Vulnerabilities > CVE-2017-7518 - Improper Handling of Exceptional Conditions vulnerability in multiple products

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3981. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(103365);
  script_version("3.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-1000251", "CVE-2017-1000252", "CVE-2017-1000370", "CVE-2017-1000371", "CVE-2017-1000380", "CVE-2017-10661", "CVE-2017-11600", "CVE-2017-12134", "CVE-2017-12146", "CVE-2017-12153", "CVE-2017-12154", "CVE-2017-14106", "CVE-2017-14140", "CVE-2017-14156", "CVE-2017-14340", "CVE-2017-14489", "CVE-2017-14497", "CVE-2017-7518", "CVE-2017-7558");
  script_xref(name:"DSA", value:"3981");

  script_name(english:"Debian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash)");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several vulnerabilities have been discovered in the Linux kernel that
may lead to privilege escalation, denial of service or information
leaks.

  - CVE-2017-7518
    Andy Lutomirski discovered that KVM is prone to an
    incorrect debug exception (#DB) error occurring while
    emulating a syscall instruction. A process inside a
    guest can take advantage of this flaw for privilege
    escalation inside a guest.

  - CVE-2017-7558 (stretch only)
    Stefano Brivio of Red Hat discovered that the SCTP
    subsystem is prone to a data leak vulnerability due to
    an out-of-bounds read flaw, allowing to leak up to 100
    uninitialized bytes to userspace.

  - CVE-2017-10661 (jessie only)
    Dmitry Vyukov of Google reported that the timerfd
    facility does not properly handle certain concurrent
    operations on a single file descriptor. This allows a
    local attacker to cause a denial of service or
    potentially execute arbitrary code.

  - CVE-2017-11600
    Bo Zhang reported that the xfrm subsystem does not
    properly validate one of the parameters to a netlink
    message. Local users with the CAP_NET_ADMIN capability
    can use this to cause a denial of service or potentially
    to execute arbitrary code.

  - CVE-2017-12134 / #866511 / XSA-229
    Jan H. Schoenherr of Amazon discovered that when Linux
    is running in a Xen PV domain on an x86 system, it may
    incorrectly merge block I/O requests. A buggy or
    malicious guest may trigger this bug in dom0 or a PV
    driver domain, causing a denial of service or
    potentially execution of arbitrary code.

  This issue can be mitigated by disabling merges on the underlying
  back-end block devices, e.g.:echo 2 >
  /sys/block/nvme0n1/queue/nomerges

  - CVE-2017-12146 (stretch only)
    Adrian Salido of Google reported a race condition in
    access to the'driver_override' attribute for platform
    devices in sysfs. If unprivileged users are permitted to
    access this attribute, this might allow them to gain
    privileges.

  - CVE-2017-12153
    Bo Zhang reported that the cfg80211 (wifi) subsystem
    does not properly validate the parameters to a netlink
    message. Local users with the CAP_NET_ADMIN capability
    (in any user namespace with a wifi device) can use this
    to cause a denial of service.

  - CVE-2017-12154
    Jim Mattson of Google reported that the KVM
    implementation for Intel x86 processors did not
    correctly handle certain nested hypervisor
    configurations. A malicious guest (or nested guest in a
    suitable L1 hypervisor) could use this for denial of
    service.

  - CVE-2017-14106
    Andrey Konovalov discovered that a user-triggerable
    division by zero in the tcp_disconnect() function could
    result in local denial of service.

  - CVE-2017-14140
    Otto Ebeling reported that the move_pages() system call
    performed insufficient validation of the UIDs of the
    calling and target processes, resulting in a partial
    ASLR bypass. This made it easier for local users to
    exploit vulnerabilities in programs installed with the
    set-UID permission bit set.

  - CVE-2017-14156
    'sohu0106' reported an information leak in the atyfb
    video driver. A local user with access to a framebuffer
    device handled by this driver could use this to obtain
    sensitive information.

  - CVE-2017-14340
    Richard Wareing discovered that the XFS implementation
    allows the creation of files with the 'realtime' flag on
    a filesystem with no realtime device, which can result
    in a crash (oops). A local user with access to an XFS
    filesystem that does not have a realtime device can use
    this for denial of service.

  - CVE-2017-14489
    ChunYu Wang of Red Hat discovered that the iSCSI
    subsystem does not properly validate the length of a
    netlink message, leading to memory corruption. A local
    user with permission to manage iSCSI devices can use
    this for denial of service or possibly to execute
    arbitrary code.

  - CVE-2017-14497 (stretch only)
    Benjamin Poirier of SUSE reported that vnet headers are
    not properly handled within the tpacket_rcv() function
    in the raw packet (af_packet) feature. A local user with
    the CAP_NET_RAW capability can take advantage of this
    flaw to cause a denial of service (buffer overflow, and
    disk and memory corruption) or have other impact.

  - CVE-2017-1000111
    Andrey Konovalov of Google reported a race condition in
    the raw packet (af_packet) feature. Local users with the
    CAP_NET_RAW capability can use this for denial of
    service or possibly to execute arbitrary code.

  - CVE-2017-1000112
    Andrey Konovalov of Google reported a race condition
    flaw in the UDP Fragmentation Offload (UFO) code. A
    local user can use this flaw for denial of service or
    possibly to execute arbitrary code.

  - CVE-2017-1000251 / #875881
    Armis Labs discovered that the Bluetooth subsystem does
    not properly validate L2CAP configuration responses,
    leading to a stack-based buffer overflow. This is one of
    several vulnerabilities dubbed 'Blueborne'. A nearby
    attacker can use this to cause a denial of service or
    possibly to execute arbitrary code on a system with
    Bluetooth enabled.

  - CVE-2017-1000252 (stretch only)
    Jan H. Schoenherr of Amazon reported that the KVM
    implementation for Intel x86 processors did not
    correctly validate interrupt injection requests. A local
    user with permission to use KVM could use this for
    denial of service.

  - CVE-2017-1000370
    The Qualys Research Labs reported that a large argument
    or environment list can result in ASLR bypass for 32-bit
    PIE binaries.

  - CVE-2017-1000371
    The Qualys Research Labs reported that a large argument
    or environment list can result in a stack/heap clash for
    32-bit PIE binaries.

  - CVE-2017-1000380
    Alexander Potapenko of Google reported a race condition
    in the ALSA (sound) timer driver, leading to an
    information leak. A local user with permission to access
    sound devices could use this to obtain sensitive
    information.

Debian disables unprivileged user namespaces by default, but if they
are enabled (via the kernel.unprivileged_userns_clone sysctl) then
CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited
by any local user."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866511"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875881"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-7518"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-7558"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-10661"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-11600"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-12134"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-12146"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-12153"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-12154"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-14106"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-14140"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-14156"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-14340"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-14489"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-14497"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-1000111"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-1000112"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-1000251"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-1000252"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-1000370"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-1000371"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-1000380"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-11600"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-14497"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2017-1000111"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/linux"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/stretch/linux"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2017/dsa-3981"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the linux packages.

For the oldstable distribution (jessie), these problems have been
fixed in version 3.16.43-2+deb8u5.

