Vulnerabilities > CVE-2017-18208 - Infinite Loop vulnerability in Linux Kernel

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
linux
CWE-835
nessus

Summary

The madvise_willneed function in mm/madvise.c in the Linux kernel before 4.14.4 allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.

Vulnerable Configurations

Part Description Count
OS
Linux
3269

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0786-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.120 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-13166: An elevation of privilege vulnerability in the v4l2 video driver. (bnc#1072865). - CVE-2017-15951: The KEYS subsystem did not correctly synchronize the actions of updating versus finding a key in the
    last seen2020-06-01
    modified2020-06-02
    plugin id108649
    published2018-03-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108649
    titleSUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:0786-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:0786-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108649);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/10 13:51:47");
    
      script_cve_id("CVE-2017-13166", "CVE-2017-15951", "CVE-2017-16644", "CVE-2017-16912", "CVE-2017-16913", "CVE-2017-17975", "CVE-2017-18174", "CVE-2017-18208", "CVE-2018-1000026", "CVE-2018-1068", "CVE-2018-8087");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:0786-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.120 to
    receive various security and bugfixes. The following security bugs
    were fixed :
    
      - CVE-2017-13166: An elevation of privilege vulnerability
        in the v4l2 video driver. (bnc#1072865).
    
      - CVE-2017-15951: The KEYS subsystem did not correctly
        synchronize the actions of updating versus finding a key
        in the 'negative' state to avoid a race condition, which
        allowed local users to cause a denial of service or
        possibly have unspecified other impact via crafted
        system calls (bnc#1062840 bnc#1065615).
    
      - CVE-2017-16644: The hdpvr_probe function in
        drivers/media/usb/hdpvr/hdpvr-core.c allowed local users
        to cause a denial of service (improper error handling
        and system crash) or possibly have unspecified other
        impact via a crafted USB device (bnc#1067118).
    
      - CVE-2017-16912: The 'get_pipe()' function
        (drivers/usb/usbip/stub_rx.c) allowed attackers to cause
        a denial of service (out-of-bounds read) via a specially
        crafted USB over IP packet (bnc#1078673).
    
      - CVE-2017-16913: The 'stub_recv_cmd_submit()' function
        (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT
        packets allowed attackers to cause a denial of service
        (arbitrary memory allocation) via a specially crafted
        USB over IP packet (bnc#1078672).
    
      - CVE-2017-17975: Use-after-free in the usbtv_probe
        function in drivers/media/usb/usbtv/usbtv-core.c allowed
        attackers to cause a denial of service (system crash) or
        possibly have unspecified other impact by triggering
        failure of audio registration, because a kfree of the
        usbtv data structure occurs during a usbtv_video_free
        call, but the usbtv_video_fail label's code attempts to
        both access and free this data structure (bnc#1074426).
    
      - CVE-2017-18174: The amd_gpio_remove function in
        drivers/pinctrl/pinctrl-amd.c calls the
        pinctrl_unregister function, leading to a double free
        (bnc#1080533).
    
      - CVE-2017-18208: The madvise_willneed function in
        mm/madvise.c allowed local users to cause a denial of
        service (infinite loop) by triggering use of
        MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
    
      - CVE-2018-1000026: A insufficient input validation
        vulnerability in bnx2x network card driver could result
        in DoS: Network card firmware assertion takes card
        off-line. This attack appear to be exploitable via An
        attacker on a must pass a very large, specially crafted
        packet to the bnx2x card. This can be done from an
        untrusted guest VM. (bnc#1079384).
    
      - CVE-2018-8087: Memory leak in the hwsim_new_radio_nl
        function in drivers/net/wireless/mac80211_hwsim.c
        allowed local users to cause a denial of service (memory
        consumption) by triggering an out-of-array error case
        (bnc#1085053).
    
      - CVE-2018-1068: Insufficient user provided offset
        checking in the ebtables compat code allowed local
        attackers to overwrite kernel memory and potentially
        execute code. (bsc#1085107)
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006867"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1012382"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1015342"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1015343"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1020645"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1022607"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1024376"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027054"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031717"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1033587"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1034503"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042286"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1043441"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1043725"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1043726"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1062840"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065600"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065615"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1066223"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1067118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1068032"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1068569"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1069135"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1070404"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1071306"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1071892"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072363"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072689"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072739"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072865"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1073401"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1073407"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1074198"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1074426"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1075087"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076282"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076693"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076760"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076982"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1077241"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1077285"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1077513"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1077560"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1077779"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078583"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078672"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078673"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078787"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079029"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079038"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079195"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079313"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079384"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079609"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079886"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079989"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080014"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080263"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080321"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080344"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080364"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080384"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080464"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080533"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080656"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080774"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080813"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080851"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081134"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081431"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081436"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081437"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081491"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081498"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081500"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081512"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081514"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081681"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081735"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082089"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082223"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082299"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082373"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082478"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082632"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082795"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082864"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082897"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082979"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082993"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083048"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083086"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083223"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083387"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083409"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083494"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083548"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083750"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083770"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084041"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084397"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084427"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084610"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084772"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084888"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084926"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084928"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084967"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085011"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085015"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085045"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085047"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085050"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085053"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085054"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085056"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085107"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085224"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085239"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=863764"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=966170"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=966172"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=966328"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=969476"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=969477"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=975772"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=983145"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-13166/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15951/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16644/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16912/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16913/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-17975/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18174/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18208/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1000026/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1068/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-8087/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20180786-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4c0c8a30"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch
    SUSE-SLE-WE-12-SP3-2018-534=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t
    patch SUSE-SLE-SDK-12-SP3-2018-534=1
    
    SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-2018-534=1
    
    SUSE Linux Enterprise Live Patching 12-SP3:zypper in -t patch
    SUSE-SLE-Live-Patching-12-SP3-2018-534=1
    
    SUSE Linux Enterprise High Availability 12-SP3:zypper in -t patch
    SUSE-SLE-HA-12-SP3-2018-534=1
    
    SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP3-2018-534=1
    
    SUSE CaaS Platform ALL :
    
    To install this update, use the SUSE CaaS Platform Velum dashboard. It
    will inform you if it detects new updates and let you then trigger
    updating of the complete cluster in a controlled way."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-extra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP3", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"3", cpu:"s390x", reference:"kernel-default-man-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"kernel-default-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"kernel-default-base-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"kernel-default-base-debuginfo-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"kernel-default-debuginfo-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"kernel-default-debugsource-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"kernel-default-devel-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"kernel-syms-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"kernel-default-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"kernel-default-debuginfo-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"kernel-default-debugsource-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"kernel-default-devel-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"kernel-default-extra-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"kernel-default-extra-debuginfo-4.4.120-94.17.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"kernel-syms-4.4.120-94.17.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0070_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in
    last seen2020-06-01
    modified2020-06-02
    plugin id127272
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127272
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0070. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127272);
      script_version("1.2");
      script_cvs_date("Date: 2019/09/24 11:01:33");
    
      script_cve_id(
        "CVE-2015-8830",
        "CVE-2016-3672",
        "CVE-2016-7913",
        "CVE-2017-0861",
        "CVE-2017-9725",
        "CVE-2017-10661",
        "CVE-2017-12154",
        "CVE-2017-12190",
        "CVE-2017-13305",
        "CVE-2017-15129",
        "CVE-2017-15265",
        "CVE-2017-15274",
        "CVE-2017-17448",
        "CVE-2017-17449",
        "CVE-2017-17558",
        "CVE-2017-17805",
        "CVE-2017-18017",
        "CVE-2017-18203",
        "CVE-2017-18208",
        "CVE-2017-1000252",
        "CVE-2017-1000407",
        "CVE-2017-1000410",
        "CVE-2018-1120",
        "CVE-2018-1130",
        "CVE-2018-3646",
        "CVE-2018-5344",
        "CVE-2018-5750",
        "CVE-2018-5803",
        "CVE-2018-5848",
        "CVE-2018-7566",
        "CVE-2018-9568",
        "CVE-2018-17972",
        "CVE-2018-18397",
        "CVE-2018-18690",
        "CVE-2018-1000004",
        "CVE-2018-1000026"
      );
      script_bugtraq_id(102329);
    
      script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by
    multiple vulnerabilities:
    
      - Integer overflow in the aio_setup_single_vector function
        in fs/aio.c in the Linux kernel 4.0 allows local users
        to cause a denial of service or possibly have
        unspecified other impact via a large AIO iovec. NOTE:
        this vulnerability exists because of a CVE-2012-6701
        regression. (CVE-2015-8830)
    
      - A weakness was found in the Linux ASLR implementation.
        Any user able to running 32-bit applications in a x86
        machine can disable ASLR by setting the RLIMIT_STACK
        resource to unlimited. (CVE-2016-3672)
    
      - The xc2028_set_config function in
        drivers/media/tuners/tuner-xc2028.c in the Linux kernel
        before 4.6 allows local users to gain privileges or
        cause a denial of service (use-after-free) via vectors
        involving omission of the firmware name from a certain
        data structure. Due to the nature of the flaw, privilege
        escalation cannot be fully ruled out, although we
        believe it is unlikely. (CVE-2016-7913)
    
      - Use-after-free vulnerability in the snd_pcm_info()
        function in the ALSA subsystem in the Linux kernel
        allows attackers to induce a kernel memory corruption
        and possibly crash or lock up a system. Due to the
        nature of the flaw, a privilege escalation cannot be
        fully ruled out, although we believe it is unlikely.
        (CVE-2017-0861)
    
      - A reachable assertion failure flaw was found in the
        Linux kernel built with KVM virtualisation(CONFIG_KVM)
        support with Virtual Function I/O feature (CONFIG_VFIO)
        enabled. This failure could occur if a malicious guest
        device sent a virtual interrupt (guest IRQ) with a
        larger (>1024) index value. (CVE-2017-1000252)
    
      - Linux kernel Virtualization Module (CONFIG_KVM) for the
        Intel processor family (CONFIG_KVM_INTEL) is vulnerable
        to a DoS issue. It could occur if a guest was to flood
        the I/O port 0x80 with write requests. A guest user
        could use this flaw to crash the host kernel resulting
        in DoS. (CVE-2017-1000407)
    
      - A flaw was found in the processing of incoming L2CAP
        bluetooth commands. Uninitialized stack variables can be
        sent to an attacker leaking data in kernel address
        space. (CVE-2017-1000410)
    
      - A race condition was found in the Linux kernel before
        version 4.11-rc1 in 'fs/timerfd.c' file which allows a
        local user to cause a kernel list corruption or use-
        after-free via simultaneous operations with a file
        descriptor which leverage improper 'might_cancel'
        queuing. An unprivileged local user could use this flaw
        to cause a denial of service of the system. Due to the
        nature of the flaw, privilege escalation cannot be fully
        ruled out, although we believe it is unlikely.
        (CVE-2017-10661)
    
      - Linux kernel built with the KVM visualization support
        (CONFIG_KVM), with nested visualization (nVMX) feature
        enabled (nested=1), is vulnerable to a crash due to
        disabled external interrupts. As L2 guest could access
        (r/w) hardware CR8 register of the host(L0). In a nested
        visualization setup, L2 guest user could use this flaw
        to potentially crash the host(L0) resulting in DoS.
        (CVE-2017-12154)
    
      - It was found that in the Linux kernel through v4.14-rc5,
        bio_map_user_iov() and bio_unmap_user() in 'block/bio.c'
        do unbalanced pages refcounting if IO vector has small
        consecutive buffers belonging to the same page.
        bio_add_pc_page() merges them into one, but the page
        reference is never dropped, causing a memory leak and
        possible system lockup due to out-of-memory condition.
        (CVE-2017-12190)
    
      - A flaw was found in the Linux kernel's implementation of
        valid_master_desc() in which a memory buffer would be
        compared to a userspace value with an incorrect size of
        comparison. By bruteforcing the comparison, an attacker
        could determine what was in memory after the description
        and possibly obtain sensitive information from kernel
        memory. (CVE-2017-13305)
    
      - A use-after-free vulnerability was found in a network
        namespaces code affecting the Linux kernel since
        v4.0-rc1 through v4.15-rc5. The function
        get_net_ns_by_id() does not check for the net::count
        value after it has found a peer network in netns_ids idr
        which could lead to double free and memory corruption.
        This vulnerability could allow an unprivileged local
        user to induce kernel memory corruption on the system,
        leading to a crash. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        it is thought to be unlikely. (CVE-2017-15129)
    
      - A use-after-free vulnerability was found when issuing an
        ioctl to a sound device. This could allow a user to
        exploit a race condition and create memory corruption or
        possibly privilege escalation. (CVE-2017-15265)
    
      - A flaw was found in the implementation of associative
        arrays where the add_key systemcall and KEYCTL_UPDATE
        operations allowed for a NULL payload with a nonzero
        length. When accessing the payload within this length
        parameters value, an unprivileged user could trivially
        cause a NULL pointer dereference (kernel oops).
        (CVE-2017-15274)
    
      - The net/netfilter/nfnetlink_cthelper.c function in the
        Linux kernel through 4.14.4 does not require the
        CAP_NET_ADMIN capability for new, get, and del
        operations. This allows local users to bypass intended
        access restrictions because the nfnl_cthelper_list data
        structure is shared across all net namespaces.
        (CVE-2017-17448)
    
      - The __netlink_deliver_tap_skb function in
        net/netlink/af_netlink.c in the Linux kernel, through
        4.14.4, does not restrict observations of Netlink
        messages to a single net namespace, when CONFIG_NLMON is
        enabled. This allows local users to obtain sensitive
        information by leveraging the CAP_NET_ADMIN capability
        to sniff an nlmon interface for all Netlink activity on
        the system. (CVE-2017-17449)
    
