Vulnerabilities > CVE-2017-18232 - Unspecified vulnerability in Linux Kernel

047910
CVSS 2.1 - LOW
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
local
low complexity
linux
nessus

Summary

The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.

Vulnerable Configurations

Part Description Count
OS
Linux
2895

Nessus

  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-1_0-0161_LINUX.NASL
    descriptionAn update of the linux package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121857
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121857
    titlePhoton OS 1.0: Linux PHSA-2018-1.0-0161
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2018-1.0-0161. The text
    # itself is copyright (C) VMware, Inc.
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(121857);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2019/02/07");
    
      script_cve_id("CVE-2017-18232", "CVE-2018-10323");
    
      script_name(english:"Photon OS 1.0: Linux PHSA-2018-1.0-0161");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the linux package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-1.0-161.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-10323");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/07");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-debuginfo-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-debuginfo-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-dev-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-dev-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-docs-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-docs-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-drivers-gpu-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-drivers-gpu-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-esx-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-esx-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-esx-debuginfo-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-esx-debuginfo-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-esx-devel-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-esx-devel-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-esx-docs-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-esx-docs-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-oprofile-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-oprofile-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-sound-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-sound-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-tools-4.4.139-2.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"linux-tools-4.4.139-2.ph1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1505.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system.(CVE-2018-5391)Multiple out-of-bounds write flaws were found in the way the Cherry Cymotion keyboard driver, KYE/Genius device drivers, Logitech device drivers, Monterey Genius KB29E keyboard driver, Petalynx Maxter remote control driver, and Sunplus wireless desktop driver handled HID reports with an invalid report descriptor size. An attacker with physical access to the system could use either of these flaws to write data past an allocated memory buffer.(CVE-2014-3184)The __get_data_block function in fs/f2fs/data.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl.(CVE-2017-18257)netetfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations. This allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all network namespaces.(CVE-2017-17450)A denial of service flaw was discovered in the Linux kernel, where a race condition caused a NULL pointer dereference in the RDS socket-creation code. A local attacker could use this flaw to create a situation in which a NULL pointer crashed the kernel.(CVE-2015-7990)An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.(CVE-2018-20169)mm/memory.c in the Linux kernel before 4.1.4 mishandles anonymous pages, which allows local users to gain privileges or cause a denial of service (page tainting) via a crafted application that triggers writing to page zero.(CVE-2015-3288)The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.(CVE-2015-8660)A flaw was found in the Linux kernel where a local user with a shell account can abuse the userfaultfd syscall when using hugetlbfs. A missing size check in hugetlb_mcopy_atomic_pte could create an invalid inode variable, leading to a kernel panic.(CVE-2017-15128)An integer overflow flaw was found in the way the lzo1x_decompress_safe() function of the Linux kernel
    last seen2020-04-16
    modified2019-05-13
    plugin id124828
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124828
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1505)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124828);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/14");
    