For the stable distribution (stretch), these problems have been fixed
in version 4.9.30-2+deb9u5."
  );
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/21");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.43-2+deb8u5")) flag++;
if (deb_check(release:"9.0", prefix:"hyperv-daemons", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"libcpupower-dev", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"libcpupower1", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"libusbip-dev", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-arm", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-s390", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-x86", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-cpupower", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-doc-4.9", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-4kc-malta", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-5kc-malta", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-686", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-686-pae", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-amd64", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-arm64", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-armel", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-armhf", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-i386", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mips", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mips64el", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mipsel", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-ppc64el", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-s390x", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-amd64", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-arm64", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-armmp", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-armmp-lpae", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-common", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-common-rt", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-loongson-3", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-marvell", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-octeon", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-powerpc64le", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-rt-686-pae", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-rt-amd64", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-s390x", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-4kc-malta", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-4kc-malta-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-5kc-malta", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-5kc-malta-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-pae", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-pae-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-amd64", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-amd64-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-arm64", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-arm64-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-lpae", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-lpae-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-loongson-3", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-loongson-3-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-marvell", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-marvell-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-octeon", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-octeon-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-powerpc64le", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-powerpc64le-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-686-pae", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-686-pae-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-amd64", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-amd64-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-s390x", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-s390x-dbg", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-kbuild-4.9", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-libc-dev", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-manual-4.9", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-perf-4.9", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-source-4.9", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"linux-support-4.9.0-9", reference:"4.9.30-2+deb9u5")) flag++;
if (deb_check(release:"9.0", prefix:"usbip", reference:"4.9.30-2+deb9u5")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2018:0395 and 
# Oracle Linux Security Advisory ELSA-2018-0395 respectively.
#

include("compat.inc");

if (description)
{
  script_id(107203);
  script_version("1.5");
  script_cvs_date("Date: 2019/09/27 13:00:38");

  script_cve_id("CVE-2017-12188", "CVE-2017-7518");
  script_xref(name:"RHSA", value:"2018:0395");

  script_name(english:"Oracle Linux 7 : kernel (ELSA-2018-0395)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"From Red Hat Security Advisory 2018:0395 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

These updated kernel packages include several security issues and
numerous bug fixes, some of which you can see below. Space precludes
documenting all of these bug fixes in this advisory. To see the
complete list of bug fixes, users are directed to the related
Knowledge Article: https://access.redhat.com/articles/3368501.

Security Fix(es) :

* Kernel: KVM: MMU potential stack buffer overrun during page walks
(CVE-2017-12188, Important)

* Kernel: KVM: debug exception via syscall emulation (CVE-2017-7518,
Moderate)

For more details about the security issue(s), including the impact, a
CVSS score, acknowledgments, and other related information, refer to
the CVE page(s) listed in the References section."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2018-March/007562.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-abi-whitelists");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/08");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
include("ksplice.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2017-12188", "CVE-2017-7518");  
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2018-0395");
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

kernel_major_minor = get_kb_item("Host/uname/major_minor");
if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
expected_kernel_major_minor = "3.10";
if (kernel_major_minor != expected_kernel_major_minor)
  audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);

flag = 0;
if (rpm_exists(release:"EL7", rpm:"kernel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-3.10.0-693.21.1.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-abi-whitelists-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-abi-whitelists-3.10.0-693.21.1.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-debug-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-693.21.1.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-debug-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-693.21.1.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-693.21.1.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-doc-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-doc-3.10.0-693.21.1.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-headers-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-693.21.1.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-tools-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-693.21.1.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-693.21.1.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"perf-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"python-perf-3.10.0-693.21.1.el7")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3754-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(112113);
  script_version("1.6");
  script_cvs_date("Date: 2019/09/18 12:31:48");

  script_cve_id("CVE-2016-10208", "CVE-2017-11472", "CVE-2017-11473", "CVE-2017-14991", "CVE-2017-15649", "CVE-2017-16526", "CVE-2017-16527", "CVE-2017-16529", "CVE-2017-16531", "CVE-2017-16532", "CVE-2017-16533", "CVE-2017-16535", "CVE-2017-16536", "CVE-2017-16537", "CVE-2017-16538", "CVE-2017-16643", "CVE-2017-16644", "CVE-2017-16645", "CVE-2017-16650", "CVE-2017-16911", "CVE-2017-16912", "CVE-2017-16913", "CVE-2017-16914", "CVE-2017-17558", "CVE-2017-18255", "CVE-2017-18270", "CVE-2017-2583", "CVE-2017-2584", "CVE-2017-2671", "CVE-2017-5549", "CVE-2017-5897", "CVE-2017-6345", "CVE-2017-6348", "CVE-2017-7518", "CVE-2017-7645", "CVE-2017-8831", "CVE-2017-9984", "CVE-2017-9985", "CVE-2018-1000204", "CVE-2018-10021", "CVE-2018-10087", "CVE-2018-10124", "CVE-2018-10323", "CVE-2018-10675", "CVE-2018-10877", "CVE-2018-10881", "CVE-2018-1092", "CVE-2018-1093", "CVE-2018-10940", "CVE-2018-12233", "CVE-2018-13094", "CVE-2018-13405", "CVE-2018-13406");
  script_xref(name:"USN", value:"3754-1");

  script_name(english:"Ubuntu 14.04 LTS : linux vulnerabilities (USN-3754-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Ralf Spenneberg discovered that the ext4 implementation in the Linux
kernel did not properly validate meta block groups. An attacker with
physical access could use this to specially craft an ext4 image that
causes a denial of service (system crash). (CVE-2016-10208)

It was discovered that an information disclosure vulnerability existed
in the ACPI implementation of the Linux kernel. A local attacker could
use this to expose sensitive information (kernel memory addresses).
(CVE-2017-11472)

It was discovered that a buffer overflow existed in the ACPI table
parsing implementation in the Linux kernel. A local attacker could use
this to construct a malicious ACPI table that, when loaded, caused a
denial of service (system crash) or possibly execute arbitrary code.
(CVE-2017-11473)

It was discovered that the generic SCSI driver in the Linux kernel did
not properly initialize data returned to user space in some
situations. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2017-14991)

It was discovered that a race condition existed in the packet fanout
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-15649)

Andrey Konovalov discovered that the Ultra Wide Band driver in the
Linux kernel did not properly check for an error condition. A
physically proximate attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code.
(CVE-2017-16526)

Andrey Konovalov discovered that the ALSA subsystem in the Linux
kernel contained a use-after-free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-16527)

Andrey Konovalov discovered that the ALSA subsystem in the Linux
kernel did not properly validate USB audio buffer descriptors. A
physically proximate attacker could use this cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2017-16529)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel
did not properly validate USB interface association descriptors. A
physically proximate attacker could use this to cause a denial of
service (system crash). (CVE-2017-16531)

Andrey Konovalov discovered that the usbtest device driver in the
Linux kernel did not properly validate endpoint metadata. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2017-16532)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel
did not properly validate USB HID descriptors. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE-2017-16533)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel
did not properly validate USB BOS metadata. A physically proximate
attacker could use this to cause a denial of service (system crash).
(CVE-2017-16535)

Andrey Konovalov discovered that the Conexant cx231xx USB video
capture driver in the Linux kernel did not properly validate interface
descriptors. A physically proximate attacker could use this to cause a
denial of service (system crash). (CVE-2017-16536)

Andrey Konovalov discovered that the SoundGraph iMON USB driver in the
Linux kernel did not properly validate device metadata. A physically
proximate attacker could use this to cause a denial of service (system
crash). (CVE-2017-16537)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel
did not properly handle device attachment and warm-start. A physically
proximate attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2017-16538)

Andrey Konovalov discovered an out-of-bounds read in the GTCO
digitizer USB driver for the Linux kernel. A physically proximate
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-16643)

Andrey Konovalov discovered that the video4linux driver for Hauppauge
HD PVR USB devices in the Linux kernel did not properly handle some
error conditions. A physically proximate attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-16644)