      - The usb_destroy_configuration() function, in
        'drivers/usb/core/config.c' in the USB core subsystem,
        in the Linux kernel through 4.14.5 does not consider the
        maximum number of configurations and interfaces before
        attempting to release resources. This allows local users
        to cause a denial of service, due to out-of-bounds write
        access, or possibly have unspecified other impact via a
        crafted USB device. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        we believe it is unlikely. (CVE-2017-17558)
    
      - The Salsa20 encryption algorithm in the Linux kernel,
        before 4.14.8, does not correctly handle zero-length
        inputs. This allows a local attacker the ability to use
        the AF_ALG-based skcipher interface to cause a denial of
        service (uninitialized-memory free and kernel crash) or
        have an unspecified other impact by executing a crafted
        sequence of system calls that use the blkcipher_walk
        API. Both the generic implementation
        (crypto/salsa20_generic.c) and x86 implementation
        (arch/x86/crypto/salsa20_glue.c) of Salsa20 are
        vulnerable. (CVE-2017-17805)
    
      - The tcpmss_mangle_packet function in
        net/netfilter/xt_TCPMSS.c in the Linux kernel before
        4.11, and 4.9.x before 4.9.36, allows remote attackers
        to cause a denial of service (use-after-free and memory
        corruption) or possibly have unspecified other impact by
        leveraging the presence of xt_TCPMSS in an iptables
        action. Due to the nature of the flaw, privilege
        escalation cannot be fully ruled out, although we
        believe it is unlikely. (CVE-2017-18017)
    
      - The Linux kernel, before version 4.14.3, is vulnerable
        to a denial of service in
        drivers/md/dm.c:dm_get_from_kobject() which can be
        caused by local users leveraging a race condition with
        __dm_destroy() during creation and removal of DM
        devices. Only privileged local users (with CAP_SYS_ADMIN
        capability) can directly perform the ioctl operations
        for dm device creation and removal and this would
        typically be outside the direct control of the
        unprivileged attacker. (CVE-2017-18203)
    
      - The madvise_willneed function in the Linux kernel allows
        local users to cause a denial of service (infinite loop)
        by triggering use of MADVISE_WILLNEED for a DAX mapping.
        (CVE-2017-18208)
    
      - A flaw was found where the kernel truncated the value
        used to indicate the size of a buffer which it would
        later become zero using an untruncated value. This can
        corrupt memory outside of the original allocation.
        (CVE-2017-9725)
    
      - In the Linux kernel versions 4.12, 3.10, 2.6, and
        possibly earlier, a race condition vulnerability exists
        in the sound system allowing for a potential deadlock
        and memory corruption due to use-after-free condition
        and thus denial of service. Due to the nature of the
        flaw, privilege escalation cannot be fully ruled out,
        although we believe it is unlikely. (CVE-2018-1000004)
    
      - Improper validation in the bnx2x network card driver of
        the Linux kernel version 4.15 can allow for denial of
        service (DoS) attacks via a packet with a gso_size
        larger than ~9700 bytes. Untrusted guest VMs can exploit
        this vulnerability in the host machine, causing a crash
        in the network card. (CVE-2018-1000026)
    
      - By mmap()ing a FUSE-backed file onto a process's memory
        containing command line arguments (or environment
        strings), an attacker can cause utilities from psutils
        or procps (such as ps, w) or any other program which
        makes a read() call to the /proc//cmdline (or
        /proc//environ) files to block indefinitely (denial
        of service) or for some controlled time (as a
        synchronization primitive for other attacks).
        (CVE-2018-1120)
    
      - A null pointer dereference in dccp_write_xmit() function
        in net/dccp/output.c in the Linux kernel allows a local
        user to cause a denial of service by a number of certain
        crafted system calls. (CVE-2018-1130)
    
      - An issue was discovered in the proc_pid_stack function
        in fs/proc/base.c in the Linux kernel. An attacker with
        a local account can trick the stack unwinder code to
        leak stack contents to userspace. The fix allows only
        root to inspect the kernel stack of an arbitrary task.
        (CVE-2018-17972)
    
      - A flaw was found in the Linux kernel with files on tmpfs
        and hugetlbfs. An attacker is able to bypass file
        permissions on filesystems mounted with tmpfs/hugetlbs
        to modify a file and possibly disrupt normal system
        behavior. At this time there is an understanding there
        is no crash or privilege escalation but the impact of
        modifications on these filesystems of files in
        production systems may have adverse affects.
        (CVE-2018-18397)
    
      - In the Linux kernel before 4.17, a local attacker able
        to set attributes on an xfs filesystem could make this
        filesystem non-operational until the next mount by
        triggering an unchecked error condition during an xfs
        attribute change, because xfs_attr_shortform_addname in
        fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE
        operations with conversion of an attr from short to long
        form. (CVE-2018-18690)
    
      - Modern operating systems implement virtualization of
        physical memory to efficiently use available system
        resources and provide inter-domain protection through
        access control and isolation. The L1TF issue was found
        in the way the x86 microprocessor designs have
        implemented speculative execution of instructions (a
        commonly used performance optimization) in combination
        with handling of page-faults caused by terminated
        virtual to physical address resolving process. As a
        result, an unprivileged attacker could use this flaw to
        read privileged memory of the kernel or other processes
        and/or cross guest/host boundaries to read host memory
        by conducting targeted cache side-channel attacks.
        (CVE-2018-3646)
    
      - A flaw was found in the Linux kernel's handling of
        loopback devices. An attacker, who has permissions to
        setup loopback disks, may create a denial of service or
        other unspecified actions. (CVE-2018-5344)
    
      - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c
        in the Linux kernel, through 4.14.15, allows local users
        to obtain sensitive address information by reading dmesg
        data from an SBS HC printk call. (CVE-2018-5750)
    
      - An error in the _sctp_make_chunk() function
        (net/sctp/sm_make_chunk.c) when handling SCTP, packet
        length can be exploited by a malicious local user to
        cause a kernel crash and a DoS. (CVE-2018-5803)
    
      - In the function wmi_set_ie() in the Linux kernel the
        length validation code does not handle unsigned integer
        overflow properly. As a result, a large value of the
        ie_len argument can cause a buffer overflow and thus a
        memory corruption leading to a system crash or other or
        unspecified impact. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        we believe it is unlikely. (CVE-2018-5848)
    
      - ALSA sequencer core initializes the event pool on demand
        by invoking snd_seq_pool_init() when the first write
        happens and the pool is empty. A user can reset the pool
        size manually via ioctl concurrently, and this may lead
        to UAF or out-of-bound access. (CVE-2018-7566)
    
      - A possible memory corruption due to a type confusion was
        found in the Linux kernel in the sk_clone_lock()
        function in the net/core/sock.c. The possibility of
        local escalation of privileges cannot be fully ruled out
        for a local unprivileged attacker. (CVE-2018-9568)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0070");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for
    more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-18017");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.04" &&
        release !~ "CGSL MAIN 5.04")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.04": [
        "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite"
      ],
      "CGSL MAIN 5.04": [
        "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debug-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-4710.NASL
    descriptionDescription of changes: [4.1.12-124.28.6.el7uek] - scsi: libfc: Fixup disc_mutex handling in fcoe module (Hannes Reinecke) [Orabug: 29511036] - scsi: libfc: sanitize E_D_TOV and R_A_TOV setting in fcp (Hannes Reinecke) [Orabug: 29511036] - sysctl: Fix kabi breakage (Shuning Zhang) [Orabug: 29689925] - proc: Fix proc_sys_prune_dcache to hold a sb reference (Eric W. Biederman) [Orabug: 29689925] - proc/sysctl: Don
    last seen2020-06-01
    modified2020-06-02
    plugin id126610
    published2019-07-11
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126610
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4710) (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2019-4710.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126610);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/08");
    
      script_cve_id("CVE-2017-18208", "CVE-2017-5715", "CVE-2018-7191", "CVE-2019-6133");
    
      script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4710) (Spectre)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    [4.1.12-124.28.6.el7uek]
    - scsi: libfc: Fixup disc_mutex handling in fcoe module (Hannes Reinecke)  [Orabug: 29511036]
    - scsi: libfc: sanitize E_D_TOV and R_A_TOV setting in fcp (Hannes Reinecke)  [Orabug: 29511036]
    - sysctl: Fix kabi breakage (Shuning Zhang)  [Orabug: 29689925]
    - proc: Fix proc_sys_prune_dcache to hold a sb reference (Eric W. Biederman)  [Orabug: 29689925]
    - proc/sysctl: Don't grab i_lock under sysctl_lock. (Eric W. Biederman)  [Orabug: 29689925]
    - proc/sysctl: prune stale dentries during unregistering (Konstantin Khlebnikov)  [Orabug: 29689925]
    - scsi: smartpqi: correct lun reset issues (Kevin Barnett)  [Orabug: 29848621]
    - fork: record start_time late (David Herrmann)  [Orabug: 29850581]  {CVE-2019-6133}
    - mm: avoid taking zone lock in pagetypeinfo_showmixed() (Vinayak Menon)  [Orabug: 29905302]
    - x86/retpoline/ia32entry: Convert to non-speculative calls (Ankur Arora)  [Orabug: 29909295]  {CVE-2017-5715}
    - tun: call dev_get_valid_name() before register_netdevice() (Cong Wang)  [Orabug: 29925555]  {CVE-2018-7191}
    - mm/madvise.c: fix madvise() infinite loop under special circumstances (chenjie)  [Orabug: 29925610]  {CVE-2017-18208}"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2019-July/008886.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2019-July/008887.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5715");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/11");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-18208", "CVE-2017-5715", "CVE-2018-7191", "CVE-2019-6133");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2019-4710");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "4.1";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-4.1.12-124.28.6.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-124.28.6.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-124.28.6.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-124.28.6.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-124.28.6.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-124.28.6.el6uek")) flag++;
    
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.1.12-124.28.6.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-124.28.6.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-124.28.6.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-124.28.6.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-124.28.6.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-124.28.6.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3653-2.NASL
    descriptionUSN-3653-1 fixed vulnerabilities and added mitigations in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS. Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) Tuba Yavuz discovered that a double-free error existed in the USBTV007 driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17975) It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203) It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208) Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110047
    published2018-05-23
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110047
    titleUbuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp, linux-oem vulnerabilities (USN-3653-2) (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3653-2. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110047);
      script_version("1.10");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      script_cve_id("CVE-2017-17449", "CVE-2017-17975", "CVE-2017-18203", "CVE-2017-18208", "CVE-2018-3639", "CVE-2018-8822");
      script_xref(name:"USN", value:"3653-2");
    
      script_name(english:"Ubuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp, linux-oem vulnerabilities (USN-3653-2) (Spectre)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-3653-1 fixed vulnerabilities and added mitigations in the Linux
    kernel for Ubuntu 17.10. This update provides the corresponding
    updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu
    17.10 for Ubuntu 16.04 LTS.
    
    Jann Horn and Ken Johnson discovered that microprocessors utilizing
    speculative execution of a memory read may allow unauthorized memory
    reads via a sidechannel attack. This flaw is known as Spectre Variant
    4. A local attacker could use this to expose sensitive information,
    including kernel memory. (CVE-2018-3639)
    
    It was discovered that the netlink subsystem in the Linux kernel did
    not properly restrict observations of netlink messages to the
    appropriate net namespace. A local attacker could use this to expose
    sensitive information (kernel netlink traffic). (CVE-2017-17449)
    
    Tuba Yavuz discovered that a double-free error existed in the USBTV007
    driver of the Linux kernel. A local attacker could use this to cause a
    denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2017-17975)
    
    It was discovered that a race condition existed in the Device Mapper
    component of the Linux kernel. A local attacker could use this to
    cause a denial of service (system crash). (CVE-2017-18203)
    
    It was discovered that an infinite loop could occur in the madvise(2)
    implementation in the Linux kernel in certain circumstances. A local
    attacker could use this to cause a denial of service (system hang).
    (CVE-2017-18208)
    
    Silvio Cesare discovered a buffer overwrite existed in the NCPFS
    implementation in the Linux kernel. A remote attacker controlling a
    malicious NCPFS server could use this to cause a denial of service
    (system crash) or possibly execute arbitrary code. (CVE-2018-8822).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3653-2/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/23");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-17449", "CVE-2017-17975", "CVE-2017-18203", "CVE-2017-18208", "CVE-2018-3639", "CVE-2018-8822");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3653-2");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-1017-gcp", pkgver:"4.13.0-1017.21")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-1018-azure", pkgver:"4.13.0-1018.21")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-1028-oem", pkgver:"4.13.0-1028.31")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-43-generic", pkgver:"4.13.0-43.48~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-43-generic-lpae", pkgver:"4.13.0-43.48~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.13.0-43-lowlatency", pkgver:"4.13.0-43.48~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-azure", pkgver:"4.13.0.1018.19")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gcp", pkgver:"4.13.0.1017.19")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-hwe-16.04", pkgver:"4.13.0.43.62")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-lpae-hwe-16.04", pkgver:"4.13.0.43.62")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gke", pkgver:"4.13.0.1017.19")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-lowlatency-hwe-16.04", pkgver:"4.13.0.43.62")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-oem", pkgver:"4.13.0.1028.33")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.13-azure / linux-image-4.13-gcp / etc");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20181030_KERNEL_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) - kernel: out-of-bounds access in the show_timer function in kernel/time /posix-timers.c (CVE-2017-18344) - kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) - kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) - kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) - kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) - kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) - kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) - kernel: Salsa20 encryption algorithm does not correctly handle zero- length inputs allowing local attackers to cause denial of service (CVE-2017-17805) - kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) - kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) - kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) - kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) - kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) - kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) - kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) - kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) - kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) - kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) - kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) - kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) - kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) - kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) - kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c (CVE-2018-7757) - kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) - kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) - kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) - kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) - kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940)
    last seen2020-03-18
    modified2018-11-27
    plugin id119187
    published2018-11-27
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119187
    titleScientific Linux Security Update : kernel on SL7.x x86_64 (20181030)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119187);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/01");
    
      script_cve_id("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");
    
      script_name(english:"Scientific Linux Security Update : kernel on SL7.x x86_64 (20181030)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Security Fix(es) :
    