      script_cve_id(
        "CVE-2014-3184",
        "CVE-2014-3534",
        "CVE-2014-4608",
        "CVE-2014-8481",
        "CVE-2014-9904",
        "CVE-2015-3288",
        "CVE-2015-7990",
        "CVE-2015-8660",
        "CVE-2016-10044",
        "CVE-2016-3955",
        "CVE-2016-6828",
        "CVE-2017-1000405",
        "CVE-2017-15128",
        "CVE-2017-17450",
        "CVE-2017-18232",
        "CVE-2017-18257",
        "CVE-2017-7374",
        "CVE-2018-20169",
        "CVE-2018-5391",
        "CVE-2018-7740"
      );
      script_bugtraq_id(
        68214,
        68940,
        69768,
        70712
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1505)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The kernel package contains the Linux kernel (vmlinuz),
        the core of any Linux operating system. The kernel
        handles the basic functions of the operating system:
        memory allocation, process allocation, device input and
        output, etc.Security Fix(es):A flaw named FragmentSmack
        was found in the way the Linux kernel handled
        reassembly of fragmented IPv4 and IPv6 packets. A
        remote attacker could use this flaw to trigger time and
        calculation expensive fragment reassembly algorithm by
        sending specially crafted packets which could lead to a
        CPU saturation and hence a denial of service on the
        system.(CVE-2018-5391)Multiple out-of-bounds write
        flaws were found in the way the Cherry Cymotion
        keyboard driver, KYE/Genius device drivers, Logitech
        device drivers, Monterey Genius KB29E keyboard driver,
        Petalynx Maxter remote control driver, and Sunplus
        wireless desktop driver handled HID reports with an
        invalid report descriptor size. An attacker with
        physical access to the system could use either of these
        flaws to write data past an allocated memory
        buffer.(CVE-2014-3184)The __get_data_block function in
        fs/f2fs/data.c in the Linux kernel before 4.11 allows
        local users to cause a denial of service (integer
        overflow and loop) via crafted use of the open and
        fallocate system calls with an FS_IOC_FIEMAP
        ioctl.(CVE-2017-18257)netetfilter/xt_osf.c in the Linux
        kernel through 4.14.4 does not require the
        CAP_NET_ADMIN capability for add_callback and
        remove_callback operations. This allows local users to
        bypass intended access restrictions because the
        xt_osf_fingers data structure is shared across all
        network namespaces.(CVE-2017-17450)A denial of service
        flaw was discovered in the Linux kernel, where a race
        condition caused a NULL pointer dereference in the RDS
        socket-creation code. A local attacker could use this
        flaw to create a situation in which a NULL pointer
        crashed the kernel.(CVE-2015-7990)An issue was
        discovered in the Linux kernel before 4.19.9. The USB
        subsystem mishandles size checks during the reading of
        an extra descriptor, related to
        __usb_get_extra_descriptor in
        drivers/usb/core/usb.c.(CVE-2018-20169)mm/memory.c in
        the Linux kernel before 4.1.4 mishandles anonymous
        pages, which allows local users to gain privileges or
        cause a denial of service (page tainting) via a crafted
        application that triggers writing to page
        zero.(CVE-2015-3288)The ovl_setattr function in
        fs/overlayfs/inode.c in the Linux kernel through 4.3.3
        attempts to merge distinct setattr operations, which
        allows local users to bypass intended access
        restrictions and modify the attributes of arbitrary
        overlay files via a crafted
        application.(CVE-2015-8660)A flaw was found in the
        Linux kernel where a local user with a shell account
        can abuse the userfaultfd syscall when using hugetlbfs.
        A missing size check in hugetlb_mcopy_atomic_pte could
        create an invalid inode variable, leading to a kernel
        panic.(CVE-2017-15128)An integer overflow flaw was
        found in the way the lzo1x_decompress_safe() function
        of the Linux kernel's LZO implementation processed
        Literal Runs. A local attacker could, in extremely rare
        cases, use this flaw to crash the system or,
        potentially, escalate their privileges on the
        system.(CVE-2014-4608)It was found that Linux kernel's
        ptrace subsystem did not properly sanitize the
        address-space-control bits when the program-status word
        (PSW) was being set. On IBM S/390 systems, a local,
        unprivileged user could use this flaw to set
        address-space-control bits to the kernel space, and
        thus gain read and write access to kernel
        memory.(CVE-2014-3534)A use-after-free flaw was found
        in the Linux kernel's file system encryption
        implementation. A local user could revoke keyring keys
        being used for ext4, f2fs, or ubifs encryption, causing
        a denial of service on the system.(CVE-2017-7374)The
        usbip_recv_xbuff function in
        drivers/usb/usbip/usbip_common.c in the Linux kernel
        before 4.5.3 allows remote attackers to cause a denial
        of service (out-of-bounds write) or possibly have
        unspecified other impact via a crafted length value in
        a USB/IP packet.(CVE-2016-3955)A flaw was found in the
        patches used to fix the 'dirtycow' vulnerability
        (CVE-2016-5195). An attacker, able to run local code,
        can exploit a race condition in transparent huge pages
        to modify usually read-only huge
        pages.(CVE-2017-1000405)The aio_mount function in
        fs/aio.c in the Linux kernel does not properly restrict
        execute access, which makes it easier for local users
        to bypass intended SELinux W^X policy
        restrictions.(CVE-2016-10044)The Serial Attached SCSI
        (SAS) implementation in the Linux kernel mishandles a
        mutex within libsas. This allows local users to cause a
        denial of service (deadlock) by triggering certain
        error-handling code.(CVE-2017-18232)A use-after-free
        vulnerability was found in tcp_xmit_retransmit_queue
        and other tcp_* functions. This condition could allow
        an attacker to send an incorrect selective
        acknowledgment to existing connections, possibly
        resetting a connection.(CVE-2016-6828)The instruction
        decoder in arch/x86/kvm/emulate.c in the KVM subsystem
        in the Linux kernel before 3.18-rc2 does not properly
        handle invalid instructions, which allows guest OS
        users to cause a denial of service (NULL pointer
        dereference and host OS crash) via a crafted
        application that triggers (1) an improperly fetched
        instruction or (2) an instruction that occupies too
        many bytes. NOTE: this vulnerability exists because of
        an incomplete fix for CVE-2014-8480.(CVE-2014-8481)The
        snd_compress_check_input function in
        sound/core/compress_offload.c in the ALSA subsystem in
        the Linux kernel before 3.17 does not properly check
        for an integer overflow, which allows local users to
        cause a denial of service (insufficient memory
        allocation) or possibly have unspecified other impact
        via a crafted SNDRV_COMPRESS_SET_PARAMS ioctl
        call.(CVE-2014-9904)The resv_map_release function in
        mm/hugetlb.c in the Linux kernel, through 4.15.7,
        allows local users to cause a denial of service (BUG)
        via a crafted application that makes mmap system calls
        and has a large pgoff argument to the remap_file_pages
        system call.(CVE-2018-7740)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1505
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0dd8d759");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Overlayfs Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.28-1.2.117",
            "kernel-devel-4.19.28-1.2.117",
            "kernel-headers-4.19.28-1.2.117",
            "kernel-tools-4.19.28-1.2.117",
            "kernel-tools-libs-4.19.28-1.2.117",
            "kernel-tools-libs-devel-4.19.28-1.2.117",
            "perf-4.19.28-1.2.117",
            "python-perf-4.19.28-1.2.117"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20181030_KERNEL_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) - kernel: out-of-bounds access in the show_timer function in kernel/time /posix-timers.c (CVE-2017-18344) - kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) - kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) - kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) - kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) - kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) - kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) - kernel: Salsa20 encryption algorithm does not correctly handle zero- length inputs allowing local attackers to cause denial of service (CVE-2017-17805) - kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) - kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) - kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) - kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) - kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) - kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) - kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) - kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) - kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) - kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) - kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) - kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) - kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) - kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) - kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c (CVE-2018-7757) - kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) - kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) - kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) - kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) - kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940)
    last seen2020-03-18
    modified2018-11-27
    plugin id119187
    published2018-11-27
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119187
    titleScientific Linux Security Update : kernel on SL7.x x86_64 (20181030)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119187);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/01");
    
      script_cve_id("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");
    
      script_name(english:"Scientific Linux Security Update : kernel on SL7.x x86_64 (20181030)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Security Fix(es) :
    
