Vulnerabilities > CVE-2017-7542 - Integer Overflow or Wraparound vulnerability in Linux Kernel

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
linux
CWE-190
nessus

Summary

The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket.

Vulnerable Configurations

Part Description Count
OS
Linux
3230

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3657.NASL
    descriptionDescription of changes: [3.8.13-118.20.1.el7uek] - tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) [Orabug: 25392692] - ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei) [Orabug: 26479780] - KEYS: fix dereferencing NULL payload with nonzero length (Eric Biggers) [Orabug: 26592025] - oracleasm: Copy the integrity descriptor (Martin K. Petersen) [Orabug: 26649818] - mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook) [Orabug: 26675925] {CVE-2017-7889} - xscore: add dma address check (Zhu Yanjun) [Orabug: 27058468] - more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069042] {CVE-2017-12190} - fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh) [Orabug: 27069042] {CVE-2017-12190} - nvme: Drop nvmeq->q_lock before dma_pool_alloc(), so as to prevent hard lockups (Aruna Ramakrishna) [Orabug: 25409587] - nvme: Handle PM1725 HIL reset (Martin K. Petersen) [Orabug: 26277600] - char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403940] {CVE-2017-1000363} - ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug: 26403956] {CVE-2017-1000380} - ALSA: timer: Fix race between read and ioctl (Takashi Iwai) [Orabug: 26403956] {CVE-2017-1000380} - ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum) [Orabug: 26403956] {CVE-2017-1000380} - ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403956] {CVE-2017-1000380} - ALSA: timer: Fix race at concurrent reads (Takashi Iwai) [Orabug: 26403956] {CVE-2017-1000380} - ALSA: timer: Fix race among timer ioctls (Takashi Iwai) [Orabug: 26403956] {CVE-2017-1000380} - ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404005] {CVE-2017-9077} - ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren) [Orabug: 26427126] - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren) [Orabug: 26427126] - ping: implement proper locking (Eric Dumazet) [Orabug: 26540286] {CVE-2017-2671} - aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643598] {CVE-2016-10044} - vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman) [Orabug: 26643598] {CVE-2016-10044} - vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643598] {CVE-2016-10044} - x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han) [Orabug: 26643645] {CVE-2017-11473} - sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650883] {CVE-2017-9075} - [media] saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675142] {CVE-2017-8831} - [media] saa7164: fix sparse warnings (Hans Verkuil) [Orabug: 26675142] {CVE-2017-8831} - fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das) [Orabug: 26797306] - timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899787] {CVE-2017-10661} - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn
    last seen2020-06-05
    modified2017-12-11
    plugin id105144
    published2017-12-11
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105144
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3657) (BlueBorne) (Stack Clash)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2017-3657.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105144);
      script_version("3.13");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-10044", "CVE-2016-10200", "CVE-2016-7097", "CVE-2016-9604", "CVE-2016-9685", "CVE-2017-1000111", "CVE-2017-1000251", "CVE-2017-1000363", "CVE-2017-1000365", "CVE-2017-1000380", "CVE-2017-10661", "CVE-2017-11176", "CVE-2017-11473", "CVE-2017-12134", "CVE-2017-12190", "CVE-2017-14489", "CVE-2017-2671", "CVE-2017-7542", "CVE-2017-7645", "CVE-2017-7889", "CVE-2017-8831", "CVE-2017-9075", "CVE-2017-9077", "CVE-2017-9242");
    
      script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3657) (BlueBorne) (Stack Clash)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Description of changes:
    