Andrey Konovalov discovered that the IMS Passenger Control Unit USB
driver in the Linux kernel did not properly validate device
descriptors. A physically proximate attacker could use this to cause a
denial of service (system crash). (CVE-2017-16645)

Andrey Konovalov discovered that the QMI WWAN USB driver did not
properly validate device descriptors. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2017-16650)

It was discovered that the USB Virtual Host Controller Interface
(VHCI) driver in the Linux kernel contained an information disclosure
vulnerability. A physically proximate attacker could use this to
expose sensitive information (kernel memory). (CVE-2017-16911)

It was discovered that the USB over IP implementation in the Linux
kernel did not validate endpoint numbers. A remote attacker could use
this to cause a denial of service (system crash). (CVE-2017-16912)

It was discovered that the USB over IP implementation in the Linux
kernel did not properly validate CMD_SUBMIT packets. A remote attacker
could use this to cause a denial of service (excessive memory
consumption). (CVE-2017-16913)

It was discovered that the USB over IP implementation in the Linux
kernel contained a NULL pointer dereference error. A remote attacker
could use this to cause a denial of service (system crash).
(CVE-2017-16914)

It was discovered that the core USB subsystem in the Linux kernel did
not validate the number of configurations and interfaces in a device.
A physically proximate attacker could use this to cause a denial of
service (system crash). (CVE-2017-17558)

It was discovered that an integer overflow existed in the perf
subsystem of the Linux kernel. A local attacker could use this to
cause a denial of service (system crash). (CVE-2017-18255)

It was discovered that the keyring subsystem in the Linux kernel did
not properly prevent a user from creating keyrings for other users. A
local attacker could use this cause a denial of service or expose
sensitive information. (CVE-2017-18270)

Andy Lutomirski and Willy Tarreau discovered that the KVM
implementation in the Linux kernel did not properly emulate
instructions on the SS segment register. A local attacker in a guest
virtual machine could use this to cause a denial of service (guest OS
crash) or possibly gain administrative privileges in the guest OS.
(CVE-2017-2583)

Dmitry Vyukov discovered that the KVM implementation in the Linux
kernel improperly emulated certain instructions. A local attacker
could use this to obtain sensitive information (kernel memory).
(CVE-2017-2584)

It was discovered that the KLSI KL5KUSB105 serial-to-USB device driver
in the Linux kernel did not properly initialize memory related to
logging. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2017-5549)

Andrey Konovalov discovered an out-of-bounds access in the IPv6
Generic Routing Encapsulation (GRE) tunneling implementation in the
Linux kernel. An attacker could use this to possibly expose sensitive
information. (CVE-2017-5897)

Andrey Konovalov discovered that the LLC subsytem in the Linux kernel
did not properly set up a destructor in certain situations. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2017-6345)

Dmitry Vyukov discovered race conditions in the Infrared (IrDA)
subsystem in the Linux kernel. A local attacker could use this to
cause a denial of service (deadlock). (CVE-2017-6348)

Andy Lutomirski discovered that the KVM implementation in the Linux
kernel was vulnerable to a debug exception error when single-stepping
through a syscall. A local attacker in a non-Linux guest vm could
possibly use this to gain administrative privileges in the guest vm.
(CVE-2017-7518)

Tuomas Haanpaa and Ari Kauppi discovered that the NFSv2 and NFSv3
server implementations in the Linux kernel did not properly handle
certain long RPC replies. A remote attacker could use this to cause a
denial of service (system crash). (CVE-2017-7645)

Pengfei Wang discovered that a race condition existed in the NXP
SAA7164 TV Decoder driver for the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-8831)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device
driver in the Linux kernel contained race conditions when fetching
from the ring-buffer. A local attacker could use this to cause a
denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)

It was discovered that the wait4() system call in the Linux kernel did
not properly validate its arguments in some situations. A local
attacker could possibly use this to cause a denial of service.
(CVE-2018-10087)

It was discovered that the kill() system call implementation in the
Linux kernel did not properly validate its arguments in some
situations. A local attacker could possibly use this to cause a denial
of service. (CVE-2018-10124)

Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly validate meta-data information. An attacker
could use this to construct a malicious xfs image that, when mounted,
could cause a denial of service (system crash). (CVE-2018-10323)

Zhong Jiang discovered that a use-after-free vulnerability existed in
the NUMA memory policy implementation in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2018-10675)

Wen Xu discovered that a buffer overflow existed in the ext4
filesystem implementation in the Linux kernel. An attacker could use
this to construct a malicious ext4 image that, when mounted, could
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2018-10877)

Wen Xu discovered that the ext4 filesystem implementation in the Linux
kernel did not properly keep meta-data information consistent in some
situations. An attacker could use this to construct a malicious ext4
image that, when mounted, could cause a denial of service (system
crash). (CVE-2018-10881)

Wen Xu discovered that the ext4 filesystem implementation in the Linux
kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 file system that
caused a denial of service (system crash) when mounted.
(CVE-2018-1092)

Wen Xu discovered that the ext4 filesystem implementation in the Linux
kernel did not properly handle corrupted meta data in some situations.
An attacker could use this to specially craft an ext4 filesystem that
caused a denial of service (system crash) when mounted.
(CVE-2018-1093)

It was discovered that the cdrom driver in the Linux kernel contained
an incorrect bounds check. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2018-10940)

Shankara Pailoor discovered that the JFS filesystem implementation in
the Linux kernel contained a buffer overflow when handling extended
attributes. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code.
(CVE-2018-12233)

Wen Xu discovered that the XFS filesystem implementation in the Linux
kernel did not properly handle an error condition with a corrupted xfs
image. An attacker could use this to construct a malicious xfs image
that, when mounted, could cause a denial of service (system crash).
(CVE-2018-13094)

It was discovered that the Linux kernel did not properly handle setgid
file creation when performed by a non-member of the group. A local
attacker could use this to gain elevated privileges. (CVE-2018-13405)

Silvio Cesare discovered that the generic VESA frame buffer driver in
the Linux kernel contained an integer overflow. A local attacker could
use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2018-13406)

Daniel Jiang discovered that a race condition existed in the ipv4 ping
socket implementation in the Linux kernel. A local privileged attacker
could use this to cause a denial of service (system crash).
(CVE-2017-2671)

It was discovered that an information leak existed in the generic SCSI
driver in the Linux kernel. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2018-1000204)

It was discovered that a memory leak existed in the Serial Attached
SCSI (SAS) implementation in the Linux kernel. A physically proximate
attacker could use this to cause a denial of service (memory
exhaustion). (CVE-2018-10021).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/3754-1/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/08/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/24");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2016-10208", "CVE-2017-11472", "CVE-2017-11473", "CVE-2017-14991", "CVE-2017-15649", "CVE-2017-16526", "CVE-2017-16527", "CVE-2017-16529", "CVE-2017-16531", "CVE-2017-16532", "CVE-2017-16533", "CVE-2017-16535", "CVE-2017-16536", "CVE-2017-16537", "CVE-2017-16538", "CVE-2017-16643", "CVE-2017-16644", "CVE-2017-16645", "CVE-2017-16650", "CVE-2017-16911", "CVE-2017-16912", "CVE-2017-16913", "CVE-2017-16914", "CVE-2017-17558", "CVE-2017-18255", "CVE-2017-18270", "CVE-2017-2583", "CVE-2017-2584", "CVE-2017-2671", "CVE-2017-5549", "CVE-2017-5897", "CVE-2017-6345", "CVE-2017-6348", "CVE-2017-7518", "CVE-2017-7645", "CVE-2017-8831", "CVE-2017-9984", "CVE-2017-9985", "CVE-2018-1000204", "CVE-2018-10021", "CVE-2018-10087", "CVE-2018-10124", "CVE-2018-10323", "CVE-2018-10675", "CVE-2018-10877", "CVE-2018-10881", "CVE-2018-1092", "CVE-2018-1093", "CVE-2018-10940", "CVE-2018-12233", "CVE-2018-13094", "CVE-2018-13405", "CVE-2018-13406");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3754-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-157-generic", pkgver:"3.13.0-157.207")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-157-generic-lpae", pkgver:"3.13.0-157.207")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-157-lowlatency", pkgver:"3.13.0-157.207")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic", pkgver:"3.13.0.157.167")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic-lpae", pkgver:"3.13.0.157.167")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-lowlatency", pkgver:"3.13.0.157.167")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc");
}