      - A flaw named FragmentSmack was found in the way the
        Linux kernel handled reassembly of fragmented IPv4 and
        IPv6 packets. A remote attacker could use this flaw to
        trigger time and calculation expensive fragment
        reassembly algorithm by sending specially crafted
        packets which could lead to a CPU saturation and hence a
        denial of service on the system. (CVE-2018-5391)
    
      - kernel: out-of-bounds access in the show_timer function
        in kernel/time /posix-timers.c (CVE-2017-18344)
    
      - kernel: Integer overflow in udl_fb_mmap() can allow
        attackers to execute code in kernel space
        (CVE-2018-8781)
    
      - kernel: MIDI driver race condition leads to a
        double-free (CVE-2018-10902)
    
      - kernel: Missing check in inode_init_owner() does not
        clear SGID bit on non-directories for non-members
        (CVE-2018-13405)
    
      - kernel: AIO write triggers integer overflow in some
        protocols (CVE-2015-8830)
    
      - kernel: Use-after-free in snd_pcm_info function in ALSA
        subsystem potentially leads to privilege escalation
        (CVE-2017-0861)
    
      - kernel: Handling of might_cancel queueing is not
        properly pretected against race (CVE-2017-10661)
    
      - kernel: Salsa20 encryption algorithm does not correctly
        handle zero- length inputs allowing local attackers to
        cause denial of service (CVE-2017-17805)
    
      - kernel: Inifinite loop vulnerability in
        madvise_willneed() function allows local denial of
        service (CVE-2017-18208)
    
      - kernel: fuse-backed file mmap-ed onto process cmdline
        arguments causes denial of service (CVE-2018-1120)
    
      - kernel: a NULL pointer dereference in dccp_write_xmit()
        leads to a system crash (CVE-2018-1130)
    
      - kernel: drivers/block/loop.c mishandles lo_release
        serialization allowing denial of service (CVE-2018-5344)
    
      - kernel: Missing length check of payload in
        _sctp_make_chunk() function allows denial of service
        (CVE-2018-5803)
    
      - kernel: buffer overflow in
        drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may
        lead to memory corruption (CVE-2018-5848)
    
      - kernel: out-of-bound write in ext4_init_block_bitmap
        function with a crafted ext4 image (CVE-2018-10878)
    
      - kernel: Improper validation in bnx2x network card driver
        can allow for denial of service attacks via crafted
        packet (CVE-2018-1000026)
    
      - kernel: Information leak when handling NM entries
        containing NUL (CVE-2016-4913)
    
      - kernel: Mishandling mutex within libsas allowing local
        Denial of Service (CVE-2017-18232)
    
      - kernel: NULL pointer dereference in
        ext4_process_freed_data() when mounting crafted ext4
        image (CVE-2018-1092)
    
      - kernel: NULL pointer dereference in
        ext4_xattr_inode_hash() causes crash with crafted ext4
        image (CVE-2018-1094)
    
      - kernel: vhost: Information disclosure in
        vhost/vhost.c:vhost_new_msg() (CVE-2018-1118)
    
      - kernel: Denial of service in resv_map_release function
        in mm/hugetlb.c (CVE-2018-7740)
    
      - kernel: Memory leak in the sas_smp_get_phy_events
        function in drivers/scsi/libsas/sas_expander.c
        (CVE-2018-7757)
    
      - kernel: Invalid pointer dereference in
        xfs_ilock_attr_map_shared() when mounting crafted xfs
        image allowing denial of service (CVE-2018-10322)
    
      - kernel: use-after-free detected in ext4_xattr_set_entry
        with a crafted file (CVE-2018-10879)
    
      - kernel: out-of-bound access in ext4_get_group_info()
        when mounting and operating a crafted ext4 image
        (CVE-2018-10881)
    
      - kernel: stack-out-of-bounds write in
        jbd2_journal_dirty_metadata function (CVE-2018-10883)
    
      - kernel: incorrect memory bounds check in
        drivers/cdrom/cdrom.c (CVE-2018-10940)"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1811&L=scientific-linux-errata&F=&S=&P=8524
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?faf0e575"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-10661");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"bpftool-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", reference:"kernel-abi-whitelists-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-debuginfo-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debuginfo-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", reference:"kernel-doc-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-debuginfo-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"perf-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"perf-debuginfo-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"python-perf-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"python-perf-debuginfo-3.10.0-957.el7")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bpftool / kernel / kernel-abi-whitelists / kernel-debug / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1080-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bnc#1068032). Enhancements and bugfixes over the previous fixes have been added to this kernel. - CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have allowed local users to cause a denial of service by triggering an attempted use of the -INT_MIN value (bnc#1089608). - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536). - CVE-2018-7566: There was a buffer overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user (bnc#1083483). - CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem allowed attackers to gain privileges via unspecified vectors (bnc#1088260). - CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162). - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver. (bnc#1072865). - CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c allowed local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices (bnc#1083242). - CVE-2017-16911: The vhci_hcd driver allowed allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP (bnc#1078674). - CVE-2017-18208: The madvise_willneed function in mm/madvise.c local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2017-16644: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2018-6927: The futex_requeue function in kernel/futex.c in the Linux kernel might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757). - CVE-2017-16914: The
    last seen2020-06-01
    modified2020-06-02
    plugin id109360
    published2018-04-26
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109360
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2018:1080-1) (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:1080-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109360);
      script_version("1.7");
      script_cvs_date("Date: 2019/09/10 13:51:47");
    
      script_cve_id("CVE-2015-5156", "CVE-2016-7915", "CVE-2017-0861", "CVE-2017-12190", "CVE-2017-13166", "CVE-2017-16644", "CVE-2017-16911", "CVE-2017-16912", "CVE-2017-16913", "CVE-2017-16914", "CVE-2017-18203", "CVE-2017-18208", "CVE-2017-5715", "CVE-2018-10087", "CVE-2018-6927", "CVE-2018-7566", "CVE-2018-7757", "CVE-2018-8822");
      script_xref(name:"IAVA", value:"2018-A-0020");
    
      script_name(english:"SUSE SLES11 Security Update : kernel (SUSE-SU-2018:1080-1) (Spectre)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
    security and bugfixes. The following security bugs were fixed :
    
      - CVE-2017-5715: Systems with microprocessors utilizing
        speculative execution and indirect branch prediction may
        allow unauthorized disclosure of information to an
        attacker with local user access via a side-channel
        analysis (bnc#1068032). Enhancements and bugfixes over
        the previous fixes have been added to this kernel.
    
      - CVE-2018-10087: The kernel_wait4 function in
        kernel/exit.c might have allowed local users to cause a
        denial of service by triggering an attempted use of the
        -INT_MIN value (bnc#1089608).
    
      - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events
        function in drivers/scsi/libsas/sas_expander.c allowed
        local users to cause a denial of service (memory
        consumption) via many read accesses to files in the
        /sys/class/sas_phy directory, as demonstrated by the
        /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file
        (bnc#1084536).
    
      - CVE-2018-7566: There was a buffer overflow via an
        SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to
        /dev/snd/seq by a local user (bnc#1083483).
    
      - CVE-2017-0861: Use-after-free vulnerability in the
        snd_pcm_info function in the ALSA subsystem allowed
        attackers to gain privileges via unspecified vectors
        (bnc#1088260).
    
      - CVE-2018-8822: Incorrect buffer length handling in the
        ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c
        could be exploited by malicious NCPFS servers to crash
        the kernel or execute code (bnc#1086162).
    
      - CVE-2017-13166: An elevation of privilege vulnerability
        in the kernel v4l2 video driver. (bnc#1072865).
    
      - CVE-2017-18203: The dm_get_from_kobject function in
        drivers/md/dm.c allowed local users to cause a denial of
        service (BUG) by leveraging a race condition with
        __dm_destroy during creation and removal of DM devices
        (bnc#1083242).
    
      - CVE-2017-16911: The vhci_hcd driver allowed allows local
        attackers to disclose kernel memory addresses.
        Successful exploitation requires that a USB device is
        attached over IP (bnc#1078674).
    
      - CVE-2017-18208: The madvise_willneed function in
        mm/madvise.c local users to cause a denial of service
        (infinite loop) by triggering use of MADVISE_WILLNEED
        for a DAX mapping (bnc#1083494).
    
      - CVE-2017-16644: The hdpvr_probe function in
        drivers/media/usb/hdpvr/hdpvr-core.c allowed local users
        to cause a denial of service (improper error handling
        and system crash) or possibly have unspecified other
        impact via a crafted USB device (bnc#1067118).
    
      - CVE-2018-6927: The futex_requeue function in
        kernel/futex.c in the Linux kernel might allow attackers
        to cause a denial of service (integer overflow) or
        possibly have unspecified other impact by triggering a
        negative wake or requeue value (bnc#1080757).
    
      - CVE-2017-16914: The 'stub_send_ret_submit()' function
        (drivers/usb/usbip/stub_tx.c) allowed attackers to cause
        a denial of service (NULL pointer dereference) via a
        specially crafted USB over IP packet (bnc#1078669).
    
      - CVE-2016-7915: The hid_input_field function in
        drivers/hid/hid-core.c allowed physically proximate
        attackers to obtain sensitive information from kernel
        memory or cause a denial of service (out-of-bounds read)
        by connecting a device, as demonstrated by a Logitech DJ
        receiver (bnc#1010470).
    
      - CVE-2015-5156: The virtnet_probe function in
        drivers/net/virtio_net.c attempted to support a FRAGLIST
        feature without proper memory allocation, which allowed
        guest OS users to cause a denial of service (buffer
        overflow and memory corruption) via a crafted sequence
        of fragmented packets (bnc#940776).
    
      - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user
        functions in block/bio.c did unbalanced refcounting when
        a SCSI I/O vector has small consecutive buffers
        belonging to the same page. The bio_add_pc_page function
        merges them into one, but the page reference is never
        dropped. This causes a memory leak and possible system
        lockup (exploitable against the host OS by a guest OS
        user, if a SCSI disk is passed through to a virtual
        machine) due to an out-of-memory condition
        (bnc#1062568).
    
      - CVE-2017-16912: The 'get_pipe()' function
        (drivers/usb/usbip/stub_rx.c) allowed attackers to cause
        a denial of service (out-of-bounds read) via a specially
        crafted USB over IP packet (bnc#1078673).
    
      - CVE-2017-16913: The 'stub_recv_cmd_submit()' function
        (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT
        packets allowed attackers to cause a denial of service
        (arbitrary memory allocation) via a specially crafted
        USB over IP packet (bnc#1078672).
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010470"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013018"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1039348"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1052943"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1062568"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1062840"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1063416"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1063516"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065600"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065999"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1067118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1067912"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1068032"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072689"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072865"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1075088"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1075091"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1075994"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078669"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078672"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078673"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078674"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080464"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080757"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080813"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081358"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082091"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082424"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083242"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083275"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083483"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083494"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084536"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085113"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085279"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085331"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085513"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1086162"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087092"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087260"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087762"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1088147"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1088260"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1089608"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=909077"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=940776"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=943786"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2015-5156/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-7915/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-0861/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-12190/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-13166/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16644/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16911/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16912/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16913/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16914/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18203/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18208/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5715/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-10087/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-6927/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7566/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7757/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-8822/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20181080-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1ffcd0fc"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
    patch sdksp4-kernel-source-20180417-13574=1
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-kernel-source-20180417-13574=1
    
    SUSE Linux Enterprise Server 11-EXTRA:zypper in -t patch
    slexsp3-kernel-source-20180417-13574=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-kernel-source-20180417-13574=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/26");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-ec2-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-xen-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"kernel-pae-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"kernel-default-man-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-default-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-source-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-syms-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kernel-trace-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-ec2-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-xen-devel-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-base-3.0.101-108.38.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"kernel-pae-devel-3.0.101-108.38.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3083.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.
    last seen2020-06-01
    modified2020-06-02
    plugin id118525
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118525
    titleRHEL 7 : kernel (RHSA-2018:3083)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:3083. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118525);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/24 15:35:45");
    
      script_cve_id("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2017-18360", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-18690", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");
      script_xref(name:"RHSA", value:"2018:3083");
    
      script_name(english:"RHEL 7 : kernel (RHSA-2018:3083)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    Security Fix(es) :
    
    * A flaw named FragmentSmack was found in the way the Linux kernel
    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
    attacker could use this flaw to trigger time and calculation expensive
    fragment reassembly algorithm by sending specially crafted packets
    which could lead to a CPU saturation and hence a denial of service on
    the system. (CVE-2018-5391)
    
    * kernel: out-of-bounds access in the show_timer function in
    kernel/time/ posix-timers.c (CVE-2017-18344)
    
    * kernel: Integer overflow in udl_fb_mmap() can allow attackers to
    execute code in kernel space (CVE-2018-8781)
    
    * kernel: MIDI driver race condition leads to a double-free
    (CVE-2018-10902)
    