    [3.8.13-118.20.1.el7uek]
    - tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) 
    [Orabug: 25392692]
    - ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei) 
      [Orabug: 26479780]
    - KEYS: fix dereferencing NULL payload with nonzero length (Eric 
    Biggers)  [Orabug: 26592025]
    - oracleasm: Copy the integrity descriptor (Martin K. Petersen) 
    [Orabug: 26649818]
    - mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook)  [Orabug: 
    26675925]  {CVE-2017-7889}
    - xscore: add dma address check (Zhu Yanjun)  [Orabug: 27058468]
    - more bio_map_user_iov() leak fixes (Al Viro)  [Orabug: 27069042] 
    {CVE-2017-12190}
    - fix unbalanced page refcounting in bio_map_user_iov (Vitaly 
    Mayatskikh)  [Orabug: 27069042]  {CVE-2017-12190}
    - nvme: Drop nvmeq->q_lock before dma_pool_alloc(), so as to prevent 
    hard lockups (Aruna Ramakrishna)  [Orabug: 25409587]
    - nvme: Handle PM1725 HIL reset (Martin K. Petersen)  [Orabug: 26277600]
    - char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) 
    [Orabug: 26403940]  {CVE-2017-1000363}
    - ALSA: timer: Fix missing queue indices reset at 
    SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai)  [Orabug: 26403956] 
    {CVE-2017-1000380}
    - ALSA: timer: Fix race between read and ioctl (Takashi Iwai)  [Orabug: 
    26403956]  {CVE-2017-1000380}
    - ALSA: timer: fix NULL pointer dereference in read()/ioctl() race 
    (Vegard Nossum)  [Orabug: 26403956]  {CVE-2017-1000380}
    - ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) 
    [Orabug: 26403956]  {CVE-2017-1000380}
    - ALSA: timer: Fix race at concurrent reads (Takashi Iwai)  [Orabug: 
    26403956]  {CVE-2017-1000380}
    - ALSA: timer: Fix race among timer ioctls (Takashi Iwai)  [Orabug: 
    26403956]  {CVE-2017-1000380}
    - ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) 
    [Orabug: 26404005]  {CVE-2017-9077}
    - ocfs2: fix deadlock issue when taking inode lock at vfs entry points 
    (Eric Ren)  [Orabug: 26427126]
    - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock 
    (Eric Ren)  [Orabug: 26427126]
    - ping: implement proper locking (Eric Dumazet)  [Orabug: 26540286] 
    {CVE-2017-2671}
    - aio: mark AIO pseudo-fs noexec (Jann Horn)  [Orabug: 26643598] 
    {CVE-2016-10044}
    - vfs: Commit to never having exectuables on proc and sysfs. (Eric W. 
    Biederman)  [Orabug: 26643598]  {CVE-2016-10044}
    - vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun 
    Heo)  [Orabug: 26643598]  {CVE-2016-10044}
    - x86/acpi: Prevent out of bound access caused by broken ACPI tables 
    (Seunghun Han)  [Orabug: 26643645]  {CVE-2017-11473}
    - sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) 
    [Orabug: 26650883]  {CVE-2017-9075}
    - [media] saa7164: fix double fetch PCIe access condition (Steven Toth) 
    [Orabug: 26675142]  {CVE-2017-8831}
    - [media] saa7164: fix sparse warnings (Hans Verkuil)  [Orabug: 
    26675142]  {CVE-2017-8831}
    - fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE 
    (Abhi Das)  [Orabug: 26797306]
    - timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) 
    [Orabug: 26899787]  {CVE-2017-10661}
    - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't 
    parse nlmsg properly (Xin Long)  [Orabug: 26988627]  {CVE-2017-14489}
    - mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang)  [Orabug: 
    26643556]  {CVE-2017-11176}
    - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina 
    Dubroca)  [Orabug: 27011273]  {CVE-2017-7542}
    - packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) 
    [Orabug: 27002450]  {CVE-2017-1000111}
    - mlx4_core: calculate log_num_mtt based on total system memory (Wei Lin 
    Guay)  [Orabug: 26883934]
    - xen/x86: Add interface for querying amount of host memory (Boris 
    Ostrovsky)  [Orabug: 26883934]
    - Bluetooth: Properly check L2CAP config option output buffer length 
    (Ben Seri)  [Orabug: 26796364]  {CVE-2017-1000251}
    - xen: fix bio vec merging (Roger Pau Monne)  [Orabug: 26645550] 
    {CVE-2017-12134}
    - fs/exec.c: account for argv/envp pointers (Kees Cook)  [Orabug: 
    26638921]  {CVE-2017-1000365} {CVE-2017-1000365}
    - l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume 
    Nault)  [Orabug: 26586047]  {CVE-2016-10200}
    - xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz 
    Guzik)  [Orabug: 26586022]  {CVE-2016-9685}
    - KEYS: Disallow keyrings beginning with '.' to be joined as session 
    keyrings (David Howells)  [Orabug: 26585994]  {CVE-2016-9604}
    - ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) 
    [Orabug: 26578198]  {CVE-2017-9242}
    - posix_acl: Clear SGID bit when setting file permissions (Jan Kara) 
    [Orabug: 25507344]  {CVE-2016-7097} {CVE-2016-7097}
    - nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) 
    [Orabug: 26366022]  {CVE-2017-7645}"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-December/007407.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-December/007408.html"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.20.1.el6uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.20.1.el7uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/11");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-10044", "CVE-2016-10200", "CVE-2016-7097", "CVE-2016-9604", "CVE-2016-9685", "CVE-2017-1000111", "CVE-2017-1000251", "CVE-2017-1000363", "CVE-2017-1000365", "CVE-2017-1000380", "CVE-2017-10661", "CVE-2017-11176", "CVE-2017-11473", "CVE-2017-12134", "CVE-2017-12190", "CVE-2017-14489", "CVE-2017-2671", "CVE-2017-7542", "CVE-2017-7645", "CVE-2017-7889", "CVE-2017-8831", "CVE-2017-9075", "CVE-2017-9077", "CVE-2017-9242");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2017-3657");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "3.8";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_check(release:"EL6", cpu:"x86_64", reference:"dtrace-modules-3.8.13-118.20.1.el6uek-0.4.5-3.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-3.8.13-118.20.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-3.8.13-118.20.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-3.8.13-118.20.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-3.8.13-118.20.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-3.8.13-118.20.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-3.8.13-118.20.1.el6uek")) flag++;
    