#
# (C) Tenable Network Security, Inc.
#

# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2019-0014. The text
# itself is copyright (C) ZTE, Inc.

include("compat.inc");

if (description)
{
  script_id(127165);
  script_version("1.2");
  script_cvs_date("Date: 2019/09/24 11:01:33");

  script_cve_id(
    "CVE-2015-8539",
    "CVE-2017-7472",
    "CVE-2017-7518",
    "CVE-2017-12188",
    "CVE-2017-12192",
    "CVE-2017-12193",
    "CVE-2017-15649"
  );

  script_name(english:"NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0014)");

  script_set_attribute(attribute:"synopsis", value:
"The remote machine is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version MAIN 5.04, has kernel packages installed that are affected by multiple
vulnerabilities:

  - A flaw was found in the Linux kernel's key management
    system where it was possible for an attacker to escalate
    privileges or crash the machine. If a user key gets
    negatively instantiated, an error code is cached in the
    payload area. A negatively instantiated key may be then
    be positively instantiated by updating it with valid
    data. However, the ->update key type method must be
    aware that the error code may be there. (CVE-2015-8539)

  - A flaw was found in the way the Linux KVM module
    processed the trap flag(TF) bit in EFLAGS during
    emulation of the syscall instruction, which leads to a
    debug exception(#DB) being raised in the guest stack. A
    user/process inside a guest could use this flaw to
    potentially escalate their privileges inside the guest.
    Linux guests are not affected by this. (CVE-2017-7518)

  - A vulnerability was found in the Key Management sub
    component of the Linux kernel, where when trying to
    issue a KEYTCL_READ on a negative key would lead to a
    NULL pointer dereference. A local attacker could use
    this flaw to crash the kernel. (CVE-2017-12192)

  - The Linux kernel built with the KVM visualization
    support (CONFIG_KVM), with nested visualization(nVMX)
    feature enabled (nested=1), was vulnerable to a stack
    buffer overflow issue. The vulnerability could occur
    while traversing guest page table entries to resolve
    guest virtual address(gva). An L1 guest could use this
    flaw to crash the host kernel resulting in denial of
    service (DoS) or potentially execute arbitrary code on
    the host to gain privileges on the system.
    (CVE-2017-12188)

  - A flaw was found in the Linux kernel's implementation of
    associative arrays introduced in 3.13. This
    functionality was backported to the 3.10 kernels in Red
    Hat Enterprise Linux 7. The flaw involved a null pointer
    dereference in assoc_array_apply_edit() due to incorrect
    node-splitting in assoc_array implementation. This
    affects the keyring key type and thus key addition and
    link creation operations may cause the kernel to panic.
    (CVE-2017-12193)

  - It was found that fanout_add() in
    'net/packet/af_packet.c' in the Linux kernel, before
    version 4.13.6, allows local users to gain privileges
    via crafted system calls that trigger mishandling of
    packet_fanout data structures, because of a race
    condition (involving fanout_add and packet_do_bind) that
    leads to a use-after-free bug. (CVE-2017-15649)

  - A vulnerability was found in the Linux kernel where the
    keyctl_set_reqkey_keyring() function leaks the thread
    keyring. This allows an unprivileged local user to
    exhaust kernel memory and thus cause a DoS.
    (CVE-2017-7472)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0014");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for
more information.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-8539");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/ZTE-CGSL/release");
if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");

if (release !~ "CGSL MAIN 5.04")
  audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 5.04');

if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);

flag = 0;

pkgs = {
  "CGSL MAIN 5.04": [
    "kernel-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-debug-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-devel-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-doc-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-headers-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-tools-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "perf-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "python-perf-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111",
    "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5u4.0.38.g13ce111"
  ]
};
pkg_list = pkgs[release];

foreach (pkg in pkg_list)
  if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124953);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");

  script_cve_id(
    "CVE-2016-3713",
    "CVE-2016-8630",
    "CVE-2017-1000252",
    "CVE-2017-17741",
    "CVE-2017-2583",
    "CVE-2017-2584",
    "CVE-2017-5715",
    "CVE-2017-7518",
    "CVE-2018-10853",
    "CVE-2018-3639",
    "CVE-2019-6974",
    "CVE-2019-7221",
    "CVE-2019-7222"
  );

  script_name(english:"EulerOS Virtualization 3.0.1.0 : kvm (EulerOS-SA-2019-1450)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kvm package installed, the EulerOS
Virtualization installation on the remote host is affected by the
following vulnerabilities :

  - The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in
    the Linux kernel before 4.6.1 supports MSR 0x2f8, which
    allows guest OS users to read or write to the
    kvm_arch_vcpu data structure, and consequently obtain
    sensitive information or cause a denial of service
    (system crash), via a crafted ioctl
    call.(CVE-2016-3713)

  - Linux kernel built with the Kernel-based Virtual
    Machine (CONFIG_KVM) support is vulnerable to a null
    pointer dereference flaw. It could occur on x86
    platform, when emulating an undefined instruction. An
    attacker could use this flaw to crash the host kernel
    resulting in DoS.(CVE-2016-8630)

  - Linux kernel built with the Kernel-based Virtual
    Machine (CONFIG_KVM) support was vulnerable to an
    incorrect segment selector(SS) value error. The error
    could occur while loading values into the SS register
    in long mode. A user or process inside a guest could
    use this flaw to crash the guest, resulting in DoS or
    potentially escalate their privileges inside the
    guest.(CVE-2017-2583)

  - arch/x86/kvm/emulate.c in the Linux kernel through
    4.9.3 allows local users to obtain sensitive
    information from kernel memory or cause a denial of
    service (use-after-free) via a crafted application that
    leverages instruction emulation for fxrstor, fxsave,
    sgdt, and sidt.(CVE-2017-2584)

  - A reachable assertion failure flaw was found in the
    Linux kernel built with KVM virtualisation(CONFIG_KVM)
    support with Virtual Function I/O feature (CONFIG_VFIO)
    enabled. This failure could occur if a malicious guest
    device sent a virtual interrupt (guest IRQ) with a
    larger (i1/4z1024) index value.(CVE-2017-1000252)

  - An industry-wide issue was found in the way many modern
    microprocessor designs have implemented speculative
    execution of instructions (a commonly used performance
    optimization). There are three primary variants of the
    issue which differ in the way the speculative execution
    can be exploited. Variant CVE-2017-5715 triggers the
    speculative execution by utilizing branch target
    injection. It relies on the presence of a
    precisely-defined instruction sequence in the
    privileged code as well as the fact that memory
    accesses may cause allocation into the microprocessor's
    data cache even for speculatively executed instructions
    that never actually commit (retire). As a result, an
    unprivileged attacker could use this flaw to cross the
    syscall and guest/host boundaries and read privileged
    memory by conducting targeted cache side-channel
    attacks.(CVE-2017-5715)