      - A flaw named FragmentSmack was found in the way the
        Linux kernel handled reassembly of fragmented IPv4 and
        IPv6 packets. A remote attacker could use this flaw to
        trigger time and calculation expensive fragment
        reassembly algorithm by sending specially crafted
        packets which could lead to a CPU saturation and hence a
        denial of service on the system. (CVE-2018-5391)
    
      - kernel: out-of-bounds access in the show_timer function
        in kernel/time /posix-timers.c (CVE-2017-18344)
    
      - kernel: Integer overflow in udl_fb_mmap() can allow
        attackers to execute code in kernel space
        (CVE-2018-8781)
    
      - kernel: MIDI driver race condition leads to a
        double-free (CVE-2018-10902)
    
      - kernel: Missing check in inode_init_owner() does not
        clear SGID bit on non-directories for non-members
        (CVE-2018-13405)
    
      - kernel: AIO write triggers integer overflow in some
        protocols (CVE-2015-8830)
    
      - kernel: Use-after-free in snd_pcm_info function in ALSA
        subsystem potentially leads to privilege escalation
        (CVE-2017-0861)
    
      - kernel: Handling of might_cancel queueing is not
        properly pretected against race (CVE-2017-10661)
    
      - kernel: Salsa20 encryption algorithm does not correctly
        handle zero- length inputs allowing local attackers to
        cause denial of service (CVE-2017-17805)
    
      - kernel: Inifinite loop vulnerability in
        madvise_willneed() function allows local denial of
        service (CVE-2017-18208)
    
      - kernel: fuse-backed file mmap-ed onto process cmdline
        arguments causes denial of service (CVE-2018-1120)
    
      - kernel: a NULL pointer dereference in dccp_write_xmit()
        leads to a system crash (CVE-2018-1130)
    
      - kernel: drivers/block/loop.c mishandles lo_release
        serialization allowing denial of service (CVE-2018-5344)
    
      - kernel: Missing length check of payload in
        _sctp_make_chunk() function allows denial of service
        (CVE-2018-5803)
    
      - kernel: buffer overflow in
        drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may
        lead to memory corruption (CVE-2018-5848)
    
      - kernel: out-of-bound write in ext4_init_block_bitmap
        function with a crafted ext4 image (CVE-2018-10878)
    
      - kernel: Improper validation in bnx2x network card driver
        can allow for denial of service attacks via crafted
        packet (CVE-2018-1000026)
    
      - kernel: Information leak when handling NM entries
        containing NUL (CVE-2016-4913)
    
      - kernel: Mishandling mutex within libsas allowing local
        Denial of Service (CVE-2017-18232)
    
      - kernel: NULL pointer dereference in
        ext4_process_freed_data() when mounting crafted ext4
        image (CVE-2018-1092)
    
      - kernel: NULL pointer dereference in
        ext4_xattr_inode_hash() causes crash with crafted ext4
        image (CVE-2018-1094)
    
      - kernel: vhost: Information disclosure in
        vhost/vhost.c:vhost_new_msg() (CVE-2018-1118)
    
      - kernel: Denial of service in resv_map_release function
        in mm/hugetlb.c (CVE-2018-7740)
    
      - kernel: Memory leak in the sas_smp_get_phy_events
        function in drivers/scsi/libsas/sas_expander.c
        (CVE-2018-7757)
    
      - kernel: Invalid pointer dereference in
        xfs_ilock_attr_map_shared() when mounting crafted xfs
        image allowing denial of service (CVE-2018-10322)
    
      - kernel: use-after-free detected in ext4_xattr_set_entry
        with a crafted file (CVE-2018-10879)
    
      - kernel: out-of-bound access in ext4_get_group_info()
        when mounting and operating a crafted ext4 image
        (CVE-2018-10881)
    
      - kernel: stack-out-of-bounds write in
        jbd2_journal_dirty_metadata function (CVE-2018-10883)
    
      - kernel: incorrect memory bounds check in
        drivers/cdrom/cdrom.c (CVE-2018-10940)"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1811&L=scientific-linux-errata&F=&S=&P=8524
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?faf0e575"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-10661");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"bpftool-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", reference:"kernel-abi-whitelists-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-debuginfo-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debuginfo-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", reference:"kernel-doc-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-debuginfo-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"perf-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"perf-debuginfo-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"python-perf-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"python-perf-debuginfo-3.10.0-957.el7")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bpftool / kernel / kernel-abi-whitelists / kernel-debug / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3083.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.
    last seen2020-06-01
    modified2020-06-02
    plugin id118525
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118525
    titleRHEL 7 : kernel (RHSA-2018:3083)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:3083. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118525);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/24 15:35:45");
    
      script_cve_id("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2017-18360", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-18690", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");
      script_xref(name:"RHSA", value:"2018:3083");
    
      script_name(english:"RHEL 7 : kernel (RHSA-2018:3083)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    Security Fix(es) :
    
    * A flaw named FragmentSmack was found in the way the Linux kernel
    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
    attacker could use this flaw to trigger time and calculation expensive
    fragment reassembly algorithm by sending specially crafted packets
    which could lead to a CPU saturation and hence a denial of service on
    the system. (CVE-2018-5391)
    
    * kernel: out-of-bounds access in the show_timer function in
    kernel/time/ posix-timers.c (CVE-2017-18344)
    
    * kernel: Integer overflow in udl_fb_mmap() can allow attackers to
    execute code in kernel space (CVE-2018-8781)
    