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"dtrace-modules-3.8.13-118.20.1.el7uek-0.4.5-3.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-3.8.13-118.20.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-3.8.13-118.20.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-3.8.13-118.20.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-3.8.13-118.20.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-3.8.13-118.20.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-3.8.13-118.20.1.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3658.NASL
    descriptionDescription of changes: [2.6.39-400.298.1.el6uek] - ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei) [Orabug: 23320090] - tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) [Orabug: 24337879] - xen-netfront: cast grant table reference first to type int (Dongli Zhang) [Orabug: 25102637] - xen-netfront: do not cast grant table reference to signed short (Dongli Zhang) [Orabug: 25102637] - RDS: Print failed rdma op details if failure is remote access error (Rama Nichanamatlu) [Orabug: 25440316] - ping: implement proper locking (Eric Dumazet) [Orabug: 26540288] {CVE-2017-2671} - KEYS: fix dereferencing NULL payload with nonzero length (Eric Biggers) [Orabug: 26592013] - oracleasm: Copy the integrity descriptor (Martin K. Petersen) [Orabug: 26650039] - mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook) [Orabug: 26675934] {CVE-2017-7889} - fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das) [Orabug: 26797307] - xscore: add dma address check (Zhu Yanjun) [Orabug: 27058559] - more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069045] {CVE-2017-12190} - fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh) [Orabug: 27069045] {CVE-2017-12190} - xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep Gopanapalli) [Orabug: 24823234] - ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren) [Orabug: 25671723] - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren) [Orabug: 25671723] - net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308} - net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308} - char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403941] {CVE-2017-1000363} - ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix race between read and ioctl (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix race at concurrent reads (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ALSA: timer: Fix race among timer ioctls (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380} - ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings) [Orabug: 26403974] {CVE-2017-9074} - ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller) [Orabug: 26403974] {CVE-2017-9074} - ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403974] {CVE-2017-9074} - ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404007] {CVE-2017-9077} - aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643601] {CVE-2016-10044} - vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman) [Orabug: 26643601] {CVE-2016-10044} - vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643601] {CVE-2016-10044} - x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han) [Orabug: 26643652] {CVE-2017-11473} - sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650889] {CVE-2017-9075} - saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675148] {CVE-2017-8831} - saa7164: fix sparse warnings (Hans Verkuil) [Orabug: 26675148] {CVE-2017-8831} - saa7164: get rid of warning: no previous prototype (Mauro Carvalho Chehab) [Orabug: 26675148] {CVE-2017-8831} - [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James Smart) [Orabug: 26765341] - timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899791] {CVE-2017-10661} - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn
    last seen2020-06-05
    modified2017-12-11
    plugin id105145
    published2017-12-11
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105145
    titleOracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3658) (BlueBorne) (Stack Clash)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2017-3658.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(105145);
      script_version("3.18");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2014-9710", "CVE-2015-1465", "CVE-2015-2686", "CVE-2015-4167", "CVE-2016-10044", "CVE-2016-10200", "CVE-2016-9604", "CVE-2016-9685", "CVE-2017-1000111", "CVE-2017-1000251", "CVE-2017-1000253", "CVE-2017-1000363", "CVE-2017-1000364", "CVE-2017-1000365", "CVE-2017-1000380", "CVE-2017-10661", "CVE-2017-11176", "CVE-2017-11473", "CVE-2017-12134", "CVE-2017-12190", "CVE-2017-14489", "CVE-2017-2671", "CVE-2017-7273", "CVE-2017-7308", "CVE-2017-7542", "CVE-2017-7645", "CVE-2017-7889", "CVE-2017-8831", "CVE-2017-9074", "CVE-2017-9075", "CVE-2017-9077", "CVE-2017-9242");
    