    * kernel: Missing check in inode_init_owner() does not clear SGID bit
    on non-directories for non-members (CVE-2018-13405)
    
    * kernel: AIO write triggers integer overflow in some protocols
    (CVE-2015-8830)
    
    * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem
    potentially leads to privilege escalation (CVE-2017-0861)
    
    * kernel: Handling of might_cancel queueing is not properly pretected
    against race (CVE-2017-10661)
    
    * kernel: Salsa20 encryption algorithm does not correctly handle
    zero-length inputs allowing local attackers to cause denial of service
    (CVE-2017-17805)
    
    * kernel: Inifinite loop vulnerability in madvise_willneed() function
    allows local denial of service (CVE-2017-18208)
    
    * kernel: fuse-backed file mmap-ed onto process cmdline arguments
    causes denial of service (CVE-2018-1120)
    
    * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a
    system crash (CVE-2018-1130)
    
    * kernel: drivers/block/loop.c mishandles lo_release serialization
    allowing denial of service (CVE-2018-5344)
    
    * kernel: Missing length check of payload in _sctp_make_chunk()
    function allows denial of service (CVE-2018-5803)
    
    * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/
    wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)
    
    * kernel: out-of-bound write in ext4_init_block_bitmap function with a
    crafted ext4 image (CVE-2018-10878)
    
    * kernel: Improper validation in bnx2x network card driver can allow
    for denial of service attacks via crafted packet (CVE-2018-1000026)
    
    * kernel: Information leak when handling NM entries containing NUL
    (CVE-2016-4913)
    
    * kernel: Mishandling mutex within libsas allowing local Denial of
    Service (CVE-2017-18232)
    
    * kernel: NULL pointer dereference in ext4_process_freed_data() when
    mounting crafted ext4 image (CVE-2018-1092)
    
    * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes
    crash with crafted ext4 image (CVE-2018-1094)
    
    * kernel: vhost: Information disclosure in
    vhost/vhost.c:vhost_new_msg() (CVE-2018-1118)
    
    * kernel: Denial of service in resv_map_release function in
    mm/hugetlb.c (CVE-2018-7740)
    
    * kernel: Memory leak in the sas_smp_get_phy_events function in
    drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757)
    
    * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared()
    when mounting crafted xfs image allowing denial of service
    (CVE-2018-10322)
    
    * kernel: use-after-free detected in ext4_xattr_set_entry with a
    crafted file (CVE-2018-10879)
    
    * kernel: out-of-bound access in ext4_get_group_info() when mounting
    and operating a crafted ext4 image (CVE-2018-10881)
    
    * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata
    function (CVE-2018-10883)
    
    * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c
    (CVE-2018-10940)
    
    Red Hat would like to thank Juha-Matti Tilli (Aalto University -
    Department of Communications and Networking and Nokia Bell Labs) for
    reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting
    CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120;
    Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and
    Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/3553061"
      );
      # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3395ff0b"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:3083"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-8830"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-4913"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-0861"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-10661"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-17805"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18208"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18232"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18344"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18360"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1092"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1094"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1120"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1130"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5344"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5391"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5803"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5848"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7740"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7757"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-8781"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10322"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10878"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10879"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10881"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10902"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-13405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-18690"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1000026"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2017-18360", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-18690", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2018:3083");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:3083";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"bpftool-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-abi-whitelists-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debug-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-devel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-common-s390x-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-devel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-doc-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-headers-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-devel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-tools-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"perf-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"perf-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"python-perf-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"python-perf-debuginfo-3.10.0-957.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bpftool / kernel / kernel-abi-whitelists / kernel-debug / etc");
      }
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-4058.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900) * Kernel: page cache side channel attacks (CVE-2019-5489) * Kernel: KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer (CVE-2019-7221) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Inifinite loop vulnerability in mm/madvise.c:madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: use-after-free in drivers/char/ipmi/ipmi_si_intf.c, ipmi_si_mem_io.c, ipmi_si_port_io.c (CVE-2019-11811) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * [LLNL 7.5 Bug] slab leak causing a crash when using kmem control group (BZ# 1748234) * kmem, memcg: system crash due to cache destruction race (BZ#1754829) * kernel build: parallelize redhat/mod-sign.sh (BZ#1755327) * kernel build: speed up module compression step (BZ#1755336)
    last seen2020-06-01
    modified2020-06-02
    plugin id131675
    published2019-12-04
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131675
    titleRHEL 7 : kernel (RHSA-2019:4058)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:4058. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131675);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/09");
    
      script_cve_id("CVE-2017-10661", "CVE-2017-18208", "CVE-2019-11811", "CVE-2019-3900", "CVE-2019-5489", "CVE-2019-7221");
      script_xref(name:"RHSA", value:"2019:4058");
    
      script_name(english:"RHEL 7 : kernel (RHSA-2019:4058)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel is now available for Red Hat Enterprise Linux 7.4
    Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended
    Update Support, and Red Hat Enterprise Linux 7.4 Update Services for
    SAP Solutions.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    Security Fix(es) :
    
    * Kernel: vhost_net: infinite loop while receiving packets leads to
    DoS (CVE-2019-3900)
    
    * Kernel: page cache side channel attacks (CVE-2019-5489)
    
    * Kernel: KVM: nVMX: use-after-free of the hrtimer for emulation of
    the preemption timer (CVE-2019-7221)
    
    * kernel: Handling of might_cancel queueing is not properly pretected
    against race (CVE-2017-10661)
    
    * kernel: Inifinite loop vulnerability in
    mm/madvise.c:madvise_willneed() function allows local denial of
    service (CVE-2017-18208)
    
    * kernel: use-after-free in drivers/char/ipmi/ipmi_si_intf.c,
    ipmi_si_mem_io.c, ipmi_si_port_io.c (CVE-2019-11811)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section.
    
    Bug Fix(es) :
    
    * [LLNL 7.5 Bug] slab leak causing a crash when using kmem control
    group (BZ# 1748234)
    
    * kmem, memcg: system crash due to cache destruction race (BZ#1754829)
    
    * kernel build: parallelize redhat/mod-sign.sh (BZ#1755327)
    
    * kernel build: speed up module compression step (BZ#1755336)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:4058"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-10661"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18208"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-3900"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-5489"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-7221"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-11811"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7\.4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.4", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-10661", "CVE-2017-18208", "CVE-2019-11811", "CVE-2019-3900", "CVE-2019-5489", "CVE-2019-7221");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2019:4058");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:4058";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", reference:"kernel-abi-whitelists-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debug-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debug-debuginfo-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debuginfo-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-devel-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", reference:"kernel-doc-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-headers-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-tools-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-tools-debuginfo-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"perf-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"perf-debuginfo-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"python-perf-3.10.0-693.61.1.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"python-perf-debuginfo-3.10.0-693.61.1.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc");
      }
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-3083.NASL
    descriptionFrom Red Hat Security Advisory 2018:3083 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.
    last seen2020-06-01
    modified2020-06-02
    plugin id118770
    published2018-11-07
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118770
    titleOracle Linux 7 : kernel (ELSA-2018-3083)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2018:3083 and 
    # Oracle Linux Security Advisory ELSA-2018-3083 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118770);
      script_version("1.10");
      script_cvs_date("Date: 2019/09/27 13:00:39");
    
      script_cve_id("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2017-18360", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-18690", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");
      script_xref(name:"RHSA", value:"2018:3083");
    
      script_name(english:"Oracle Linux 7 : kernel (ELSA-2018-3083)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2018:3083 :
    
    An update for kernel is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    Security Fix(es) :
    
    * A flaw named FragmentSmack was found in the way the Linux kernel
    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
    attacker could use this flaw to trigger time and calculation expensive
    fragment reassembly algorithm by sending specially crafted packets
    which could lead to a CPU saturation and hence a denial of service on
    the system. (CVE-2018-5391)
    
    * kernel: out-of-bounds access in the show_timer function in
    kernel/time/ posix-timers.c (CVE-2017-18344)
    
    * kernel: Integer overflow in udl_fb_mmap() can allow attackers to
    execute code in kernel space (CVE-2018-8781)
    
    * kernel: MIDI driver race condition leads to a double-free
    (CVE-2018-10902)
    
    * kernel: Missing check in inode_init_owner() does not clear SGID bit
    on non-directories for non-members (CVE-2018-13405)
    
    * kernel: AIO write triggers integer overflow in some protocols
    (CVE-2015-8830)
    
    * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem
    potentially leads to privilege escalation (CVE-2017-0861)
    
    * kernel: Handling of might_cancel queueing is not properly pretected
    against race (CVE-2017-10661)
    
    * kernel: Salsa20 encryption algorithm does not correctly handle
    zero-length inputs allowing local attackers to cause denial of service
    (CVE-2017-17805)
    
    * kernel: Inifinite loop vulnerability in madvise_willneed() function
    allows local denial of service (CVE-2017-18208)
    
    * kernel: fuse-backed file mmap-ed onto process cmdline arguments
    causes denial of service (CVE-2018-1120)
    
    * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a
    system crash (CVE-2018-1130)
    
    * kernel: drivers/block/loop.c mishandles lo_release serialization
    allowing denial of service (CVE-2018-5344)
    
    * kernel: Missing length check of payload in _sctp_make_chunk()
    function allows denial of service (CVE-2018-5803)
    
    * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/
    wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)
    
    * kernel: out-of-bound write in ext4_init_block_bitmap function with a
    crafted ext4 image (CVE-2018-10878)
    
    * kernel: Improper validation in bnx2x network card driver can allow
    for denial of service attacks via crafted packet (CVE-2018-1000026)
    
    * kernel: Information leak when handling NM entries containing NUL
    (CVE-2016-4913)
    
    * kernel: Mishandling mutex within libsas allowing local Denial of
    Service (CVE-2017-18232)
    
    * kernel: NULL pointer dereference in ext4_process_freed_data() when
    mounting crafted ext4 image (CVE-2018-1092)
    
    * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes
    crash with crafted ext4 image (CVE-2018-1094)
    
    * kernel: vhost: Information disclosure in
    vhost/vhost.c:vhost_new_msg() (CVE-2018-1118)
    
    * kernel: Denial of service in resv_map_release function in
    mm/hugetlb.c (CVE-2018-7740)
    
    * kernel: Memory leak in the sas_smp_get_phy_events function in
    drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757)
    
    * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared()
    when mounting crafted xfs image allowing denial of service
    (CVE-2018-10322)
    
    * kernel: use-after-free detected in ext4_xattr_set_entry with a
    crafted file (CVE-2018-10879)
    
    * kernel: out-of-bound access in ext4_get_group_info() when mounting
    and operating a crafted ext4 image (CVE-2018-10881)
    
    * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata
    function (CVE-2018-10883)
    
    * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c
    (CVE-2018-10940)
    
    Red Hat would like to thank Juha-Matti Tilli (Aalto University -
    Department of Communications and Networking and Nokia Bell Labs) for
    reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting
    CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120;
    Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and
    Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2018-November/008203.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2017-18360", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-18690", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2018-3083");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "3.10";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"bpftool-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-abi-whitelists-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-abi-whitelists-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-debug-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-debug-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-doc-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-doc-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-headers-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"perf-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"python-perf-3.10.0-957.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1062.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members.(CVE-2018-13405) - A null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in the Linux kernel allows a local user to cause a denial of service by a number of certain crafted system calls.(CVE-2018-1130) - A flaw was found in the Linux kernel, before 4.16.6 where the cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c allows local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory.(CVE-2018-10940) - The madvise_willneed function in the Linux kernel allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.(CVE-2017-18208) - fuse-backed file mmap-ed onto process cmdline arguments causes denial of service.(CVE-2018-1120) - Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel allows local users to cause a denial of service (kernel memory exhaustion) via multiple read accesses to files in the /sys/class/sas_phy directory.(CVE-2018-7757) - A vulnerability was found in the Linux kernel
    last seen2020-05-06
    modified2019-02-25
    plugin id122414
    published2019-02-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122414
    titleEulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1062)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122414);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2017-18208",
        "CVE-2017-18255",
        "CVE-2017-18270",
        "CVE-2017-7889",
        "CVE-2018-10021",
        "CVE-2018-1066",
        "CVE-2018-10940",
        "CVE-2018-1120",
        "CVE-2018-1130",
        "CVE-2018-13053",
        "CVE-2018-13094",
        "CVE-2018-13405",
        "CVE-2018-14734",
        "CVE-2018-7757",
        "CVE-2018-7995"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1062)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - Missing check in fs/inode.c:inode_init_owner() does not
        clear SGID bit on non-directories for
        non-members.(CVE-2018-13405)
    
      - A null pointer dereference in dccp_write_xmit()
        function in net/dccp/output.c in the Linux kernel
        allows a local user to cause a denial of service by a
        number of certain crafted system calls.(CVE-2018-1130)
    
      - A flaw was found in the Linux kernel, before 4.16.6
        where the cdrom_ioctl_media_changed function in
        drivers/cdrom/cdrom.c allows local attackers to use a
        incorrect bounds check in the CDROM driver
        CDROM_MEDIA_CHANGED ioctl to read out kernel
        memory.(CVE-2018-10940)
    
      - The madvise_willneed function in the Linux kernel
        allows local users to cause a denial of service
        (infinite loop) by triggering use of MADVISE_WILLNEED
        for a DAX mapping.(CVE-2017-18208)
    
      - fuse-backed file mmap-ed onto process cmdline arguments
        causes denial of service.(CVE-2018-1120)
    