  - A flaw was found in the way the Linux KVM module
    processed the trap flag(TF) bit in EFLAGS during
    emulation of the syscall instruction, which leads to a
    debug exception(#DB) being raised in the guest stack. A
    user/process inside a guest could use this flaw to
    potentially escalate their privileges inside the guest.
    Linux guests are not affected by this.(CVE-2017-7518)

  - Linux kernel compiled with the KVM virtualization
    (CONFIG_KVM) support is vulnerable to an out-of-bounds
    read access issue. It could occur when emulating vmcall
    instructions invoked by a guest. A guest user/process
    could use this flaw to disclose kernel memory
    bytes.(CVE-2017-17741)

  - Systems with microprocessors utilizing speculative
    execution and speculative execution of memory reads
    before the addresses of all prior memory writes are
    known may allow unauthorized disclosure of information
    to an attacker with local user access via a
    side-channel analysis, aka Speculative Store Bypass
    (SSB), Variant 4.(CVE-2018-3639)

  - kernel: kvm: guest userspace to guest kernel
    write(CVE-2018-10853)

  - In the Linux kernel before 4.20.8,
    kvm_ioctl_create_device in virt/kvm/kvm_main.c
    mishandles reference counting because of a race
    condition, leading to a use-after-free.(CVE-2019-6974)

  - The KVM implementation in the Linux kernel through
    4.20.5 has an Information Leak.(CVE-2019-7222)

  - The KVM implementation in the Linux kernel through
    4.20.5 has a Use-after-Free.(CVE-2019-7221)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1450
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3d6cefe5");
  script_set_attribute(attribute:"solution", value:
"Update the affected kvm packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kvm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kvm-4.4.11-30.011"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kvm");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include("compat.inc");

if (description)
{
  script_id(107210);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24");

  script_cve_id("CVE-2017-12188", "CVE-2017-7518");

  script_name(english:"Scientific Linux Security Update : kernel on SL7.x x86_64 (20180306)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Scientific Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Security Fix(es) :

  - Kernel: KVM: MMU potential stack buffer overrun during
    page walks (CVE-2017-12188, Important)

  - Kernel: KVM: debug exception via syscall emulation
    (CVE-2017-7518, Moderate)"
  );
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1803&L=scientific-linux-errata&F=&S=&P=1085
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?84c84036"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/08");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Scientific Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);


flag = 0;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", reference:"kernel-abi-whitelists-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-debuginfo-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debuginfo-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", reference:"kernel-doc-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-debuginfo-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"perf-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"perf-debuginfo-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"python-perf-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"SL7", cpu:"x86_64", reference:"python-perf-debuginfo-3.10.0-693.21.1.el7")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2017-798.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(101348);
  script_version("3.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2017-1000365", "CVE-2017-7518");

  script_name(english:"openSUSE Security Update : the Linux Kernel (openSUSE-2017-798) (Stack Clash)");
  script_summary(english:"Check for the openSUSE-2017-798 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The openSUSE Leap 42.2 kernel was updated to 4.4.74 to receive various
security and bugfixes.

This update fixes some long standing btrfs issues.

The following security bugs were fixed :

  - CVE-2017-7518: A KVM debug exception in the syscall
    handling was fixed which might have been used for local
    privilege escalation. (bnc#1045922).

  - CVE-2017-1000365: The Linux Kernel imposes a size
    restriction on the arguments and environmental strings
    passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the
    size), but did not take the argument and environment
    pointers into account, which allowed attackers to bypass
    this limitation. (bnc#1039354).

The following non-security bugs were fixed :

  - bluetooth: hidp: fix possible might sleep error in
    hidp_session_thread (bsc#1031784).

  - btrfs: disable possible cause of premature ENOSPC
    (bsc#1040182)

  - btrfs: Manually implement device_total_bytes
    getter/setter (bsc#1043912).

  - btrfs: Round down values which are written for
    total_bytes_size (bsc#1043912).

  - drm/i915: Serialize GTT/Aperture accesses on BXT
    (bsc#1046821).

  - Fix kABI breakage by KVM CVE fix (bsc#1045922).

  - hpsa: limit transfer length to 1MB (bsc#1025461).

  - hwpoison, memcg: forcibly uncharge LRU pages
    (bnc#1046105).

  - ibmvnic: Fix assignment of RX/TX IRQ's (bsc#1046589).

  - iw_cxgb4: Fix error return code in c4iw_rdev_open()
    (bsc#1026570).

  - iwlwifi: 8000: fix MODULE_FIRMWARE input (FATE#321353,
    FATE#323335).

  - iwlwifi: 9000: increase the number of queues
    (FATE#321353, FATE#323335).

  - iwlwifi: add device ID for 8265 (FATE#321353,
    FATE#323335).

  - iwlwifi: add device IDs for the 8265 device
    (FATE#321353, FATE#323335).

  - iwlwifi: add disable_11ac module param (FATE#321353,
    FATE#323335).

  - iwlwifi: add new 3168 series devices support
    (FATE#321353, FATE#323335).

  - iwlwifi: add new 8260 PCI IDs (FATE#321353,
    FATE#323335).

  - iwlwifi: add new 8265 (FATE#321353, FATE#323335).

  - iwlwifi: add new 8265 series PCI ID (FATE#321353,
    FATE#323335).

  - iwlwifi: Add new PCI IDs for 9260 and 5165 series
    (FATE#321353, FATE#323335).

  - iwlwifi: Add PCI IDs for the new 3168 series
    (FATE#321353, FATE#323335).

  - iwlwifi: Add PCI IDs for the new series 8165
    (FATE#321353, FATE#323335).

  - iwlwifi: add support for 12K Receive Buffers
    (FATE#321353, FATE#323335).

  - iwlwifi: add support for getting HW address from CSR
    (FATE#321353, FATE#323335).

  - iwlwifi: avoid d0i3 commands when no/init ucode is
    loaded (FATE#321353, FATE#323335).

  - iwlwifi: bail out in case of bad trans state
    (FATE#321353, FATE#323335).

  - iwlwifi: block the queues when we send ADD_STA for uAPSD
    (FATE#321353, FATE#323335).

  - iwlwifi: change the Intel Wireless email address
    (FATE#321353, FATE#323335).

  - iwlwifi: change the Intel Wireless email address
    (FATE#321353, FATE#323335).

  - iwlwifi: check for valid ethernet address provided by
    OEM (FATE#321353, FATE#323335).

  - iwlwifi: clean up transport debugfs handling
    (FATE#321353, FATE#323335).

  - iwlwifi: clear ieee80211_tx_info->driver_data in the
    op_mode (FATE#321353, FATE#323335).

  - iwlwifi: Document missing module options (FATE#321353,
    FATE#323335).

  - iwlwifi: dump prph registers in a common place for all
    transports (FATE#321353, FATE#323335).

  - iwlwifi: dvm: advertise NETIF_F_SG (FATE#321353,
    FATE#323335).

  - iwlwifi: dvm: fix compare_const_fl.cocci warnings
    (FATE#321353, FATE#323335).

  - iwlwifi: dvm: handle zero brightness for wifi LED
    (FATE#321353, FATE#323335).

  - iwlwifi: dvm: remove a wrong dependency on m
    (FATE#321353, FATE#323335).