      script_name(english:"Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3658) (BlueBorne) (Stack Clash)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Description of changes:
    
    [2.6.39-400.298.1.el6uek]
    - ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei) 
      [Orabug: 23320090]
    - tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) 
    [Orabug: 24337879]
    - xen-netfront: cast grant table reference first to type int (Dongli 
    Zhang)  [Orabug: 25102637]
    - xen-netfront: do not cast grant table reference to signed short 
    (Dongli Zhang)  [Orabug: 25102637]
    - RDS: Print failed rdma op details if failure is remote access error 
    (Rama Nichanamatlu)  [Orabug: 25440316]
    - ping: implement proper locking (Eric Dumazet)  [Orabug: 26540288] 
    {CVE-2017-2671}
    - KEYS: fix dereferencing NULL payload with nonzero length (Eric 
    Biggers)  [Orabug: 26592013]
    - oracleasm: Copy the integrity descriptor (Martin K. Petersen) 
    [Orabug: 26650039]
    - mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook)  [Orabug: 
    26675934]  {CVE-2017-7889}
    - fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE 
    (Abhi Das)  [Orabug: 26797307]
    - xscore: add dma address check (Zhu Yanjun)  [Orabug: 27058559]
    - more bio_map_user_iov() leak fixes (Al Viro)  [Orabug: 27069045] 
    {CVE-2017-12190}
    - fix unbalanced page refcounting in bio_map_user_iov (Vitaly 
    Mayatskikh)  [Orabug: 27069045]  {CVE-2017-12190}
    - xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep 
    Gopanapalli)  [Orabug: 24823234]
    - ocfs2: fix deadlock issue when taking inode lock at vfs entry points 
    (Eric Ren)  [Orabug: 25671723]
    - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock 
    (Eric Ren)  [Orabug: 25671723]
    - net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) 
    [Orabug: 26143563]  {CVE-2017-7308}
    - net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) 
    [Orabug: 26143563]  {CVE-2017-7308}
    - char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) 
    [Orabug: 26403941]  {CVE-2017-1000363}
    - ALSA: timer: Fix missing queue indices reset at 
    SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai)  [Orabug: 26403958] 
    {CVE-2017-1000380}
    - ALSA: timer: Fix race between read and ioctl (Takashi Iwai)  [Orabug: 
    26403958]  {CVE-2017-1000380}
    - ALSA: timer: fix NULL pointer dereference in read()/ioctl() race 
    (Vegard Nossum)  [Orabug: 26403958]  {CVE-2017-1000380}
    - ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) 
    [Orabug: 26403958]  {CVE-2017-1000380}
    - ALSA: timer: Fix race at concurrent reads (Takashi Iwai)  [Orabug: 
    26403958]  {CVE-2017-1000380}
    - ALSA: timer: Fix race among timer ioctls (Takashi Iwai)  [Orabug: 
    26403958]  {CVE-2017-1000380}
    - ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben 
    Hutchings)  [Orabug: 26403974]  {CVE-2017-9074}
    - ipv6: Check ip6_find_1stfragopt() return value properly. (David S. 
    Miller)  [Orabug: 26403974]  {CVE-2017-9074}
    - ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) 
    [Orabug: 26403974]  {CVE-2017-9074}
    - ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) 
    [Orabug: 26404007]  {CVE-2017-9077}
    - aio: mark AIO pseudo-fs noexec (Jann Horn)  [Orabug: 26643601] 
    {CVE-2016-10044}
    - vfs: Commit to never having exectuables on proc and sysfs. (Eric W. 
    Biederman)  [Orabug: 26643601]  {CVE-2016-10044}
    - vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun 
    Heo)  [Orabug: 26643601]  {CVE-2016-10044}
    - x86/acpi: Prevent out of bound access caused by broken ACPI tables 
    (Seunghun Han)  [Orabug: 26643652]  {CVE-2017-11473}
    - sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) 
    [Orabug: 26650889]  {CVE-2017-9075}
    - saa7164: fix double fetch PCIe access condition (Steven Toth) 