    * kernel: MIDI driver race condition leads to a double-free
    (CVE-2018-10902)
    
    * kernel: Missing check in inode_init_owner() does not clear SGID bit
    on non-directories for non-members (CVE-2018-13405)
    
    * kernel: AIO write triggers integer overflow in some protocols
    (CVE-2015-8830)
    
    * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem
    potentially leads to privilege escalation (CVE-2017-0861)
    
    * kernel: Handling of might_cancel queueing is not properly pretected
    against race (CVE-2017-10661)
    
    * kernel: Salsa20 encryption algorithm does not correctly handle
    zero-length inputs allowing local attackers to cause denial of service
    (CVE-2017-17805)
    
    * kernel: Inifinite loop vulnerability in madvise_willneed() function
    allows local denial of service (CVE-2017-18208)
    
    * kernel: fuse-backed file mmap-ed onto process cmdline arguments
    causes denial of service (CVE-2018-1120)
    
    * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a
    system crash (CVE-2018-1130)
    
    * kernel: drivers/block/loop.c mishandles lo_release serialization
    allowing denial of service (CVE-2018-5344)
    
    * kernel: Missing length check of payload in _sctp_make_chunk()
    function allows denial of service (CVE-2018-5803)
    
    * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/
    wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)
    
    * kernel: out-of-bound write in ext4_init_block_bitmap function with a
    crafted ext4 image (CVE-2018-10878)
    
    * kernel: Improper validation in bnx2x network card driver can allow
    for denial of service attacks via crafted packet (CVE-2018-1000026)
    
    * kernel: Information leak when handling NM entries containing NUL
    (CVE-2016-4913)
    
    * kernel: Mishandling mutex within libsas allowing local Denial of
    Service (CVE-2017-18232)
    
    * kernel: NULL pointer dereference in ext4_process_freed_data() when
    mounting crafted ext4 image (CVE-2018-1092)
    
    * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes
    crash with crafted ext4 image (CVE-2018-1094)
    
    * kernel: vhost: Information disclosure in
    vhost/vhost.c:vhost_new_msg() (CVE-2018-1118)
    
    * kernel: Denial of service in resv_map_release function in
    mm/hugetlb.c (CVE-2018-7740)
    
    * kernel: Memory leak in the sas_smp_get_phy_events function in
    drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757)
    
    * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared()
    when mounting crafted xfs image allowing denial of service
    (CVE-2018-10322)
    
    * kernel: use-after-free detected in ext4_xattr_set_entry with a
    crafted file (CVE-2018-10879)
    
    * kernel: out-of-bound access in ext4_get_group_info() when mounting
    and operating a crafted ext4 image (CVE-2018-10881)
    
    * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata
    function (CVE-2018-10883)
    
    * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c
    (CVE-2018-10940)
    
    Red Hat would like to thank Juha-Matti Tilli (Aalto University -
    Department of Communications and Networking and Nokia Bell Labs) for
    reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting
    CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120;
    Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and
    Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/3553061"
      );
      # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3395ff0b"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:3083"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-8830"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-4913"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-0861"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-10661"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-17805"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18208"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18232"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18344"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18360"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1092"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1094"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1120"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1130"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5344"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5391"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5803"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5848"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7740"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7757"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-8781"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10322"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10878"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10879"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10881"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10902"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-13405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-18690"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1000026"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2017-18360", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-18690", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2018:3083");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:3083";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"bpftool-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-abi-whitelists-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debug-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-devel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-common-s390x-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-devel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-doc-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-headers-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-devel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-tools-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"perf-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"perf-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"python-perf-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-debuginfo-3.10.0-957.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"python-perf-debuginfo-3.10.0-957.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bpftool / kernel / kernel-abi-whitelists / kernel-debug / etc");
      }
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4163-1.NASL
    descriptionIt was discovered that a race condition existed in the ARC EMAC ethernet driver for the Linux kernel, resulting in a use-after-free vulnerability. An attacker could use this to cause a denial of service (system crash). (CVE-2016-10906) It was discovered that a race condition existed in the Serial Attached SCSI (SAS) implementation in the Linux kernel when handling certain error conditions. A local attacker could use this to cause a denial of service (kernel deadlock). (CVE-2017-18232) It was discovered that the RSI 91x Wi-Fi driver in the Linux kernel did not did not handle detach operations correctly, leading to a use-after-free vulnerability. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-21008) Wen Huang discovered that the Marvell Wi-Fi device driver in the Linux kernel did not properly perform bounds checking, leading to a heap overflow. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14814, CVE-2019-14816) Matt Delco discovered that the KVM hypervisor implementation in the Linux kernel did not properly perform bounds checking when handling coalesced MMIO write operations. A local attacker with write access to /dev/kvm could use this to cause a denial of service (system crash). (CVE-2019-14821) Hui Peng and Mathias Payer discovered that the USB audio driver for the Linux kernel did not properly validate device meta data. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15117) Hui Peng and Mathias Payer discovered that the USB audio driver for the Linux kernel improperly performed recursion while handling device meta data. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15118) It was discovered that the Technisat DVB-S/S2 USB device driver in the Linux kernel contained a buffer overread. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information. (CVE-2019-15505) Brad Spengler discovered that a Spectre mitigation was improperly implemented in the ptrace susbsystem of the Linux kernel. A local attacker could possibly use this to expose sensitive information. (CVE-2019-15902). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id130152
    published2019-10-22
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130152
    titleUbuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-4163-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4163-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130152);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/18");
    
      script_cve_id("CVE-2016-10906", "CVE-2017-18232", "CVE-2018-21008", "CVE-2019-14814", "CVE-2019-14816", "CVE-2019-14821", "CVE-2019-15117", "CVE-2019-15118", "CVE-2019-15505", "CVE-2019-15902");
      script_xref(name:"USN", value:"4163-1");
    
      script_name(english:"Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-4163-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that a race condition existed in the ARC EMAC
    ethernet driver for the Linux kernel, resulting in a use-after-free
    vulnerability. An attacker could use this to cause a denial of service
    (system crash). (CVE-2016-10906)
    