      - Memory leak in the sas_smp_get_phy_events function in
        drivers/scsi/libsas/sas_expander.c in the Linux kernel
        allows local users to cause a denial of service (kernel
        memory exhaustion) via multiple read accesses to files
        in the /sys/class/sas_phy directory.(CVE-2018-7757)
    
      - A vulnerability was found in the Linux kernel's
        kernel/events/core.c:perf_cpu_time_max_percent_handler(
        ) function. Local privileged users could exploit this
        flaw to cause a denial of service due to integer
        overflow or possibly have unspecified other
        impact.(CVE-2017-18255)
    
      - A flaw was found in the Linux kernel in the way a local
        user could create keyrings for other users via keyctl
        commands. This may allow an attacker to set unwanted
        defaults, a denial of service, or possibly leak keyring
        information between users.(CVE-2017-18270)
    
      - The mm subsystem in the Linux kernel through 4.10.10
        does not properly enforce the CONFIG_STRICT_DEVMEM
        protection mechanism, which allows local users to read
        or write to kernel memory locations in the first
        megabyte (and bypass slab-allocation access
        restrictions) via an application that opens the
        /dev/mem file, related to arch/x86/mm/init.c and
        drivers/char/mem.c.(CVE-2017-7889)
    
      - The code in the drivers/scsi/libsas/sas_scsi_host.c
        file in the Linux kernel allow a physically proximate
        attacker to cause a memory leak in the ATA command
        queue and, thus, denial of service by triggering
        certain failure conditions.(CVE-2018-10021)
    
      - A flaw was found in the Linux kernel's client-side
        implementation of the cifs protocol. This flaw allows
        an attacker controlling the server to kernel panic a
        client which has the CIFS server
        mounted.(CVE-2018-1066)
    
      - A flaw was found in the alarm_timer_nsleep() function
        in kernel/time/alarmtimer.c in the Linux kernel. The
        ktime_add_safe() function is not used and an integer
        overflow can happen causing an alarm not to fire or
        possibly a denial-of-service if using a large relative
        timeout.(CVE-2018-13053)
    
      - An issue was discovered in the XFS filesystem in
        fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A
        NULL pointer dereference may occur for a corrupted xfs
        image after xfs_da_shrink_inode() is called with a NULL
        bp. This can lead to a system crash and a denial of
        service.(CVE-2018-13094)
    
      - A flaw was found in the Linux Kernel in the
        ucma_leave_multicast() function in
        drivers/infiniband/core/ucma.c which allows access to a
        certain data structure after freeing it in
        ucma_process_join(). This allows an attacker to cause a
        use-after-free bug and to induce kernel memory
        corruption, leading to a system crash or other
        unspecified impact. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out,
        although we believe it is unlikely.(CVE-2018-14734)
    
      - A race condition in the store_int_with_restart()
        function in arch/x86/kernel/cpu/mcheck/mce.c in the
        Linux kernel allows local users to cause a denial of
        service (panic) by leveraging root access to write to
        the check_interval file in a
        /sys/devices/system/machinecheck/machinecheck (cpu
        number) directory.(CVE-2018-7995)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1062
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7b15d986");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/02/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/25");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-327.62.59.83.h128",
            "kernel-debug-3.10.0-327.62.59.83.h128",
            "kernel-debug-devel-3.10.0-327.62.59.83.h128",
            "kernel-debuginfo-3.10.0-327.62.59.83.h128",
            "kernel-debuginfo-common-x86_64-3.10.0-327.62.59.83.h128",
            "kernel-devel-3.10.0-327.62.59.83.h128",
            "kernel-headers-3.10.0-327.62.59.83.h128",
            "kernel-tools-3.10.0-327.62.59.83.h128",
            "kernel-tools-libs-3.10.0-327.62.59.83.h128",
            "perf-3.10.0-327.62.59.83.h128",
            "python-perf-3.10.0-327.62.59.83.h128"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1054.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel 4.12, 3.10, 2.6 and possibly earlier versions a race condition vulnerability exists in the sound system, this can lead to a deadlock and denial of service condition.(CVE-2018-1000004) - drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port-i1/4zexists value can change after it is validated.(CVE-2017-18079) - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.(CVE-2018-5750) - The futex_requeue function in kernel/futex.c in the Linux kernel, before 4.14.15, might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impacts by triggering a negative wake or requeue value. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2018-6927) - The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker.(CVE-2017-18203) - The madvise_willneed function in the Linux kernel allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.(CVE-2017-18208) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2018-03-20
    plugin id108458
    published2018-03-20
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108458
    titleEulerOS 2.0 SP1 : kernel (EulerOS-SA-2018-1054)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108458);
      script_version("1.12");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2017-18079",
        "CVE-2017-18203",
        "CVE-2017-18208",
        "CVE-2018-1000004",
        "CVE-2018-5750",
        "CVE-2018-6927"
      );
    
      script_name(english:"EulerOS 2.0 SP1 : kernel (EulerOS-SA-2018-1054)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - In the Linux kernel 4.12, 3.10, 2.6 and possibly
        earlier versions a race condition vulnerability exists
        in the sound system, this can lead to a deadlock and
        denial of service condition.(CVE-2018-1000004)
    
      - drivers/input/serio/i8042.c in the Linux kernel before
        4.12.4 allows attackers to cause a denial of service
        (NULL pointer dereference and system crash) or possibly
        have unspecified other impact because the
        port-i1/4zexists value can change after it is
        validated.(CVE-2017-18079)
    
      - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c
        in the Linux kernel through 4.14.15 allows local users
        to obtain sensitive address information by reading
        dmesg data from an SBS HC printk call.(CVE-2018-5750)
    
      - The futex_requeue function in kernel/futex.c in the
        Linux kernel, before 4.14.15, might allow attackers to
        cause a denial of service (integer overflow) or
        possibly have unspecified other impacts by triggering a
        negative wake or requeue value. Due to the nature of
        the flaw, privilege escalation cannot be fully ruled
        out, although we believe it is unlikely.(CVE-2018-6927)
    
      - The Linux kernel, before version 4.14.3, is vulnerable
        to a denial of service in
        drivers/md/dm.c:dm_get_from_kobject() which can be
        caused by local users leveraging a race condition with
        __dm_destroy() during creation and removal of DM
        devices. Only privileged local users (with
        CAP_SYS_ADMIN capability) can directly perform the
        ioctl operations for dm device creation and removal and
        this would typically be outside the direct control of
        the unprivileged attacker.(CVE-2017-18203)
    
      - The madvise_willneed function in the Linux kernel
        allows local users to cause a denial of service
        (infinite loop) by triggering use of MADVISE_WILLNEED
        for a DAX mapping.(CVE-2017-18208)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1054
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77855b39");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-229.49.1.175",
            "kernel-debug-3.10.0-229.49.1.175",
            "kernel-debuginfo-3.10.0-229.49.1.175",
            "kernel-debuginfo-common-x86_64-3.10.0-229.49.1.175",
            "kernel-devel-3.10.0-229.49.1.175",
            "kernel-headers-3.10.0-229.49.1.175",
            "kernel-tools-3.10.0-229.49.1.175",
            "kernel-tools-libs-3.10.0-229.49.1.175",
            "perf-3.10.0-229.49.1.175",
            "python-perf-3.10.0-229.49.1.175"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-3967.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * kernel: Memory corruption due to incorrect socket cloning (CVE-2018-9568) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Use-after-free due to race condition in AF_PACKET implementation (CVE-2018-18559) * Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900) * Kernel: page cache side channel attacks (CVE-2019-5489) * Kernel: KVM: potential use-after-free via kvm_ioctl_create_device() (CVE-2019-6974) * Kernel: KVM: nVMX: use-after-free of the hrtimer for emulation of the preemption timer (CVE-2019-7221) * kernel: Inifinite loop vulnerability in mm/madvise.c:madvise_willneed() function allows local denial of service (CVE-2017-18208) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * A cluster node has multiple hung
    last seen2020-06-01
    modified2020-06-02
    plugin id131375
    published2019-11-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131375
    titleRHEL 7 : kernel (RHSA-2019:3967)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:3967. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131375);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/09");
    
      script_cve_id("CVE-2017-18208", "CVE-2018-10902", "CVE-2018-18559", "CVE-2018-9568", "CVE-2019-3900", "CVE-2019-5489", "CVE-2019-6974", "CVE-2019-7221");
      script_xref(name:"RHSA", value:"2019:3967");
    
      script_name(english:"RHEL 7 : kernel (RHSA-2019:3967)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel is now available for Red Hat Enterprise Linux 7.5
    Extended Update Support.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    Security Fix(es) :
    
    * kernel: Memory corruption due to incorrect socket cloning
    (CVE-2018-9568)
    
    * kernel: MIDI driver race condition leads to a double-free
    (CVE-2018-10902)
    
    * kernel: Use-after-free due to race condition in AF_PACKET
    implementation (CVE-2018-18559)
    
    * Kernel: vhost_net: infinite loop while receiving packets leads to
    DoS (CVE-2019-3900)
    
    * Kernel: page cache side channel attacks (CVE-2019-5489)
    
    * Kernel: KVM: potential use-after-free via kvm_ioctl_create_device()
    (CVE-2019-6974)
    
    * Kernel: KVM: nVMX: use-after-free of the hrtimer for emulation of
    the preemption timer (CVE-2019-7221)
    
    * kernel: Inifinite loop vulnerability in
    mm/madvise.c:madvise_willneed() function allows local denial of
    service (CVE-2017-18208)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section.
    
    Bug Fix(es) :
    
    * A cluster node has multiple hung 'mv' processes that are accessing a
    gfs2 filesystem. (BZ#1716321)
    
    * Growing unreclaimable slab memory (BZ#1741918)
    
    * [LLNL 7.5 Bug] slab leak causing a crash when using kmem control
    group (BZ# 1748236)
    
    * kernel build: parallelize redhat/mod-sign.sh (BZ#1755328)
    
    * kernel build: speed up module compression step (BZ#1755337)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:3967"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18208"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-9568"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10902"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-18559"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-3900"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-5489"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-6974"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-7221"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9568");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/11/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7\.5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.5", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-18208", "CVE-2018-10902", "CVE-2018-18559", "CVE-2018-9568", "CVE-2019-3900", "CVE-2019-5489", "CVE-2019-6974", "CVE-2019-7221");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2019:3967");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:3967";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"kernel-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"kernel-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", reference:"kernel-abi-whitelists-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"kernel-debug-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"kernel-debug-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"kernel-debug-debuginfo-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"kernel-debug-debuginfo-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"kernel-debug-devel-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"kernel-debuginfo-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"kernel-debuginfo-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"kernel-debuginfo-common-s390x-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"kernel-devel-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"kernel-devel-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", reference:"kernel-doc-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"kernel-headers-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"kernel-headers-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"kernel-kdump-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"kernel-kdump-debuginfo-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"kernel-kdump-devel-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"kernel-tools-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"kernel-tools-debuginfo-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"perf-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"perf-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"perf-debuginfo-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"perf-debuginfo-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"python-perf-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"python-perf-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"s390x", reference:"python-perf-debuginfo-3.10.0-862.44.2.el7")) flag++;
      if (rpm_check(release:"RHEL7", sp:"5", cpu:"x86_64", reference:"python-perf-debuginfo-3.10.0-862.44.2.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc");
      }
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3096.NASL
    descriptionAn update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.
    last seen2020-06-01
    modified2020-06-02
    plugin id118528
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118528
    titleRHEL 7 : kernel-rt (RHSA-2018:3096)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:3096. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118528);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/24 15:35:45");
    
      script_cve_id("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2017-18360", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-18690", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");
      script_xref(name:"RHSA", value:"2018:3096");
    
      script_name(english:"RHEL 7 : kernel-rt (RHSA-2018:3096)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel-rt is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel-rt packages provide the Real Time Linux Kernel, which
    enables fine-tuning for systems with extremely high determinism
    requirements.
    