  - iwlwifi: dvm: remove Kconfig default (FATE#321353,
    FATE#323335).

  - iwlwifi: dvm: remove stray debug code (FATE#321353,
    FATE#323335).

  - iwlwifi: export the _no_grab version of PRPH IO
    functions (FATE#321353, FATE#323335).

  - iwlwifi: expose fw usniffer mode to more utilities
    (FATE#321353, FATE#323335).

  - iwlwifi: fix double hyphen in MODULE_FIRMWARE for 8000
    (FATE#321353, FATE#323335).

  - iwlwifi: Fix firmware name maximum length definition
    (FATE#321353, FATE#323335).

  - iwlwifi: fix name of ucode loaded for 8265 series
    (FATE#321353, FATE#323335).

  - iwlwifi: fix printf specifier (FATE#321353,
    FATE#323335).

  - iwlwifi: generalize d0i3_entry_timeout module parameter
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: adapt the firmware assert log to new
    firmware (FATE#321353, FATE#323335).

  - iwlwifi: mvm: add 9000-series RX API (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: add 9000 series RX processing
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: add a non-trigger window to fw dbg
    triggers (FATE#321353, FATE#323335).

  - iwlwifi: mvm: add an option to start rs from HT/VHT
    rates (FATE#321353, FATE#323335).

  - iwlwifi: mvm: Add a station in monitor mode
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: add bt rrc and ttc to debugfs
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: add bt settings to debugfs (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: add ctdp operations to debugfs
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: add CT-KILL notification (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: add debug print if scan config is ignored
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: add extended dwell time (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: add new ADD_STA command version
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: Add P2P client snoozing (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: add registration to cooling device
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: add registration to thermal zone
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: add support for negative temperatures
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: add tlv for multi queue rx support
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: add trigger for firmware dump upon TDLS
    events (FATE#321353, FATE#323335).

  - iwlwifi: mvm: add trigger for firmware dump upon TX
    response status (FATE#321353, FATE#323335).

  - iwlwifi: mvm: advertise NETIF_F_SG (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: Align bt-coex priority with requirements
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: allow to disable beacon filtering for
    AP/GO interface (FATE#321353, FATE#323335).

  - iwlwifi: mvm: avoid harmless -Wmaybe-uninialized warning
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: avoid panics with thermal device usage
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: avoid to WARN about gscan capabilities
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: bail out if CTDP start operation fails
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: bump firmware API to 21 (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: bump max API to 20 (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: change access to ieee80211_hdr
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: change iwl_mvm_get_key_sta_id() to return
    the station (FATE#321353, FATE#323335).

  - iwlwifi: mvm: change mcc update API (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: change name of iwl_mvm_d3_update_gtk
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: Change number of associated stations when
    station becomes associated (FATE#321353, FATE#323335).

  - iwlwifi: mvm: change protocol offload flows
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: change the check for ADD_STA status
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: check FW's response for nvm access write
    cmd (FATE#321353, FATE#323335).

  - iwlwifi: mvm: check iwl_mvm_wowlan_config_key_params()
    return value (FATE#321353, FATE#323335).

  - iwlwifi: mvm: check minimum temperature notification
    length (FATE#321353, FATE#323335).

  - iwlwifi: mvm: cleanup roc te on restart cleanup
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: Configure fragmented scan for scheduled
    scan (FATE#321353, FATE#323335).

  - iwlwifi: mvm: configure scheduled scan according to
    traffic conditions (FATE#321353, FATE#323335).

  - iwlwifi: mvm: constify the parameters of a few functions
    in fw-dbg.c (FATE#321353, FATE#323335).

  - iwlwifi: mvm: Disable beacon storing in D3 when WOWLAN
    configured (FATE#321353, FATE#323335).

  - iwlwifi: mvm: disable DQA support (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: do not ask beacons when P2P GO vif and no
    assoc sta (FATE#321353, FATE#323335).

  - iwlwifi: mvm: do not keep an mvm ref when the interface
    is down (FATE#321353, FATE#323335).

  - iwlwifi: mvm: do not let NDPs mess the packet tracking
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: do not restart HW if suspend fails with
    unified image (FATE#321353, FATE#323335).

  - iwlwifi: mvm: Do not switch to D3 image on suspend
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: do not try to offload AES-CMAC in AP/IBSS
    modes (FATE#321353, FATE#323335).

  - iwlwifi: mvm: drop low_latency_agg_frame_cnt_limit
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: dump more registers upon error
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: dump the radio registers when the firmware
    crashes (FATE#321353, FATE#323335).

  - iwlwifi: mvm: enable L3 filtering (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: Enable MPLUT only on supported hw
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: enable VHT MU-MIMO for supported hardware
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: extend time event duration (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: fix accessing NULL pointer during fw dump
    collection (FATE#321353, FATE#323335).

  - iwlwifi: mvm: fix d3_test with unified D0/D3 images
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: fix debugfs signedness warning
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: fix extended dwell time (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: fix incorrect fallthrough in
    iwl_mvm_check_running_scans() (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: fix memory leaks in error paths upon fw
    error dump (FATE#321353, FATE#323335).

  - iwlwifi: mvm: fix netdetect starting/stopping for
    unified images (FATE#321353, FATE#323335).

  - iwlwifi: mvm: fix RSS key sizing (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: fix unregistration of thermal in some
    error flows (FATE#321353, FATE#323335).

  - iwlwifi: mvm: flush all used TX queues before suspending
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: forbid U-APSD for P2P Client if the
    firmware does not support it (FATE#321353, FATE#323335).

  - iwlwifi: mvm: handle pass all scan reporting
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: ignore LMAC scan notifications when
    running UMAC scans (FATE#321353, FATE#323335).

  - iwlwifi: mvm: infrastructure for frame-release message
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: kill iwl_mvm_enable_agg_txq (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: let the firmware choose the antenna for
    beacons (FATE#321353, FATE#323335).

  - iwlwifi: mvm: make collecting fw debug data optional
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: move fw-dbg code to separate file
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: only release the trans ref if d0i3 is
    supported in fw (FATE#321353, FATE#323335).

  - iwlwifi: mvm: prepare the code towards TSO
    implementation (FATE#321353, FATE#323335).

  - iwlwifi: mvm: refactor d3 key update functions
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: refactor the way fw_key_table is handled
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: remove an extra tab (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: Remove bf_vif from iwl_power_vifs
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: Remove iwl_mvm_update_beacon_abort
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: remove redundant d0i3 flag from the config
    struct (FATE#321353, FATE#323335).

  - iwlwifi: mvm: remove shadowing variable (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: remove stray nd_config element
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: remove the vif parameter of
    iwl_mvm_configure_bcast_filter() (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: remove unnecessary check in
    iwl_mvm_is_d0i3_supported() (FATE#321353, FATE#323335).

  - iwlwifi: mvm: remove useless WARN_ON and rely on
    cfg80211's combination (FATE#321353, FATE#323335).

  - iwlwifi: mvm: report wakeup for wowlan (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: reset mvm->scan_type when firmware is
    started (FATE#321353, FATE#323335).

  - iwlwifi: mvm: return the cooling state index instead of
    the budget (FATE#321353, FATE#323335).

  - iwlwifi: mvm: ROC: cleanup time event info on FW failure
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: ROC: Extend the ROC max delay duration &
    limit ROC duration (FATE#321353, FATE#323335).

  - iwlwifi: mvm: rs: fix a potential out of bounds access
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: rs: fix a theoretical access to
    uninitialized array elements (FATE#321353, FATE#323335).