    It was discovered that a race condition existed in the Serial Attached
    SCSI (SAS) implementation in the Linux kernel when handling certain
    error conditions. A local attacker could use this to cause a denial of
    service (kernel deadlock). (CVE-2017-18232)
    
    It was discovered that the RSI 91x Wi-Fi driver in the Linux kernel
    did not did not handle detach operations correctly, leading to a
    use-after-free vulnerability. A physically proximate attacker could
    use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2018-21008)
    
    Wen Huang discovered that the Marvell Wi-Fi device driver in the Linux
    kernel did not properly perform bounds checking, leading to a heap
    overflow. A local attacker could use this to cause a denial of service
    (system crash) or possibly execute arbitrary code. (CVE-2019-14814,
    CVE-2019-14816)
    
    Matt Delco discovered that the KVM hypervisor implementation in the
    Linux kernel did not properly perform bounds checking when handling
    coalesced MMIO write operations. A local attacker with write access to
    /dev/kvm could use this to cause a denial of service (system crash).
    (CVE-2019-14821)
    
    Hui Peng and Mathias Payer discovered that the USB audio driver for
    the Linux kernel did not properly validate device meta data. A
    physically proximate attacker could use this to cause a denial of
    service (system crash). (CVE-2019-15117)
    
    Hui Peng and Mathias Payer discovered that the USB audio driver for
    the Linux kernel improperly performed recursion while handling device
    meta data. A physically proximate attacker could use this to cause a
    denial of service (system crash). (CVE-2019-15118)
    
    It was discovered that the Technisat DVB-S/S2 USB device driver in the
    Linux kernel contained a buffer overread. A physically proximate
    attacker could use this to cause a denial of service (system crash) or
    possibly expose sensitive information. (CVE-2019-15505)
    
    Brad Spengler discovered that a Spectre mitigation was improperly
    implemented in the ptrace susbsystem of the Linux kernel. A local
    attacker could possibly use this to expose sensitive information.
    (CVE-2019-15902).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4163-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-10906", "CVE-2017-18232", "CVE-2018-21008", "CVE-2019-14814", "CVE-2019-14816", "CVE-2019-14821", "CVE-2019-15117", "CVE-2019-15118", "CVE-2019-15505", "CVE-2019-15902");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-4163-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1060-kvm", pkgver:"4.4.0-1060.67")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1096-aws", pkgver:"4.4.0-1096.107")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1124-raspi2", pkgver:"4.4.0-1124.133")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1128-snapdragon", pkgver:"4.4.0-1128.136")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-166-generic", pkgver:"4.4.0-166.195")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-166-generic-lpae", pkgver:"4.4.0-166.195")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-166-lowlatency", pkgver:"4.4.0-166.195")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-aws", pkgver:"4.4.0.1096.100")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic", pkgver:"4.4.0.166.174")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-lpae", pkgver:"4.4.0.166.174")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-kvm", pkgver:"4.4.0.1060.60")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-lowlatency", pkgver:"4.4.0.166.174")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-raspi2", pkgver:"4.4.0.1124.124")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-snapdragon", pkgver:"4.4.0.1128.120")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-virtual", pkgver:"4.4.0.166.174")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.4-aws / linux-image-4.4-generic / etc");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-3083.NASL
    descriptionFrom Red Hat Security Advisory 2018:3083 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.
    last seen2020-06-01
    modified2020-06-02
    plugin id118770
    published2018-11-07
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118770
    titleOracle Linux 7 : kernel (ELSA-2018-3083)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2018:3083 and 
    # Oracle Linux Security Advisory ELSA-2018-3083 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118770);
      script_version("1.10");
      script_cvs_date("Date: 2019/09/27 13:00:39");
    
      script_cve_id("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2017-18360", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-18690", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");
      script_xref(name:"RHSA", value:"2018:3083");
    
      script_name(english:"Oracle Linux 7 : kernel (ELSA-2018-3083)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2018:3083 :
    
    An update for kernel is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    Security Fix(es) :
    
    * A flaw named FragmentSmack was found in the way the Linux kernel
    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
    attacker could use this flaw to trigger time and calculation expensive
    fragment reassembly algorithm by sending specially crafted packets
    which could lead to a CPU saturation and hence a denial of service on
    the system. (CVE-2018-5391)
    
    * kernel: out-of-bounds access in the show_timer function in
    kernel/time/ posix-timers.c (CVE-2017-18344)
    
    * kernel: Integer overflow in udl_fb_mmap() can allow attackers to
    execute code in kernel space (CVE-2018-8781)
    
    * kernel: MIDI driver race condition leads to a double-free
    (CVE-2018-10902)
    
    * kernel: Missing check in inode_init_owner() does not clear SGID bit
    on non-directories for non-members (CVE-2018-13405)
    
    * kernel: AIO write triggers integer overflow in some protocols
    (CVE-2015-8830)
    
    * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem
    potentially leads to privilege escalation (CVE-2017-0861)
    
    * kernel: Handling of might_cancel queueing is not properly pretected
    against race (CVE-2017-10661)
    
    * kernel: Salsa20 encryption algorithm does not correctly handle
    zero-length inputs allowing local attackers to cause denial of service
    (CVE-2017-17805)
    