    Security Fix(es) :
    
    * A flaw named FragmentSmack was found in the way the Linux kernel
    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
    attacker could use this flaw to trigger time and calculation expensive
    fragment reassembly algorithm by sending specially crafted packets
    which could lead to a CPU saturation and hence a denial of service on
    the system. (CVE-2018-5391)
    
    * kernel: out-of-bounds access in the show_timer function in
    kernel/time/ posix-timers.c (CVE-2017-18344)
    
    * kernel: Integer overflow in udl_fb_mmap() can allow attackers to
    execute code in kernel space (CVE-2018-8781)
    
    * kernel: MIDI driver race condition leads to a double-free
    (CVE-2018-10902)
    
    * kernel: Missing check in inode_init_owner() does not clear SGID bit
    on non-directories for non-members (CVE-2018-13405)
    
    * kernel: AIO write triggers integer overflow in some protocols
    (CVE-2015-8830)
    
    * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem
    potentially leads to privilege escalation (CVE-2017-0861)
    
    * kernel: Handling of might_cancel queueing is not properly pretected
    against race (CVE-2017-10661)
    
    * kernel: Salsa20 encryption algorithm does not correctly handle
    zero-length inputs allowing local attackers to cause denial of service
    (CVE-2017-17805)
    
    * kernel: Inifinite loop vulnerability in madvise_willneed() function
    allows local denial of service (CVE-2017-18208)
    
    * kernel: fuse-backed file mmap-ed onto process cmdline arguments
    causes denial of service (CVE-2018-1120)
    
    * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a
    system crash (CVE-2018-1130)
    
    * kernel: drivers/block/loop.c mishandles lo_release serialization
    allowing denial of service (CVE-2018-5344)
    
    * kernel: Missing length check of payload in _sctp_make_chunk()
    function allows denial of service (CVE-2018-5803)
    
    * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/
    wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)
    
    * kernel: out-of-bound write in ext4_init_block_bitmap function with a
    crafted ext4 image (CVE-2018-10878)
    
    * kernel: Improper validation in bnx2x network card driver can allow
    for denial of service attacks via crafted packet (CVE-2018-1000026)
    
    * kernel: Information leak when handling NM entries containing NUL
    (CVE-2016-4913)
    
    * kernel: Mishandling mutex within libsas allowing local Denial of
    Service (CVE-2017-18232)
    
    * kernel: NULL pointer dereference in ext4_process_freed_data() when
    mounting crafted ext4 image (CVE-2018-1092)
    
    * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes
    crash with crafted ext4 image (CVE-2018-1094)
    
    * kernel: vhost: Information disclosure in vhost.c:vhost_new_msg()
    (CVE-2018-1118)
    
    * kernel: Denial of service in resv_map_release function in
    mm/hugetlb.c (CVE-2018-7740)
    
    * kernel: Memory leak in the sas_smp_get_phy_events function in
    drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757)
    
    * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared()
    when mounting crafted xfs image allowing denial of service
    (CVE-2018-10322)
    
    * kernel: use-after-free detected in ext4_xattr_set_entry with a
    crafted file (CVE-2018-10879)
    
    * kernel: out-of-bound access in ext4_get_group_info() when mounting
    and operating a crafted ext4 image (CVE-2018-10881)
    
    * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata
    function (CVE-2018-10883)
    
    * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c
    (CVE-2018-10940)
    
    Red Hat would like to thank Juha-Matti Tilli (Aalto University -
    Department of Communications and Networking and Nokia Bell Labs) for
    reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting
    CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120;
    Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and
    Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/3553061"
      );
      # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3395ff0b"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:3096"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-8830"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-4913"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-0861"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-10661"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-17805"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18208"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18232"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18344"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18360"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1092"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1094"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1120"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1130"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5344"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5391"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5803"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5848"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7740"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7757"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-8781"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10322"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10878"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10879"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10881"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10902"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-13405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-18690"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1000026"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2017-18360", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-18690", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2018:3096");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:3096";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-debuginfo-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-devel-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-kvm-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-kvm-debuginfo-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debuginfo-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debuginfo-common-x86_64-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-devel-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-rt-doc-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-kvm-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-kvm-debuginfo-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-debuginfo-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-devel-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-kvm-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-kvm-debuginfo-3.10.0-957.rt56.910.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc");
      }
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1172-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-1087: And an unprivileged KVM guest user could use this flaw to potentially escalate their privileges inside a guest. (bsc#1087088) - CVE-2018-8897: An unprivileged system user could use incorrect set up interrupt stacks to crash the Linux kernel resulting in DoS issue. (bsc#1087088) - CVE-2018-10124: The kill_something_info function in kernel/signal.c might allow local users to cause a denial of service via an INT_MIN argument (bnc#1089752). - CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value (bnc#1089608). - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536 1087209). - CVE-2018-7566: A Buffer Overflow via an SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by a local user was fixed (bnc#1083483). - CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem allowed attackers to gain privileges via unspecified vectors (bnc#1088260). - CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious NCPFS servers to crash the kernel or execute code (bnc#1086162). - CVE-2017-13166: An elevation of privilege vulnerability in the kernel v4l2 video driver. (bnc#1072865). - CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices (bnc#1083242). - CVE-2017-16911: The vhci_hcd driver allowed allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP (bnc#1078674). - CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2017-16644: The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2018-6927: The futex_requeue function in kernel/futex.c might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757). - CVE-2017-16914: The
    last seen2020-06-01
    modified2020-06-02
    plugin id109646
    published2018-05-09
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109646
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2018:1172-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:1172-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109646);
      script_version("1.8");
      script_cvs_date("Date: 2019/09/10 13:51:47");
    
      script_cve_id("CVE-2015-5156", "CVE-2016-7915", "CVE-2017-0861", "CVE-2017-12190", "CVE-2017-13166", "CVE-2017-16644", "CVE-2017-16911", "CVE-2017-16912", "CVE-2017-16913", "CVE-2017-16914", "CVE-2017-18203", "CVE-2017-18208", "CVE-2018-10087", "CVE-2018-10124", "CVE-2018-1087", "CVE-2018-6927", "CVE-2018-7566", "CVE-2018-7757", "CVE-2018-8822", "CVE-2018-8897");
    
      script_name(english:"SUSE SLES11 Security Update : kernel (SUSE-SU-2018:1172-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive
    various security and bugfixes. The following security bugs were 
    fixed :
    
      - CVE-2018-1087: And an unprivileged KVM guest user could
        use this flaw to potentially escalate their privileges
        inside a guest. (bsc#1087088)
    
      - CVE-2018-8897: An unprivileged system user could use
        incorrect set up interrupt stacks to crash the Linux
        kernel resulting in DoS issue. (bsc#1087088)
    
      - CVE-2018-10124: The kill_something_info function in
        kernel/signal.c might allow local users to cause a
        denial of service via an INT_MIN argument (bnc#1089752).
    
      - CVE-2018-10087: The kernel_wait4 function in
        kernel/exit.c might allow local users to cause a denial
        of service by triggering an attempted use of the
        -INT_MIN value (bnc#1089608).
    
      - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events
        function in drivers/scsi/libsas/sas_expander.c allowed
        local users to cause a denial of service (memory
        consumption) via many read accesses to files in the
        /sys/class/sas_phy directory, as demonstrated by the
        /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file
        (bnc#1084536 1087209).
    
      - CVE-2018-7566: A Buffer Overflow via an
        SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to
        /dev/snd/seq by a local user was fixed (bnc#1083483).
    
      - CVE-2017-0861: Use-after-free vulnerability in the
        snd_pcm_info function in the ALSA subsystem allowed
        attackers to gain privileges via unspecified vectors
        (bnc#1088260).
    
      - CVE-2018-8822: Incorrect buffer length handling in the
        ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c
        could be exploited by malicious NCPFS servers to crash
        the kernel or execute code (bnc#1086162).
    
      - CVE-2017-13166: An elevation of privilege vulnerability
        in the kernel v4l2 video driver. (bnc#1072865).
    
      - CVE-2017-18203: The dm_get_from_kobject function in
        drivers/md/dm.c allow local users to cause a denial of
        service (BUG) by leveraging a race condition with
        __dm_destroy during creation and removal of DM devices
        (bnc#1083242).
    
      - CVE-2017-16911: The vhci_hcd driver allowed allows local
        attackers to disclose kernel memory addresses.
        Successful exploitation requires that a USB device is
        attached over IP (bnc#1078674).
    
      - CVE-2017-18208: The madvise_willneed function in
        mm/madvise.c allowed local users to cause a denial of
        service (infinite loop) by triggering use of
        MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
    
      - CVE-2017-16644: The hdpvr_probe function in
        drivers/media/usb/hdpvr/hdpvr-core.c allowed local users
        to cause a denial of service (improper error handling
        and system crash) or possibly have unspecified other
        impact via a crafted USB device (bnc#1067118).
    
      - CVE-2018-6927: The futex_requeue function in
        kernel/futex.c might allow attackers to cause a denial
        of service (integer overflow) or possibly have
        unspecified other impact by triggering a negative wake
        or requeue value (bnc#1080757).
    
      - CVE-2017-16914: The 'stub_send_ret_submit()' function
        (drivers/usb/usbip/stub_tx.c) allowed attackers to cause
        a denial of service (NULL pointer dereference) via a
        specially crafted USB over IP packet (bnc#1078669).
    
      - CVE-2016-7915: The hid_input_field function in
        drivers/hid/hid-core.c allowed physically proximate
        attackers to obtain sensitive information from kernel
        memory or cause a denial of service (out-of-bounds read)
        by connecting a device, as demonstrated by a Logitech DJ
        receiver (bnc#1010470).
    
      - CVE-2015-5156: The virtnet_probe function in
        drivers/net/virtio_net.c attempted to support a FRAGLIST
        feature without proper memory allocation, which allowed
        guest OS users to cause a denial of service (buffer
        overflow and memory corruption) via a crafted sequence
        of fragmented packets (bnc#940776).
    
      - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user
        functions in block/bio.c did unbalanced refcounting when
        a SCSI I/O vector has small consecutive buffers
        belonging to the same page. The bio_add_pc_page function
        merges them into one, but the page reference is never
        dropped. This causes a memory leak and possible system
        lockup (exploitable against the host OS by a guest OS
        user, if a SCSI disk is passed through to a virtual
        machine) due to an out-of-memory condition
        (bnc#1062568).
    
      - CVE-2017-16912: The 'get_pipe()' function
        (drivers/usb/usbip/stub_rx.c) allowed attackers to cause
        a denial of service (out-of-bounds read) via a specially
        crafted USB over IP packet (bnc#1078673).
    
      - CVE-2017-16913: The 'stub_recv_cmd_submit()' function
        (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT
        packets allowed attackers to cause a denial of service
        (arbitrary memory allocation) via a specially crafted
        USB over IP packet (bnc#1078672).
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010470"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1039348"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1052943"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1062568"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1062840"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1063416"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1067118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072689"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072865"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078669"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078672"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078673"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078674"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080464"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080757"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082424"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083242"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083483"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083494"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084536"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085331"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1086162"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087088"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087209"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087260"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087762"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1088147"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1088260"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1089608"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1089752"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=940776"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2015-5156/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-7915/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-0861/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-12190/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-13166/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16644/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16911/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16912/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16913/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16914/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18203/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18208/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-10087/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-10124/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1087/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-6927/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7566/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7757/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-8822/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-8897/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20181172-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1abfbd41"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch
    slessp3-kernel-source-20180429-13591=1
    
    SUSE Linux Enterprise Server 11-EXTRA:zypper in -t patch
    slexsp3-kernel-source-20180429-13591=1
    
    SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch
    sleposp3-kernel-source-20180429-13591=1
    
    SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch
    dbgsp3-kernel-source-20180429-13591=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-bigsmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-bigsmp-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-bigsmp-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-ec2-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-pae-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-trace-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-ec2-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-ec2-base-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-ec2-devel-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-xen-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-xen-base-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-xen-devel-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-bigsmp-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-bigsmp-base-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-bigsmp-devel-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-pae-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-pae-base-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"kernel-pae-devel-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"kernel-default-man-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-default-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-default-base-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-default-devel-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-source-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-syms-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-trace-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-trace-base-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", reference:"kernel-trace-devel-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-ec2-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-ec2-base-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-ec2-devel-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-xen-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-xen-base-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-xen-devel-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-pae-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-pae-base-3.0.101-0.47.106.22.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"3", cpu:"i586", reference:"kernel-pae-devel-3.0.101-0.47.106.22.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3657-1.NASL
    descriptionIt was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) Tuba Yavuz discovered that a double-free error existed in the USBTV007 driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17975) It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203) It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208) Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110052
    published2018-05-23
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110052
    titleUbuntu 17.10 : linux-raspi2 vulnerabilities (USN-3657-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3657-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110052);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      script_cve_id("CVE-2017-17449", "CVE-2017-17975", "CVE-2017-18203", "CVE-2017-18208", "CVE-2018-8822");
      script_xref(name:"USN", value:"3657-1");
    
      script_name(english:"Ubuntu 17.10 : linux-raspi2 vulnerabilities (USN-3657-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the netlink subsystem in the Linux kernel did
    not properly restrict observations of netlink messages to the
    appropriate net namespace. A local attacker could use this to expose
    sensitive information (kernel netlink traffic). (CVE-2017-17449)
    
    Tuba Yavuz discovered that a double-free error existed in the USBTV007
    driver of the Linux kernel. A local attacker could use this to cause a
    denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2017-17975)
    
    It was discovered that a race condition existed in the Device Mapper
    component of the Linux kernel. A local attacker could use this to
    cause a denial of service (system crash). (CVE-2017-18203)
    
    It was discovered that an infinite loop could occur in the madvise(2)
    implementation in the Linux kernel in certain circumstances. A local
    attacker could use this to cause a denial of service (system hang).
    (CVE-2017-18208)
    
    Silvio Cesare discovered a buffer overwrite existed in the NCPFS
    implementation in the Linux kernel. A remote attacker controlling a
    malicious NCPFS server could use this to cause a denial of service
    (system crash) or possibly execute arbitrary code. (CVE-2018-8822).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3657-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected linux-image-4.13-raspi2 and / or
    linux-image-raspi2 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(17\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 17.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-17449", "CVE-2017-17975", "CVE-2017-18203", "CVE-2017-18208", "CVE-2018-8822");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3657-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"17.10", pkgname:"linux-image-4.13.0-1020-raspi2", pkgver:"4.13.0-1020.21")) flag++;
    if (ubuntu_check(osver:"17.10", pkgname:"linux-image-raspi2", pkgver:"4.13.0.1020.18")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.13-raspi2 / linux-image-raspi2");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0785-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.120 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-13166: An elevation of privilege vulnerability in the v4l2 video driver was fixed. (bnc#1072865). - CVE-2017-15951: The KEYS subsystem did not correctly synchronize the actions of updating versus finding a key in the
    last seen2020-06-01
    modified2020-06-02
    plugin id108648
    published2018-03-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108648
    titleSUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:0785-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:0785-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108648);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/10 13:51:47");
    
      script_cve_id("CVE-2017-13166", "CVE-2017-15951", "CVE-2017-16644", "CVE-2017-16912", "CVE-2017-16913", "CVE-2017-17975", "CVE-2017-18208", "CVE-2018-1000026", "CVE-2018-1068", "CVE-2018-8087");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:0785-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.120 to
    receive various security and bugfixes. The following security bugs
    were fixed :
    
      - CVE-2017-13166: An elevation of privilege vulnerability
        in the v4l2 video driver was fixed. (bnc#1072865).
    