    [Orabug: 26675148]  {CVE-2017-8831}
    - saa7164: fix sparse warnings (Hans Verkuil)  [Orabug: 26675148] 
    {CVE-2017-8831}
    - saa7164: get rid of warning: no previous prototype (Mauro Carvalho 
    Chehab)  [Orabug: 26675148]  {CVE-2017-8831}
    - [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James 
    Smart)  [Orabug: 26765341]
    - timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) 
    [Orabug: 26899791]  {CVE-2017-10661}
    - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't 
    parse nlmsg properly (Xin Long)  [Orabug: 26988628]  {CVE-2017-14489}
    - mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang)  [Orabug: 
    26643562]  {CVE-2017-11176}
    - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina 
    Dubroca)  [Orabug: 27011278]  {CVE-2017-7542}
    - packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) 
    [Orabug: 27002453]  {CVE-2017-1000111}
    - mlx4_core: calculate log_mtt based on total system memory (Wei Lin 
    Guay)  [Orabug: 26867355]
    - xen/x86: Add interface for querying amount of host memory (Boris 
    Ostrovsky)  [Orabug: 26867355]
    - fs/binfmt_elf.c: fix bug in loading of PIE binaries (Michael Davidson) 
      [Orabug: 26870958]  {CVE-2017-1000253}
    - Bluetooth: Properly check L2CAP config option output buffer length 
    (Ben Seri)  [Orabug: 26796428]  {CVE-2017-1000251}
    - xen: fix bio vec merging (Roger Pau Monne)  [Orabug: 26645562] 
    {CVE-2017-12134}
    - fs/exec.c: account for argv/envp pointers (Kees Cook)  [Orabug: 
    26638926]  {CVE-2017-1000365} {CVE-2017-1000365}
    - l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume 
    Nault)  [Orabug: 26586050]  {CVE-2016-10200}
    - xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz 
    Guzik)  [Orabug: 26586024]  {CVE-2016-9685}
    - KEYS: Disallow keyrings beginning with '.' to be joined as session 
    keyrings (David Howells)  [Orabug: 26586002]  {CVE-2016-9604}
    - ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) 
    [Orabug: 26578202]  {CVE-2017-9242}
    - selinux: quiet the filesystem labeling behavior message (Paul Moore) 
    [Orabug: 25721485]
    - RDS/IB: active bonding port state fix for intfs added late (Mukesh 
    Kacker)  [Orabug: 25875426]
    - HID: hid-cypress: validate length of report (Greg Kroah-Hartman) 
    [Orabug: 25891914]  {CVE-2017-7273}
    - udf: Remove repeated loads blocksize (Jan Kara)  [Orabug: 25905722] 
    {CVE-2015-4167}
    - udf: Check length of extended attributes and allocation descriptors 
    (Jan Kara)  [Orabug: 25905722]  {CVE-2015-4167}
    - udf: Verify i_size when loading inode (Jan Kara)  [Orabug: 25905722] 
    {CVE-2015-4167}
    - btrfs: drop unused parameter from btrfs_item_nr (Ross Kirk)  [Orabug: 
    25948102]  {CVE-2014-9710}
    - Btrfs: cleanup of function where fixup_low_keys() is called (Tsutomu 
    Itoh)  [Orabug: 25948102]  {CVE-2014-9710}
    - Btrfs: remove unused argument of fixup_low_keys() (Tsutomu Itoh) 
    [Orabug: 25948102]  {CVE-2014-9710}
    - Btrfs: remove unused argument of btrfs_extend_item() (Tsutomu Itoh) 
    [Orabug: 25948102]  {CVE-2014-9710}
    - Btrfs: add support for asserts (Josef Bacik)  [Orabug: 25948102] 
    {CVE-2014-9710}
    - Btrfs: make xattr replace operations atomic (Filipe Manana)  [Orabug: 
    25948102]  {CVE-2014-9710}
    - net: validate the range we feed to iov_iter_init() in 
    sys_sendto/sys_recvfrom (Al Viro)  [Orabug: 25948149]  {CVE-2015-2686}
    - xsigo: Compute node crash on FC failover (Joe Jin)  [Orabug: 25965445]
    - PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao)  [Orabug: 
    25975513]
    - PCI: Prevent VPD access for buggy devices (Babu Moger)  [Orabug: 
    25975513]
    - ipv4: try to cache dst_entries which would cause a redirect (Hannes 
    Frederic Sowa)  [Orabug: 26032377]  {CVE-2015-1465}
    - mm: larger stack guard gap, between vmas (Hugh Dickins)  [Orabug: 