    * kernel: Inifinite loop vulnerability in madvise_willneed() function
    allows local denial of service (CVE-2017-18208)
    
    * kernel: fuse-backed file mmap-ed onto process cmdline arguments
    causes denial of service (CVE-2018-1120)
    
    * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a
    system crash (CVE-2018-1130)
    
    * kernel: drivers/block/loop.c mishandles lo_release serialization
    allowing denial of service (CVE-2018-5344)
    
    * kernel: Missing length check of payload in _sctp_make_chunk()
    function allows denial of service (CVE-2018-5803)
    
    * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/
    wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)
    
    * kernel: out-of-bound write in ext4_init_block_bitmap function with a
    crafted ext4 image (CVE-2018-10878)
    
    * kernel: Improper validation in bnx2x network card driver can allow
    for denial of service attacks via crafted packet (CVE-2018-1000026)
    
    * kernel: Information leak when handling NM entries containing NUL
    (CVE-2016-4913)
    
    * kernel: Mishandling mutex within libsas allowing local Denial of
    Service (CVE-2017-18232)
    
    * kernel: NULL pointer dereference in ext4_process_freed_data() when
    mounting crafted ext4 image (CVE-2018-1092)
    
    * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes
    crash with crafted ext4 image (CVE-2018-1094)
    
    * kernel: vhost: Information disclosure in
    vhost/vhost.c:vhost_new_msg() (CVE-2018-1118)
    
    * kernel: Denial of service in resv_map_release function in
    mm/hugetlb.c (CVE-2018-7740)
    
    * kernel: Memory leak in the sas_smp_get_phy_events function in
    drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757)
    
    * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared()
    when mounting crafted xfs image allowing denial of service
    (CVE-2018-10322)
    
    * kernel: use-after-free detected in ext4_xattr_set_entry with a
    crafted file (CVE-2018-10879)
    
    * kernel: out-of-bound access in ext4_get_group_info() when mounting
    and operating a crafted ext4 image (CVE-2018-10881)
    
    * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata
    function (CVE-2018-10883)
    
    * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c
    (CVE-2018-10940)
    
    Red Hat would like to thank Juha-Matti Tilli (Aalto University -
    Department of Communications and Networking and Nokia Bell Labs) for
    reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting
    CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120;
    Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and
    Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2018-November/008203.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2017-18360", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-18690", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2018-3083");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "3.10";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"bpftool-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-abi-whitelists-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-abi-whitelists-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-debug-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-debug-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-doc-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-doc-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-headers-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-957.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"perf-3.10.0-957.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"python-perf-3.10.0-957.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-1_0-0161.NASL
    descriptionAn update of 'linux', 'linux-esx' packages of Photon OS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111943
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111943
    titlePhoton OS 1.0: Linux PHSA-2018-1.0-0161 (deprecated)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # @DEPRECATED@
    #
    # Disabled on 2/7/2019
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2018-1.0-0161. The text
    # itself is copyright (C) VMware, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111943);
      script_version("1.2");
      script_cvs_date("Date: 2019/02/07 18:59:50");
    
      script_cve_id("CVE-2017-18232", "CVE-2018-10323");
    
      script_name(english:"Photon OS 1.0: Linux PHSA-2018-1.0-0161 (deprecated)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "This plugin has been deprecated.");
      script_set_attribute(attribute:"description", value:
    "An update of 'linux', 'linux-esx' packages of Photon OS has been
    released.");
      # https://github.com/vmware/photon/wiki/Security-Updates-1.0-161
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f3300528");
      script_set_attribute(attribute:"solution", value:"n/a.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-10323");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    exit(0, "This plugin has been deprecated.");
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    pkgs = [
      "linux-4.4.139-2.ph1",
      "linux-debuginfo-4.4.139-2.ph1",
      "linux-dev-4.4.139-2.ph1",
      "linux-docs-4.4.139-2.ph1",
      "linux-drivers-gpu-4.4.139-2.ph1",
      "linux-esx-4.4.139-2.ph1",
      "linux-esx-debuginfo-4.4.139-2.ph1",
      "linux-esx-devel-4.4.139-2.ph1",
      "linux-esx-docs-4.4.139-2.ph1",
      "linux-oprofile-4.4.139-2.ph1",
      "linux-sound-4.4.139-2.ph1",
      "linux-tools-4.4.139-2.ph1"
    ];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"PhotonOS-1.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3096.NASL
    descriptionAn update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.
    last seen2020-06-01
    modified2020-06-02
    plugin id118528
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118528
    titleRHEL 7 : kernel-rt (RHSA-2018:3096)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:3096. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118528);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/24 15:35:45");
    
      script_cve_id("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2017-18360", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-18690", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");
      script_xref(name:"RHSA", value:"2018:3096");
    
      script_name(english:"RHEL 7 : kernel-rt (RHSA-2018:3096)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel-rt is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel-rt packages provide the Real Time Linux Kernel, which
    enables fine-tuning for systems with extremely high determinism
    requirements.
    