      - CVE-2017-15951: The KEYS subsystem did not correctly
        synchronize the actions of updating versus finding a key
        in the 'negative' state to avoid a race condition, which
        allowed local users to cause a denial of service or
        possibly have unspecified other impact via crafted
        system calls (bnc#1062840 bnc#1065615).
    
      - CVE-2017-16644: The hdpvr_probe function in
        drivers/media/usb/hdpvr/hdpvr-core.c allowed local users
        to cause a denial of service (improper error handling
        and system crash) or possibly have unspecified other
        impact via a crafted USB device (bnc#1067118).
    
      - CVE-2017-16912: The 'get_pipe()' function
        (drivers/usb/usbip/stub_rx.c) allowed attackers to cause
        a denial of service (out-of-bounds read) via a specially
        crafted USB over IP packet (bnc#1078673).
    
      - CVE-2017-16913: The 'stub_recv_cmd_submit()' function
        (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT
        packets allowed attackers to cause a denial of service
        (arbitrary memory allocation) via a specially crafted
        USB over IP packet (bnc#1078672).
    
      - CVE-2017-17975: Use-after-free in the usbtv_probe
        function in drivers/media/usb/usbtv/usbtv-core.c allowed
        attackers to cause a denial of service (system crash) or
        possibly have unspecified other impact by triggering
        failure of audio registration, because a kfree of the
        usbtv data structure occurs during a usbtv_video_free
        call, but the usbtv_video_fail label's code attempts to
        both access and free this data structure (bnc#1074426).
    
      - CVE-2017-18208: The madvise_willneed function in
        mm/madvise.c allowed local users to cause a denial of
        service (infinite loop) by triggering use of
        MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
    
      - CVE-2018-8087: Memory leak in the hwsim_new_radio_nl
        function in drivers/net/wireless/mac80211_hwsim.c
        allowed local users to cause a denial of service (memory
        consumption) by triggering an out-of-array error case
        (bnc#1085053).
    
      - CVE-2018-1000026: A insufficient input validation
        vulnerability in the bnx2x network card driver could
        result in DoS: Network card firmware assertion takes
        card off-line. This attack appear to be exploitable via
        An attacker on a must pass a very large, specially
        crafted packet to the bnx2x card. This can be done from
        an untrusted guest VM. (bnc#1079384).
    
      - CVE-2018-1068: Insufficient user provided offset
        checking in the ebtables compat code allowed local
        attackers to overwrite kernel memory and potentially
        execute code. (bsc#1085107)
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1005776"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1006867"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1012382"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1012829"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027054"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031717"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1034503"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1035432"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042286"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1043441"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1045330"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1062840"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065600"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065615"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1066223"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1067118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1068032"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1068569"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1069135"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1071306"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1071892"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072363"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072689"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072739"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1072865"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1073401"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1074198"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1074426"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1075087"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1076282"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1077285"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1077513"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1077560"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1077779"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078583"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078609"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078672"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078673"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1078787"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079029"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079038"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079384"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079989"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080014"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080263"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080344"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080360"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080364"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080384"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080464"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080774"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080809"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080813"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1080851"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081134"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081431"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081491"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081498"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081500"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081512"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1081671"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082223"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082299"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082478"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082795"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082864"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082897"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082979"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082993"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083494"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083548"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1084610"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085053"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085107"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085224"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1085239"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=863764"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=966328"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=975772"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=983145"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-13166/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15951/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16644/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16912/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16913/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-17975/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18208/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1000026/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1068/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-8087/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20180785-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ad41d0d5"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Workstation Extension 12-SP2:zypper in -t patch
    SUSE-SLE-WE-12-SP2-2018-535=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
    patch SUSE-SLE-SDK-12-SP2-2018-535=1
    
    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
    patch SUSE-SLE-RPI-12-SP2-2018-535=1
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2018-535=1
    
    SUSE Linux Enterprise Live Patching 12:zypper in -t patch
    SUSE-SLE-Live-Patching-12-2018-535=1
    
    SUSE Linux Enterprise High Availability 12-SP2:zypper in -t patch
    SUSE-SLE-HA-12-SP2-2018-535=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2018-535=1
    
    OpenStack Cloud Magnum Orchestration 7:zypper in -t patch
    SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-535=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-extra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"s390x", reference:"kernel-default-man-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"kernel-default-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"kernel-default-base-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"kernel-default-base-debuginfo-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"kernel-default-debuginfo-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"kernel-default-debugsource-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"kernel-default-devel-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"kernel-syms-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-debuginfo-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-debugsource-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-devel-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-extra-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-default-extra-debuginfo-4.4.120-92.70.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"kernel-syms-4.4.120-92.70.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-4057.NASL
    descriptionAn update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Kernel: page cache side channel attacks (CVE-2019-5489) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Inifinite loop vulnerability in mm/madvise.c:madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: use-after-free in drivers/char/ipmi/ipmi_si_intf.c, ipmi_si_mem_io.c, ipmi_si_port_io.c (CVE-2019-11811) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * update the MRG 2.5.z 3.10 realtime-kernel sources (BZ#1765670) * [MRG/R] pip_stress hangs when a priority inversion occurs (BZ#1772562)
    last seen2020-06-01
    modified2020-06-02
    plugin id131719
    published2019-12-05
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131719
    titleRHEL 6 : MRG (RHSA-2019:4057)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:4057. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131719);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/09");
    
      script_cve_id("CVE-2017-10661", "CVE-2017-18208", "CVE-2019-11811", "CVE-2019-5489");
      script_xref(name:"RHSA", value:"2019:4057");
    
      script_name(english:"RHEL 6 : MRG (RHSA-2019:4057)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel-rt is now available for Red Hat Enterprise MRG 2.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel-rt packages provide the Real Time Linux Kernel, which
    enables fine-tuning for systems with extremely high determinism
    requirements.
    
    Security Fix(es) :
    
    * Kernel: page cache side channel attacks (CVE-2019-5489)
    
    * kernel: Handling of might_cancel queueing is not properly pretected
    against race (CVE-2017-10661)
    
    * kernel: Inifinite loop vulnerability in
    mm/madvise.c:madvise_willneed() function allows local denial of
    service (CVE-2017-18208)
    
    * kernel: use-after-free in drivers/char/ipmi/ipmi_si_intf.c,
    ipmi_si_mem_io.c, ipmi_si_port_io.c (CVE-2019-11811)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section.
    
    Bug Fix(es) :
    
    * update the MRG 2.5.z 3.10 realtime-kernel sources (BZ#1765670)
    
    * [MRG/R] pip_stress hangs when a priority inversion occurs
    (BZ#1772562)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:4057"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-10661"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18208"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-5489"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-11811"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-10661", "CVE-2017-18208", "CVE-2019-11811", "CVE-2019-5489");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2019:4057");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:4057";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL6", rpm:"mrg-release"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "MRG");
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debug-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debug-debuginfo-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debug-devel-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debuginfo-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debuginfo-common-x86_64-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-devel-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"kernel-rt-doc-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"kernel-rt-firmware-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-trace-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-trace-debuginfo-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-trace-devel-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-vanilla-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-vanilla-debuginfo-3.10.0-693.61.1.rt56.656.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-vanilla-devel-3.10.0-693.61.1.rt56.656.el6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc");
      }
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3619-2.NASL
    descriptionUSN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task
    last seen2020-06-01
    modified2020-06-02
    plugin id108878
    published2018-04-06
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108878
    titleUbuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3619-2)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0834-1.NASL
    descriptionThe SUSE Linux Enterprise 12 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107). - CVE-2017-18221: The __munlock_pagevec function allowed local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls (bnc#1084323). - CVE-2018-1066: Prevent NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response was mishandled during session recovery (bnc#1083640). - CVE-2017-13166: Prevent elevation of privilege vulnerability in the kernel v4l2 video driver (bnc#1072865). - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose kernel memory addresses. Successful exploitation required that a USB device was attached over IP (bnc#1078674). - CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key that already exists but is uninstantiated, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (bnc#1063416). - CVE-2017-18208: The madvise_willneed function kernel allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2018-7566: The ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user could have reset the pool size manually via ioctl concurrently, which may have lead UAF or out-of-bound access (bsc#1083483). - CVE-2017-18204: The ocfs2_setattr function allowed local users to cause a denial of service (deadlock) via DIO requests (bnc#1083244). - CVE-2017-16644: The hdpvr_probe function allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2018-6927: The futex_requeue function allowed attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757). - CVE-2017-16914: The
    last seen2020-06-01
    modified2020-06-02
    plugin id108705
    published2018-03-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108705
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:0834-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2019-0035.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - scsi: libfc: Fixup disc_mutex handling in fcoe module (Hannes Reinecke) [Orabug: 29511036] - scsi: libfc: sanitize E_D_TOV and R_A_TOV setting in fcp (Hannes Reinecke) [Orabug: 29511036] - sysctl: Fix kabi breakage (Shuning Zhang) [Orabug: 29689925] - proc: Fix proc_sys_prune_dcache to hold a sb reference (Eric W. Biederman) [Orabug: 29689925] - proc/sysctl: Don
    last seen2020-06-01
    modified2020-06-02
    plugin id126670
    published2019-07-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126670
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0035) (Spectre)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3619-1.NASL
    descriptionJann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) It was discovered that an information disclosure vulnerability existed in the ACPI implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory addresses). (CVE-2017-11472) It was discovered that a use-after-free vulnerability existed in the network namespaces implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15129) It was discovered that the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel contained a use-after-free when handling device removal. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16528) Andrey Konovalov discovered that the usbtest device driver in the Linux kernel did not properly validate endpoint metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16532) Andrey Konovalov discovered that the Conexant cx231xx USB video capture driver in the Linux kernel did not properly validate interface descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16536) Andrey Konovalov discovered that the SoundGraph iMON USB driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16537) Andrey Konovalov discovered that the IMS Passenger Control Unit USB driver in the Linux kernel did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16645) Andrey Konovalov discovered that the DiBcom DiB0700 USB DVB driver in the Linux kernel did not properly handle detach events. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16646) Andrey Konovalov discovered that the CDC USB Ethernet driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16649) Andrey Konovalov discovered that the QMI WWAN USB driver did not properly validate device descriptors. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-16650) It was discovered that the USB Virtual Host Controller Interface (VHCI) driver in the Linux kernel contained an information disclosure vulnerability. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16911) It was discovered that the USB over IP implementation in the Linux kernel did not validate endpoint numbers. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16912) It was discovered that the USB over IP implementation in the Linux kernel did not properly validate CMD_SUBMIT packets. A remote attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2017-16913) It was discovered that the USB over IP implementation in the Linux kernel contained a NULL pointer dereference error. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-16914) It was discovered that the HugeTLB component of the Linux kernel did not properly handle holes in hugetlb ranges. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-16994) It was discovered that the netfilter component of the Linux did not properly restrict access to the connection tracking helpers list. A local attacker could use this to bypass intended access restrictions. (CVE-2017-17448) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the system-wide OS fingerprint list. (CVE-2017-17450) It was discovered that the core USB subsystem in the Linux kernel did not validate the number of configurations and interfaces in a device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2017-17558) Dmitry Vyukov discovered that the KVM implementation in the Linux kernel contained an out-of-bounds read when handling memory-mapped I/O. A local attacker could use this to expose sensitive information. (CVE-2017-17741) It was discovered that the Salsa20 encryption algorithm implementations in the Linux kernel did not properly handle zero-length inputs. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-17805) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) It was discovered that the keyring implementation in the Linux kernel did not properly check permissions when a key request was performed on a task
    last seen2020-06-01
    modified2020-06-02
    plugin id108842
    published2018-04-05
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108842
    titleUbuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3619-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1246.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Improper validation in the bnx2x network card driver of the Linux kernel version 4.15 can allow for denial of service (DoS) attacks via a packet with a gso_size larger than ~9700 bytes. Untrusted guest VMs can exploit this vulnerability in the host machine, causing a crash in the network card.(CVE-2018-1000026) - The futex_requeue function in kernel/futex.c in the Linux kernel, before 4.14.15, might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impacts by triggering a negative wake or requeue value. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2018-6927) - The madvise_willneed function in the Linux kernel allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.(CVE-2017-18208) - The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker.(CVE-2017-18203) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id117555
    published2018-09-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117555
    titleEulerOS Virtualization 2.5.0 : kernel (EulerOS-SA-2018-1246)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2948.NASL
    descriptionAn update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-alt packages provide the Linux kernel version 4.x. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id118513
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118513
    titleRHEL 7 : kernel-alt (RHSA-2018:2948) (Spectre)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3653-1.NASL
    descriptionJann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) Tuba Yavuz discovered that a double-free error existed in the USBTV007 driver of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17975) It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203) It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208) Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110046
    published2018-05-23
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110046
    titleUbuntu 17.10 : linux vulnerabilities (USN-3653-1) (Spectre)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-3083.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.
    last seen2020-06-01
    modified2020-06-02
    plugin id118990
    published2018-11-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118990
    titleCentOS 7 : kernel (CESA-2018:3083)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0848-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-1068: Fixed flaw in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107). - CVE-2017-18221: The __munlock_pagevec function allowed local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall system calls (bnc#1084323). - CVE-2018-1066: Prevent NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allowed an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response was mishandled during session recovery (bnc#1083640). - CVE-2017-13166: Prevent elevation of privilege vulnerability in the kernel v4l2 video driver (bnc#1072865). - CVE-2017-16911: The vhci_hcd driver allowed local attackers to disclose kernel memory addresses. Successful exploitation required that a USB device was attached over IP (bnc#1078674). - CVE-2017-15299: The KEYS subsystem mishandled use of add_key for a key that already exists but is uninstantiated, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted system call (bnc#1063416). - CVE-2017-18208: The madvise_willneed function kernel allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2018-7566: The ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user could have reset the pool size manually via ioctl concurrently, which may have lead UAF or out-of-bound access (bsc#1083483). - CVE-2017-18204: The ocfs2_setattr function allowed local users to cause a denial of service (deadlock) via DIO requests (bnc#1083244). - CVE-2017-16644: The hdpvr_probe function allowed local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067118). - CVE-2018-6927: The futex_requeue function allowed attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value (bnc#1080757). - CVE-2017-16914: The
    last seen2020-06-01
    modified2020-06-02
    plugin id108748
    published2018-03-30
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108748
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:0848-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3655-1.NASL
    descriptionJann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639) Jan H. Schonherr discovered that the Xen subsystem did not properly handle block IO merges correctly in some situations. An attacker in a guest vm could use this to cause a denial of service (host crash) or possibly gain administrative privileges in the host. (CVE-2017-12134) It was discovered that the Bluetooth HIP Protocol implementation in the Linux kernel did not properly validate HID connection setup information. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-13220) It was discovered that a buffer overread vulnerability existed in the keyring subsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2017-13305) It was discovered that the netlink subsystem in the Linux kernel did not properly restrict observations of netlink messages to the appropriate net namespace. A local attacker could use this to expose sensitive information (kernel netlink traffic). (CVE-2017-17449) It was discovered that a race condition existed in the i8042 serial device driver implementation in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18079) It was discovered that a race condition existed in the Device Mapper component of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-18203) It was discovered that a race condition existed in the OCFS2 file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18204) It was discovered that an infinite loop could occur in the madvise(2) implementation in the Linux kernel in certain circumstances. A local attacker could use this to cause a denial of service (system hang). (CVE-2017-18208) Kefeng Wang discovered that a race condition existed in the memory locking implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18221) Silvio Cesare discovered a buffer overwrite existed in the NCPFS implementation in the Linux kernel. A remote attacker controlling a malicious NCPFS server could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-8822). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id110050
    published2018-05-23
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110050
    titleUbuntu 14.04 LTS : linux vulnerabilities (USN-3655-1) (Spectre)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-292.NASL
    descriptionThe openSUSE Leap 42.3 kernel was updated to 4.4.120 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-8087: Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c allowed local users to cause a denial of service (memory consumption) by triggering an out-of-array error case (bnc#1085053). - CVE-2017-13166: An elevation of privilege vulnerability in the v4l2 video driver was fixed. (bnc#1072865). - CVE-2017-18208: The madvise_willneed function in mm/madvise.c in the Linux kernel allowed local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping (bnc#1083494). - CVE-2017-17975: Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c allowed attackers to cause a denial of service (system crash) or possibly have unspecified other impact by triggering failure of audio registration, because a kfree of the usbtv data structure occurs during a usbtv_video_free call, but the usbtv_video_fail label
    last seen2020-06-05
    modified2018-03-23
    plugin id108577
    published2018-03-23
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108577
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2018-292)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0074_KERNEL-RT.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in
    last seen2020-06-01
    modified2020-06-02
    plugin id127281
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127281
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0074)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1526.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A double free vulnerability was found in netlink_dump, which could cause a denial of service or possibly other unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2016-9806i1/4%0 - Memory leak in drivers/media/video/videobuf-core.c in the videobuf subsystem in the Linux kernel 2.6.x through 4.x allows local users to cause a denial of service (memory consumption) by leveraging /dev/video access for a series of mmap calls that require new allocations, a different vulnerability than CVE-2007-6761. NOTE: as of 2016-06-18, this affects only 11 drivers that have not been updated to use videobuf2 instead of videobuf.(CVE-2010-5321i1/4%0 - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2018-1108i1/4%0 - The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.(CVE-2019-7222i1/4%0 - The adreno_perfcounter_query_group function in drivers/gpu/msm/adreno_perfcounter.c in the Adreno GPU driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, uses an incorrect integer data type, which allows attackers to cause a denial of service (integer overflow, heap-based buffer overflow, and incorrect memory allocation) or possibly have unspecified other impact via a crafted IOCTL_KGSL_PERFCOUNTER_QUERY ioctl call.(CVE-2016-2062i1/4%0 - drivers/hid/hid-ntrig.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_NTRIG is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device.(CVE-2013-2896i1/4%0 - The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-3139i1/4%0 - An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function.(CVE-2017-7542i1/4%0 - Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel through 4.11.8 allows attackers to cause a denial of service (memory consumption) by triggering object-initialization failures.(CVE-2017-10810i1/4%0 - The ping_recvmsg function in net/ipv4/ping.c in the Linux kernel before 3.12.4 does not properly interact with read system calls on ping sockets, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging unspecified privileges to execute a crafted application.(CVE-2013-6432i1/4%0 - The madvise_willneed function in the Linux kernel allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.(CVE-2017-18208i1/4%0 - An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.(CVE-2018-17182i1/4%0 - The ieee80211_radiotap_iterator_init function in net/wireless/radiotap.c in the Linux kernel before 3.11.7 does not check whether a frame contains any data outside of the header, which might allow attackers to cause a denial of service (buffer over-read) via a crafted header.(CVE-2013-7027i1/4%0 - The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time window, related to a race condition, or (2) after an xattr-replacement attempt that fails because the data does not fit.(CVE-2014-9710i1/4%0 - A flaw was found in the way the Linux kernel
    last seen2020-03-19
    modified2019-05-14
    plugin id124979
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124979
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1526)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1501.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel, before 4.13.8, allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16533) - The cdc_parse_cdc_header() function in
    last seen2020-06-01
    modified2020-06-02
    plugin id124824
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124824
    titleEulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1501)