    26326145]  {CVE-2017-1000364}
    - nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) 
    [Orabug: 26366024]  {CVE-2017-7645}
    - dm mpath: allow ioctls to trigger pg init (Mikulas Patocka)  [Orabug: 
    25645229]
    - xen/manage: Always freeze/thaw processes when suspend/resuming (Ross 
    Lagerwall)  [Orabug: 25795530]
    - lpfc cannot establish connection with targets that send PRLI under P2P 
    mode (Joe Jin)  [Orabug: 25955028]"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-December/007409.html"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'AF_PACKET packet_set_ring Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/11");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2014-9710", "CVE-2015-1465", "CVE-2015-2686", "CVE-2015-4167", "CVE-2016-10044", "CVE-2016-10200", "CVE-2016-9604", "CVE-2016-9685", "CVE-2017-1000111", "CVE-2017-1000251", "CVE-2017-1000253", "CVE-2017-1000363", "CVE-2017-1000364", "CVE-2017-1000365", "CVE-2017-1000380", "CVE-2017-10661", "CVE-2017-11176", "CVE-2017-11473", "CVE-2017-12134", "CVE-2017-12190", "CVE-2017-14489", "CVE-2017-2671", "CVE-2017-7273", "CVE-2017-7308", "CVE-2017-7542", "CVE-2017-7645", "CVE-2017-7889", "CVE-2017-8831", "CVE-2017-9074", "CVE-2017-9075", "CVE-2017-9077", "CVE-2017-9242");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2017-3658");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "2.6";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-2.6.39-400.298.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-debug-2.6.39-400.298.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-debug-devel-2.6.39-400.298.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-devel-2.6.39-400.298.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-doc-2.6.39-400.298.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-2.6.39") && rpm_check(release:"EL6", reference:"kernel-uek-firmware-2.6.39-400.298.1.el6uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1026.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.(CVE-2017-16939) - The bio_map_user_iov and bio_unmap_user functions in block/bio.c in the Linux kernel before 4.13.8 do unbalanced refcounting when a SCSI I/O vector has small consecutive buffers belonging to the same page. The bio_add_pc_page function merges them into one, but the page reference is never dropped. This causes a memory leak and possible system lockup (exploitable against the host OS by a guest OS user, if a SCSI disk is passed through to a virtual machine) due to an out-of-memory condition.(CVE-2017-12190) - The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.(CVE-2017-12193) - The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket.(CVE-2017-7542) - The bnep_add_connection function in net/bluetooth/bnep/core.c in the Linux kernel before 3.19 does not ensure that an l2cap socket is available, which allows local users to gain privileges via a crafted application.(CVE-2017-15868) - The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.(CVE-2017-8824) - net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.(CVE-2017-17448) - The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system.(CVE-2017-17449) - net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces.(CVE-2017-17450) - The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-17558) - The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.(CVE-2017-17805) - The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization.(CVE-2017-17806) - he KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current task
    last seen2020-06-10
    modified2018-01-19
    plugin id106167
    published2018-01-19
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106167
    titleEulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1026)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106167);
      script_version("3.63");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/23");
    