    Security Fix(es) :
    
    * A flaw named FragmentSmack was found in the way the Linux kernel
    handled reassembly of fragmented IPv4 and IPv6 packets. A remote
    attacker could use this flaw to trigger time and calculation expensive
    fragment reassembly algorithm by sending specially crafted packets
    which could lead to a CPU saturation and hence a denial of service on
    the system. (CVE-2018-5391)
    
    * kernel: out-of-bounds access in the show_timer function in
    kernel/time/ posix-timers.c (CVE-2017-18344)
    
    * kernel: Integer overflow in udl_fb_mmap() can allow attackers to
    execute code in kernel space (CVE-2018-8781)
    
    * kernel: MIDI driver race condition leads to a double-free
    (CVE-2018-10902)
    
    * kernel: Missing check in inode_init_owner() does not clear SGID bit
    on non-directories for non-members (CVE-2018-13405)
    
    * kernel: AIO write triggers integer overflow in some protocols
    (CVE-2015-8830)
    
    * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem
    potentially leads to privilege escalation (CVE-2017-0861)
    
    * kernel: Handling of might_cancel queueing is not properly pretected
    against race (CVE-2017-10661)
    
    * kernel: Salsa20 encryption algorithm does not correctly handle
    zero-length inputs allowing local attackers to cause denial of service
    (CVE-2017-17805)
    
    * kernel: Inifinite loop vulnerability in madvise_willneed() function
    allows local denial of service (CVE-2017-18208)
    
    * kernel: fuse-backed file mmap-ed onto process cmdline arguments
    causes denial of service (CVE-2018-1120)
    
    * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a
    system crash (CVE-2018-1130)
    
    * kernel: drivers/block/loop.c mishandles lo_release serialization
    allowing denial of service (CVE-2018-5344)
    
    * kernel: Missing length check of payload in _sctp_make_chunk()
    function allows denial of service (CVE-2018-5803)
    
    * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/
    wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848)
    
    * kernel: out-of-bound write in ext4_init_block_bitmap function with a
    crafted ext4 image (CVE-2018-10878)
    
    * kernel: Improper validation in bnx2x network card driver can allow
    for denial of service attacks via crafted packet (CVE-2018-1000026)
    
    * kernel: Information leak when handling NM entries containing NUL
    (CVE-2016-4913)
    
    * kernel: Mishandling mutex within libsas allowing local Denial of
    Service (CVE-2017-18232)
    
    * kernel: NULL pointer dereference in ext4_process_freed_data() when
    mounting crafted ext4 image (CVE-2018-1092)
    
    * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes
    crash with crafted ext4 image (CVE-2018-1094)
    
    * kernel: vhost: Information disclosure in vhost.c:vhost_new_msg()
    (CVE-2018-1118)
    
    * kernel: Denial of service in resv_map_release function in
    mm/hugetlb.c (CVE-2018-7740)
    
    * kernel: Memory leak in the sas_smp_get_phy_events function in
    drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757)
    
    * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared()
    when mounting crafted xfs image allowing denial of service
    (CVE-2018-10322)
    
    * kernel: use-after-free detected in ext4_xattr_set_entry with a
    crafted file (CVE-2018-10879)
    
    * kernel: out-of-bound access in ext4_get_group_info() when mounting
    and operating a crafted ext4 image (CVE-2018-10881)
    
    * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata
    function (CVE-2018-10883)
    
    * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c
    (CVE-2018-10940)
    