Redhat

advisories
  • rhsa
    idRHSA-2018:2948
  • rhsa
    idRHSA-2018:3083
  • rhsa
    idRHSA-2018:3096
  • rhsa
    idRHSA-2019:3967
  • rhsa
    idRHSA-2019:4057
  • rhsa
    idRHSA-2019:4058
rpms
  • kernel-0:4.14.0-115.el7a
  • kernel-abi-whitelists-0:4.14.0-115.el7a
  • kernel-bootwrapper-0:4.14.0-115.el7a
  • kernel-debug-0:4.14.0-115.el7a
  • kernel-debug-debuginfo-0:4.14.0-115.el7a
  • kernel-debug-devel-0:4.14.0-115.el7a
  • kernel-debuginfo-0:4.14.0-115.el7a
  • kernel-debuginfo-common-aarch64-0:4.14.0-115.el7a
  • kernel-debuginfo-common-ppc64le-0:4.14.0-115.el7a
  • kernel-debuginfo-common-s390x-0:4.14.0-115.el7a
  • kernel-devel-0:4.14.0-115.el7a
  • kernel-doc-0:4.14.0-115.el7a
  • kernel-headers-0:4.14.0-115.el7a
  • kernel-kdump-0:4.14.0-115.el7a
  • kernel-kdump-debuginfo-0:4.14.0-115.el7a
  • kernel-kdump-devel-0:4.14.0-115.el7a
  • kernel-tools-0:4.14.0-115.el7a
  • kernel-tools-debuginfo-0:4.14.0-115.el7a
  • kernel-tools-libs-0:4.14.0-115.el7a
  • kernel-tools-libs-devel-0:4.14.0-115.el7a
  • perf-0:4.14.0-115.el7a
  • perf-debuginfo-0:4.14.0-115.el7a
  • python-perf-0:4.14.0-115.el7a
  • python-perf-debuginfo-0:4.14.0-115.el7a
  • bpftool-0:3.10.0-957.el7
  • kernel-0:3.10.0-957.el7
  • kernel-abi-whitelists-0:3.10.0-957.el7
  • kernel-bootwrapper-0:3.10.0-957.el7
  • kernel-debug-0:3.10.0-957.el7
  • kernel-debug-debuginfo-0:3.10.0-957.el7
  • kernel-debug-devel-0:3.10.0-957.el7
  • kernel-debuginfo-0:3.10.0-957.el7
  • kernel-debuginfo-common-ppc64-0:3.10.0-957.el7
  • kernel-debuginfo-common-ppc64le-0:3.10.0-957.el7
  • kernel-debuginfo-common-s390x-0:3.10.0-957.el7
  • kernel-debuginfo-common-x86_64-0:3.10.0-957.el7
  • kernel-devel-0:3.10.0-957.el7
  • kernel-doc-0:3.10.0-957.el7
  • kernel-headers-0:3.10.0-957.el7
  • kernel-kdump-0:3.10.0-957.el7
  • kernel-kdump-debuginfo-0:3.10.0-957.el7
  • kernel-kdump-devel-0:3.10.0-957.el7
  • kernel-tools-0:3.10.0-957.el7
  • kernel-tools-debuginfo-0:3.10.0-957.el7
  • kernel-tools-libs-0:3.10.0-957.el7
  • kernel-tools-libs-devel-0:3.10.0-957.el7
  • perf-0:3.10.0-957.el7
  • perf-debuginfo-0:3.10.0-957.el7
  • python-perf-0:3.10.0-957.el7
  • python-perf-debuginfo-0:3.10.0-957.el7
  • kernel-rt-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-devel-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-kvm-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-kvm-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debuginfo-common-x86_64-0:3.10.0-957.rt56.910.el7
  • kernel-rt-devel-0:3.10.0-957.rt56.910.el7
  • kernel-rt-doc-0:3.10.0-957.rt56.910.el7
  • kernel-rt-kvm-0:3.10.0-957.rt56.910.el7
  • kernel-rt-kvm-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-devel-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-kvm-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-kvm-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-0:3.10.0-862.44.2.el7
  • kernel-abi-whitelists-0:3.10.0-862.44.2.el7
  • kernel-bootwrapper-0:3.10.0-862.44.2.el7
  • kernel-debug-0:3.10.0-862.44.2.el7
  • kernel-debug-debuginfo-0:3.10.0-862.44.2.el7
  • kernel-debug-devel-0:3.10.0-862.44.2.el7
  • kernel-debuginfo-0:3.10.0-862.44.2.el7
  • kernel-debuginfo-common-ppc64-0:3.10.0-862.44.2.el7
  • kernel-debuginfo-common-ppc64le-0:3.10.0-862.44.2.el7
  • kernel-debuginfo-common-s390x-0:3.10.0-862.44.2.el7
  • kernel-debuginfo-common-x86_64-0:3.10.0-862.44.2.el7
  • kernel-devel-0:3.10.0-862.44.2.el7
  • kernel-doc-0:3.10.0-862.44.2.el7
  • kernel-headers-0:3.10.0-862.44.2.el7
  • kernel-kdump-0:3.10.0-862.44.2.el7
  • kernel-kdump-debuginfo-0:3.10.0-862.44.2.el7
  • kernel-kdump-devel-0:3.10.0-862.44.2.el7
  • kernel-tools-0:3.10.0-862.44.2.el7
  • kernel-tools-debuginfo-0:3.10.0-862.44.2.el7
  • kernel-tools-libs-0:3.10.0-862.44.2.el7
  • kernel-tools-libs-devel-0:3.10.0-862.44.2.el7
  • perf-0:3.10.0-862.44.2.el7
  • perf-debuginfo-0:3.10.0-862.44.2.el7
  • python-perf-0:3.10.0-862.44.2.el7
  • python-perf-debuginfo-0:3.10.0-862.44.2.el7
  • kernel-rt-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-debug-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-debug-debuginfo-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-debug-devel-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-debuginfo-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-debuginfo-common-x86_64-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-devel-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-doc-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-firmware-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-trace-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-trace-debuginfo-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-trace-devel-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-vanilla-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-vanilla-debuginfo-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-rt-vanilla-devel-1:3.10.0-693.61.1.rt56.656.el6rt
  • kernel-0:3.10.0-693.61.1.el7
  • kernel-abi-whitelists-0:3.10.0-693.61.1.el7
  • kernel-bootwrapper-0:3.10.0-693.61.1.el7
  • kernel-debug-0:3.10.0-693.61.1.el7
  • kernel-debug-debuginfo-0:3.10.0-693.61.1.el7
  • kernel-debug-devel-0:3.10.0-693.61.1.el7
  • kernel-debuginfo-0:3.10.0-693.61.1.el7
  • kernel-debuginfo-common-ppc64le-0:3.10.0-693.61.1.el7
  • kernel-debuginfo-common-x86_64-0:3.10.0-693.61.1.el7
  • kernel-devel-0:3.10.0-693.61.1.el7
  • kernel-doc-0:3.10.0-693.61.1.el7
  • kernel-headers-0:3.10.0-693.61.1.el7
  • kernel-tools-0:3.10.0-693.61.1.el7
  • kernel-tools-debuginfo-0:3.10.0-693.61.1.el7
  • kernel-tools-libs-0:3.10.0-693.61.1.el7
  • kernel-tools-libs-devel-0:3.10.0-693.61.1.el7
  • perf-0:3.10.0-693.61.1.el7
  • perf-debuginfo-0:3.10.0-693.61.1.el7
  • python-perf-0:3.10.0-693.61.1.el7
  • python-perf-debuginfo-0:3.10.0-693.61.1.el7

References