      script_cve_id(
        "CVE-2017-1000407",
        "CVE-2017-12190",
        "CVE-2017-12193",
        "CVE-2017-15868",
        "CVE-2017-16939",
        "CVE-2017-17448",
        "CVE-2017-17449",
        "CVE-2017-17450",
        "CVE-2017-17558",
        "CVE-2017-17805",
        "CVE-2017-17806",
        "CVE-2017-17807",
        "CVE-2017-7542",
        "CVE-2017-8824"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1026)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - The XFRM dump policy implementation in
        net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11
        allows local users to gain privileges or cause a denial
        of service (use-after-free) via a crafted SO_RCVBUF
        setsockopt system call in conjunction with
        XFRM_MSG_GETPOLICY Netlink messages.(CVE-2017-16939)
    
      - The bio_map_user_iov and bio_unmap_user functions in
        block/bio.c in the Linux kernel before 4.13.8 do
        unbalanced refcounting when a SCSI I/O vector has small
        consecutive buffers belonging to the same page. The
        bio_add_pc_page function merges them into one, but the
        page reference is never dropped. This causes a memory
        leak and possible system lockup (exploitable against
        the host OS by a guest OS user, if a SCSI disk is
        passed through to a virtual machine) due to an
        out-of-memory condition.(CVE-2017-12190)
    
      - The assoc_array_insert_into_terminal_node function in
        lib/assoc_array.c in the Linux kernel before 4.13.11
        mishandles node splitting, which allows local users to
        cause a denial of service (NULL pointer dereference and
        panic) via a crafted application, as demonstrated by
        the keyring key type, and key addition and link
        creation operations.(CVE-2017-12193)
    