  - iwlwifi: mvm: rs: fix a warning message (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: rs: fix TPC action decision algorithm
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: rs: fix TPC statistics handling
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: Send power command on
    BSS_CHANGED_BEACON_INFO if needed (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: set default new STA as non-aggregated
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: set the correct amsdu enum values
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: set the correct descriptor size for
    tracing (FATE#321353, FATE#323335).

  - iwlwifi: mvm: small update in the firmware API
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: support A-MSDU in A-MPDU (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: support beacon storing (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: support description for user triggered fw
    dbg collection (FATE#321353, FATE#323335).

  - iwlwifi: mvm: support rss queues configuration command
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: Support setting continuous recording debug
    mode (FATE#321353, FATE#323335).

  - iwlwifi: mvm: support setting minimum quota from debugfs
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: support sw queue start/stop from mvm
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: take care of padded packets (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: take the transport ref back when leaving
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: track low-latency sources separately
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: update GSCAN capabilities (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: update ucode status before stopping device
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: use build-time assertion for fw trigger ID
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: use firmware station lookup, combine code
    (FATE#321353, FATE#323335).

  - iwlwifi: mvm: various trivial cleanups (FATE#321353,
    FATE#323335).

  - iwlwifi: mvm: writing zero bytes to debugfs causes a
    crash (FATE#321353, FATE#323335).

  - iwlwifi: nvm: fix loading default NVM file (FATE#321353,
    FATE#323335).

  - iwlwifi: nvm: fix up phy section when reading it
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: add 9000 series multi queue rx DMA
    support (FATE#321353, FATE#323335).

  - iwlwifi: pcie: add infrastructure for multi-queue rx
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: add initial RTPM support for PCI
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: Add new configuration to enable MSIX
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: add pm_prepare and pm_complete ops
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: add RTPM support when wifi is enabled
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: aggregate Flow Handler configuration
    writes (FATE#321353, FATE#323335).

  - iwlwifi: pcie: allow the op_mode to block the tx queues
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: allow to pretend to have Tx CSUM for
    debug (FATE#321353, FATE#323335).

  - iwlwifi: pcie: avoid restocks inside rx loop if not
    emergency (FATE#321353, FATE#323335).

  - iwlwifi: pcie: buffer packets to avoid overflowing Tx
    queues (FATE#321353, FATE#323335).

  - iwlwifi: pcie: build an A-MSDU using TSO core
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: configure more RFH settings (FATE#321353,
    FATE#323335).

  - iwlwifi: pcie: detect and workaround invalid write ptr
    behavior (FATE#321353, FATE#323335).

  - iwlwifi: pcie: do not increment / decrement a bool
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: enable interrupts before releasing the
    NIC's CPU (FATE#321353, FATE#323335).

  - iwlwifi: pcie: enable multi-queue rx path (FATE#321353,
    FATE#323335).

  - iwlwifi: pcie: extend device reset delay (FATE#321353,
    FATE#323335).

  - iwlwifi: pcie: fine tune number of rxbs (FATE#321353,
    FATE#323335).

  - iwlwifi: pcie: fix a race in firmware loading flow
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: fix erroneous return value (FATE#321353,
    FATE#323335).

  - iwlwifi: pcie: fix global table size (FATE#321353,
    FATE#323335).

  - iwlwifi: pcie: fix identation in trans.c (FATE#321353,
    FATE#323335).

  - iwlwifi: pcie: fix RF-Kill vs. firmware load race
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: forbid RTPM on device removal
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: mark command queue lock with separate
    lockdep class (FATE#321353, FATE#323335).

  - iwlwifi: pcie: prevent skbs shadowing in
    iwl_trans_pcie_reclaim (FATE#321353, FATE#323335).

  - iwlwifi: pcie: refactor RXBs reclaiming code
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: remove ICT allocation message
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: remove pointer from debug message
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: re-organize code towards TSO
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: set RB chunk size back to 64
    (FATE#321353, FATE#323335).

  - iwlwifi: pcie: update iwl_mpdu_desc fields (FATE#321353,
    FATE#323335).

  - iwlwifi: print index in api/capa flags parsing message
    (FATE#321353, FATE#323335).

  - iwlwifi: refactor the code that reads the MAC address
    from the NVM (FATE#321353, FATE#323335).

  - iwlwifi: remove IWL_DL_LED (FATE#321353, FATE#323335).

  - iwlwifi: remove unused parameter from grab_nic_access
    (FATE#321353, FATE#323335).

  - iwlwifi: replace d0i3_mode and wowlan_d0i3 with more
    generic variables (FATE#321353, FATE#323335).

  - iwlwifi: set max firmware version of 7265 to 17
    (FATE#321353, FATE#323335).

  - iwlwifi: support ucode with d0 unified image - regular
    and usniffer (FATE#321353, FATE#323335).

  - iwlwifi: trans: make various conversion macros inlines
    (FATE#321353, FATE#323335).

  - iwlwifi: trans: support a callback for ASYNC commands
    (FATE#321353, FATE#323335).

  - iwlwifi: treat iwl_parse_nvm_data() MAC addr as little
    endian (FATE#321353, FATE#323335).

  - iwlwifi: tt: move ucode_loaded check under mutex
    (FATE#321353, FATE#323335).

  - iwlwifi: uninline iwl_trans_send_cmd (FATE#321353,
    FATE#323335).

  - iwlwifi: update host command messages to new format
    (FATE#321353, FATE#323335).

  - iwlwifi: Update PCI IDs for 8000 and 9000 series
    (FATE#321353, FATE#323335).

  - iwlwifi: update support for 3168 series firmware and NVM
    (FATE#321353, FATE#323335).

  - iwlwifi: various comments and code cleanups
    (FATE#321353, FATE#323335).

  - kabi: ignore fs_info parameter for tracepoints that
    didn't have it (bsc#1044912).

  - kabi/severities: ignore kABi changes in iwlwifi stuff
    itself

  - powerpc/ftrace: Pass the correct stack pointer for
    DYNAMIC_FTRACE_WITH_REGS (FATE#322421).

  - printk: Correctly handle preemption in console_unlock()
    (bsc#1046434).

  - printk/xen: Force printk sync mode when migrating Xen
    guest (bsc#1043347).

  - RDMA/iw_cxgb4: Always wake up waiter in
    c4iw_peer_abort_intr() (bsc#1026570).

  - smartpqi: limit transfer length to 1MB (bsc#1025461).

  - tty: Destroy ldisc instance on hangup (bnc#1043488).

  - tty: Fix ldisc crash on reopened tty (bnc#1043488).

  - tty: Handle NULL tty->ldisc (bnc#1043488).

  - tty: Move tty_ldisc_kill() (bnc#1043488).

  - tty: Prepare for destroying line discipline on hangup
    (bnc#1043488).

  - tty: Refactor tty_ldisc_reinit() for reuse
    (bnc#1043488).

  - tty: Reset c_line from driver's init_termios
    (bnc#1043488).

  - tty: Simplify tty_set_ldisc() exit handling
    (bnc#1043488).

  - tty: Use 'disc' for line discipline index name
    (bnc#1043488).