    Red Hat would like to thank Juha-Matti Tilli (Aalto University -
    Department of Communications and Networking and Nokia Bell Labs) for
    reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting
    CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120;
    Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and
    Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/3553061"
      );
      # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3395ff0b"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:3096"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-8830"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-4913"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-0861"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-10661"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-17805"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18208"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18232"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18344"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-18360"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1092"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1094"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1120"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1130"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5344"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5391"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5803"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-5848"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7740"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7757"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-8781"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10322"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10878"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10879"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10881"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10902"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10940"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-13405"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-18690"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-1000026"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2015-8830", "CVE-2016-4913", "CVE-2017-0861", "CVE-2017-10661", "CVE-2017-17805", "CVE-2017-18208", "CVE-2017-18232", "CVE-2017-18344", "CVE-2017-18360", "CVE-2018-1000026", "CVE-2018-10322", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10881", "CVE-2018-10883", "CVE-2018-10902", "CVE-2018-1092", "CVE-2018-1094", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-13405", "CVE-2018-18690", "CVE-2018-5344", "CVE-2018-5391", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7740", "CVE-2018-7757", "CVE-2018-8781");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2018:3096");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:3096";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-debuginfo-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-devel-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-kvm-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-kvm-debuginfo-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debuginfo-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debuginfo-common-x86_64-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-devel-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-rt-doc-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-kvm-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-kvm-debuginfo-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-debuginfo-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-devel-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-kvm-3.10.0-957.rt56.910.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-kvm-debuginfo-3.10.0-957.rt56.910.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4187.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2015-9016 Ming Lei reported a race condition in the multiqueue block layer (blk-mq). On a system with a driver using blk-mq (mtip32xx, null_blk, or virtio_blk), a local user might be able to use this for denial of service or possibly for privilege escalation. - CVE-2017-0861 Robb Glasser reported a potential use-after-free in the ALSA (sound) PCM core. We believe this was not possible in practice. - CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using the
    last seen2020-06-01
    modified2020-06-02
    plugin id109517
    published2018-05-02
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109517
    titleDebian DSA-4187-1 : linux - security update (Spectre)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-BA39FC0E07.NASL
    descriptionIncremental update to fix kernel-devel issues. ---- The 4.15.12 update contains a variety of fixes across the tree. ---- The 4.15.11 update contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-03-28
    plugin id108673
    published2018-03-28
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108673
    titleFedora 26 : kernel (2018-ba39fc0e07)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-993.NASL
    descriptionMissing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service : An error in the
    last seen2020-06-01
    modified2020-06-02
    plugin id109183
    published2018-04-20
    reporterThis script is Copyright (C) 2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/109183
    titleAmazon Linux AMI : kernel (ALAS-2018-993)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-2_0-0072_LINUX.NASL
    descriptionAn update of the linux package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121966
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121966
    titlePhoton OS 2.0: Linux PHSA-2018-2.0-0072
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-3083.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.
    last seen2020-06-01
    modified2020-06-02
    plugin id118990
    published2018-11-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118990
    titleCentOS 7 : kernel (CESA-2018:3083)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2353.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):The yam_ioctl function in drivers et/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call.(CVE-2014-1446)The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.(CVE-2015-1350)A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.(CVE-2015-3332)The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device.(CVE-2015-8816)In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows larger values such as 23.(CVE-2015-9289)The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2184)The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2185)The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2186)The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2187)Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor.(CVE-2016-2384)The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint.(CVE-2016-2782)The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor.(CVE-2016-3138)The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-3139)The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-3140)The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface.(CVE-2016-3689)The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface.(CVE-2016-4569)sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.(CVE-2016-4578)The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.(CVE-2016-4580)The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code.(CVE-2016-7425)The Linux Kernel running on AMD64 systems will sometimes map the contents of PIE executable, the heap or ld.so to where the stack is mapped allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected.(CVE-2017-1000379)In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a buffer overread is observed in nl80211_set_station when user space application sends attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE with data of size less than 4 bytes(CVE-2017-11089)An elevation of privilege vulnerability in the kernel sound timer. Product: Android. Versions: Android kernel. Android ID A-37240993.(CVE-2017-13167)In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-66954097.(CVE-2017-13216)A information disclosure vulnerability in the Upstream kernel encrypted-keys. Product: Android. Versions: Android kernel. Android ID: A-70526974.(CVE-2017-13305)An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access.(CVE-2017-14051)The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.(CVE-2017-18232)An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of the ip6_mroute_* functions. NOTE: this affects Linux distributions that use 4.9.x longterm kernels before 4.9.187.(CVE-2017-18509)An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.(CVE-2017-18551)An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.(CVE-2017-18595)The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.(CVE-2017-7261)The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.(CVE-2017-7472)The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value.(CVE-2018-10087)The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.(CVE-2018-10124)The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.(CVE-2018-10322)The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.(CVE-2018-10323)The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.(CVE-2018-10675)Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service.(CVE-2018-10880)An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls.(CVE-2018-12896)An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.(CVE-2018-17972)An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658.(CVE-2018-18710 )An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers et/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.(CVE-2018-20511)An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.(CVE-2018-20856)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.(CVE-2018-3693)In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.(CVE-2018-6412)In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.(CVE-2018-9518 )Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.(CVE-2019-0136)A vulnerability was found in Linux kernel
    last seen2020-05-08
    modified2019-12-10
    plugin id131845
    published2019-12-10
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131845
    titleEulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-2353)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-2_0-0072.NASL
    descriptionAn update of 'linux-aws', 'linux', 'linux-esx', 'linux-secure' packages of Photon OS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111956
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111956
    titlePhoton OS 2.0: Linux PHSA-2018-2.0-0072 (deprecated)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-E378863E47.NASL
    descriptionIncremental update to fix kernel-devel issues. ---- The 4.15.12 update contains numerous fixes across the tree. ---- The 4.15.11 update contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-03-28
    plugin id108677
    published2018-03-28
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108677
    titleFedora 27 : kernel (2018-e378863e47)

Redhat

advisories
  • rhsa
    idRHSA-2018:3083
  • rhsa
    idRHSA-2018:3096
rpms
  • bpftool-0:3.10.0-957.el7
  • kernel-0:3.10.0-957.el7
  • kernel-abi-whitelists-0:3.10.0-957.el7
  • kernel-bootwrapper-0:3.10.0-957.el7
  • kernel-debug-0:3.10.0-957.el7
  • kernel-debug-debuginfo-0:3.10.0-957.el7
  • kernel-debug-devel-0:3.10.0-957.el7
  • kernel-debuginfo-0:3.10.0-957.el7
  • kernel-debuginfo-common-ppc64-0:3.10.0-957.el7
  • kernel-debuginfo-common-ppc64le-0:3.10.0-957.el7
  • kernel-debuginfo-common-s390x-0:3.10.0-957.el7
  • kernel-debuginfo-common-x86_64-0:3.10.0-957.el7
  • kernel-devel-0:3.10.0-957.el7
  • kernel-doc-0:3.10.0-957.el7
  • kernel-headers-0:3.10.0-957.el7
  • kernel-kdump-0:3.10.0-957.el7
  • kernel-kdump-debuginfo-0:3.10.0-957.el7
  • kernel-kdump-devel-0:3.10.0-957.el7
  • kernel-tools-0:3.10.0-957.el7
  • kernel-tools-debuginfo-0:3.10.0-957.el7
  • kernel-tools-libs-0:3.10.0-957.el7
  • kernel-tools-libs-devel-0:3.10.0-957.el7
  • perf-0:3.10.0-957.el7
  • perf-debuginfo-0:3.10.0-957.el7
  • python-perf-0:3.10.0-957.el7
  • python-perf-debuginfo-0:3.10.0-957.el7
  • kernel-rt-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-devel-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-kvm-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-kvm-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debuginfo-common-x86_64-0:3.10.0-957.rt56.910.el7
  • kernel-rt-devel-0:3.10.0-957.rt56.910.el7
  • kernel-rt-doc-0:3.10.0-957.rt56.910.el7
  • kernel-rt-kvm-0:3.10.0-957.rt56.910.el7
  • kernel-rt-kvm-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-devel-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-kvm-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-kvm-debuginfo-0:3.10.0-957.rt56.910.el7