  - Update config files: add CONFIG_IWLWIFI_PCIE_RTPM=y
    (FATE#323335)

  - Update patches.fixes/nfs-svc-rdma.fix (bsc#1044854). Fix
    bsc reference

  - Update
    patches.fixes/xfs-split-default-quota-limits-by-quota-ty
    pe.patch (bsc#1040941). Fix the bug nr used."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1025461"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1026570"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1031784"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1039354"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1040182"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1040941"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1043347"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1043488"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1043912"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1044854"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1044912"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1045922"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1046105"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1046434"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1046589"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1046821"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected the Linux Kernel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-docs-html");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-docs-pdf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-macros");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-obs-build");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-obs-qa");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source-vanilla");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-syms");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-base-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/08");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.2", reference:"kernel-debug-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-debug-base-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-debug-base-debuginfo-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-debug-debuginfo-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-debug-debugsource-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-debug-devel-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-debug-devel-debuginfo-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-default-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-default-base-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-default-base-debuginfo-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-default-debuginfo-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-default-debugsource-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-default-devel-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-devel-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-docs-html-4.4.74-18.20.3") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-docs-pdf-4.4.74-18.20.3") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-macros-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-obs-build-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-obs-build-debugsource-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-obs-qa-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-source-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-source-vanilla-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-syms-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-vanilla-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-vanilla-base-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-vanilla-base-debuginfo-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-vanilla-debuginfo-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-vanilla-debugsource-4.4.74-18.20.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"kernel-vanilla-devel-4.4.74-18.20.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-docs-html / kernel-docs-pdf / kernel-devel / kernel-macros / etc");
}

#
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2018-0035.
#

include("compat.inc");

if (description)
{
  script_id(109158);
  script_version("1.7");
  script_cvs_date("Date: 2019/09/27 13:00:35");

  script_cve_id("CVE-2016-10318", "CVE-2016-9191", "CVE-2017-0861", "CVE-2017-1000112", "CVE-2017-1000405", "CVE-2017-1000407", "CVE-2017-10661", "CVE-2017-12154", "CVE-2017-12190", "CVE-2017-12192", "CVE-2017-12193", "CVE-2017-14106", "CVE-2017-14140", "CVE-2017-14489", "CVE-2017-15115", "CVE-2017-15537", "CVE-2017-15649", "CVE-2017-16525", "CVE-2017-16526", "CVE-2017-16527", "CVE-2017-16529", "CVE-2017-16530", "CVE-2017-16531", "CVE-2017-16532", "CVE-2017-16533", "CVE-2017-16535", "CVE-2017-16536", "CVE-2017-16646", "CVE-2017-16649", "CVE-2017-16650", "CVE-2017-17052", "CVE-2017-17712", "CVE-2017-2618", "CVE-2017-5715", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-7482", "CVE-2017-7518", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-7618", "CVE-2017-8824", "CVE-2018-1068");

  script_name(english:"OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0035) (Dirty COW) (Meltdown) (Spectre)");
  script_summary(english:"Checks the RPM output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote OracleVM host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote OracleVM system is missing necessary patches to address
critical security updates : please see Oracle VM Security Advisory
OVMSA-2018-0035 for details."
  );
  # https://oss.oracle.com/pipermail/oraclevm-errata/2018-April/000845.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?756979c2"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel-uek / kernel-uek-firmware packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/19");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"OracleVM Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

flag = 0;
if (rpm_check(release:"OVS3.4", reference:"kernel-uek-4.1.12-124.14.1.el6uek")) flag++;
if (rpm_check(release:"OVS3.4", reference:"kernel-uek-firmware-4.1.12-124.14.1.el6uek")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-uek / kernel-uek-firmware");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2018:0395 and 
# CentOS Errata and Security Advisory 2018:0395 respectively.
#

include("compat.inc");

if (description)
{
  script_id(107271);
  script_version("1.4");
  script_cvs_date("Date: 2019/12/31");

  script_cve_id("CVE-2017-12188", "CVE-2017-7518");
  script_xref(name:"RHSA", value:"2018:0395");

  script_name(english:"CentOS 7 : kernel (CESA-2018:0395)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

These updated kernel packages include several security issues and
numerous bug fixes, some of which you can see below. Space precludes
documenting all of these bug fixes in this advisory. To see the
complete list of bug fixes, users are directed to the related
Knowledge Article: https://access.redhat.com/articles/3368501.

Security Fix(es) :

* Kernel: KVM: MMU potential stack buffer overrun during page walks
(CVE-2017-12188, Important)

* Kernel: KVM: debug exception via syscall emulation (CVE-2017-7518,
Moderate)

For more details about the security issue(s), including the impact, a
CVSS score, acknowledgments, and other related information, refer to
the CVE page(s) listed in the References section."
  );
  # https://lists.centos.org/pipermail/centos-announce/2018-March/022768.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?56379f33"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-12188");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-abi-whitelists");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/12");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);


flag = 0;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-abi-whitelists-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-debug-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-devel-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-doc-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-headers-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-tools-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"perf-3.10.0-693.21.1.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"python-perf-3.10.0-693.21.1.el7")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc");
}

#
# (C) Tenable Network Security, Inc.
#
# @DEPRECATED@
#
# Disabled on 2/7/2019
#

# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory PHSA-2018-2.0-0101. The text
# itself is copyright (C) VMware, Inc.

include("compat.inc");

if (description)
{
  script_id(119423);
  script_version("1.2");
  script_cvs_date("Date: 2019/02/07 18:59:51");

  script_cve_id(
    "CVE-2017-7482",
    "CVE-2017-7518",
    "CVE-2017-1000363",
    "CVE-2018-5390",
    "CVE-2018-6555"
  );

  script_name(english:"Photon OS 2.0: Linux PHSA-2018-2.0-0101 (deprecated)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"This plugin has been deprecated.");
  script_set_attribute(attribute:"description", value:
"An update of 'linux-secure', 'linux', 'linux-aws', 'linux-esx'
packages of Photon OS has been released.");
  # https://github.com/vmware/photon/wiki/Security-Updates-2-101
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eff6eebe");
  script_set_attribute(attribute:"solution", value:"n/a.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5390");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"PhotonOS Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");

  exit(0);
}

exit(0, "This plugin has been deprecated.");

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/PhotonOS/release");
if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0");

if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);

flag = 0;

pkgs = [
  "linux-4.9.130-2.ph2",
  "linux-api-headers-4.9.130-1.ph2",
  "linux-aws-4.9.130-2.ph2",
  "linux-aws-debuginfo-4.9.130-2.ph2",
  "linux-aws-devel-4.9.130-2.ph2",
  "linux-aws-docs-4.9.130-2.ph2",
  "linux-aws-drivers-gpu-4.9.130-2.ph2",
  "linux-aws-oprofile-4.9.130-2.ph2",
  "linux-aws-sound-4.9.130-2.ph2",
  "linux-aws-tools-4.9.130-2.ph2",
  "linux-debuginfo-4.9.130-2.ph2",
  "linux-devel-4.9.130-2.ph2",
  "linux-docs-4.9.130-2.ph2",
  "linux-drivers-gpu-4.9.130-2.ph2",
  "linux-esx-4.9.130-2.ph2",
  "linux-esx-debuginfo-4.9.130-2.ph2",
  "linux-esx-devel-4.9.130-2.ph2",
  "linux-esx-docs-4.9.130-2.ph2",
  "linux-oprofile-4.9.130-2.ph2",
  "linux-secure-4.9.130-2.ph2",
  "linux-secure-debuginfo-4.9.130-2.ph2",
  "linux-secure-devel-4.9.130-2.ph2",
  "linux-secure-docs-4.9.130-2.ph2",
  "linux-secure-lkcm-4.9.130-2.ph2",
  "linux-sound-4.9.130-2.ph2",
  "linux-tools-4.9.130-2.ph2"
];

foreach (pkg in pkgs)
  if (rpm_check(release:"PhotonOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux");
}