      - The ip6_find_1stfragopt function in
        net/ipv6/output_core.c in the Linux kernel through
        4.12.3 allows local users to cause a denial of service
        (integer overflow and infinite loop) by leveraging the
        ability to open a raw socket.(CVE-2017-7542)
    
      - The bnep_add_connection function in
        net/bluetooth/bnep/core.c in the Linux kernel before
        3.19 does not ensure that an l2cap socket is available,
        which allows local users to gain privileges via a
        crafted application.(CVE-2017-15868)
    
      - The dccp_disconnect function in net/dccp/proto.c in the
        Linux kernel through 4.14.3 allows local users to gain
        privileges or cause a denial of service
        (use-after-free) via an AF_UNSPEC connect system call
        during the DCCP_LISTEN state.(CVE-2017-8824)
    
      - net/netfilter/nfnetlink_cthelper.c in the Linux kernel
        through 4.14.4 does not require the CAP_NET_ADMIN
        capability for new, get, and del operations, which
        allows local users to bypass intended access
        restrictions because the nfnl_cthelper_list data
        structure is shared across all net
        namespaces.(CVE-2017-17448)
    
      - The __netlink_deliver_tap_skb function in
        net/netlink/af_netlink.c in the Linux kernel through
        4.14.4, when CONFIG_NLMON is enabled, does not restrict
        observations of Netlink messages to a single net
        namespace, which allows local users to obtain sensitive
        information by leveraging the CAP_NET_ADMIN capability
        to sniff an nlmon interface for all Netlink activity on
        the system.(CVE-2017-17449)
    
      - net/netfilter/xt_osf.c in the Linux kernel through
        4.14.4 does not require the CAP_NET_ADMIN capability
        for add_callback and remove_callback operations, which
        allows local users to bypass intended access
        restrictions because the xt_osf_fingers data structure
        is shared across all net namespaces.(CVE-2017-17450)
    
      - The usb_destroy_configuration function in
        drivers/usb/core/config.c in the USB core subsystem in
        the Linux kernel through 4.14.5 does not consider the
        maximum number of configurations and interfaces before
        attempting to release resources, which allows local
        users to cause a denial of service (out-of-bounds write
        access) or possibly have unspecified other impact via a
        crafted USB device.(CVE-2017-17558)
    
      - The Salsa20 encryption algorithm in the Linux kernel
        before 4.14.8 does not correctly handle zero-length
        inputs, allowing a local attacker able to use the
        AF_ALG-based skcipher interface
        (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of
        service (uninitialized-memory free and kernel crash) or
        have unspecified other impact by executing a crafted
        sequence of system calls that use the blkcipher_walk
        API. Both the generic implementation
        (crypto/salsa20_generic.c) and x86 implementation
        (arch/x86/crypto/salsa20_glue.c) of Salsa20 were
        vulnerable.(CVE-2017-17805)
    
      - The HMAC implementation (crypto/hmac.c) in the Linux
        kernel before 4.14.8 does not validate that the
        underlying cryptographic hash algorithm is unkeyed,
        allowing a local attacker able to use the AF_ALG-based
        hash interface (CONFIG_CRYPTO_USER_API_HASH) and the
        SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a
        kernel stack buffer overflow by executing a crafted
        sequence of system calls that encounter a missing SHA-3
        initialization.(CVE-2017-17806)
    
      - he KEYS subsystem in the Linux kernel before 4.14.6
        omitted an access-control check when adding a key to
        the current task's 'default request-key keyring' via
        the request_key() system call, allowing a local user to
        use a sequence of crafted system calls to add keys to a
        keyring with only Search permission (not Write
        permission) to that keyring, related to
        construct_get_dest_keyring() in
        security/keys/request_key.c.(CVE-2017-17807)
    
      - The Linux Kernel 2.6.32 and later are affected by a
        denial of service, by flooding the diagnostic port 0x80
        an exception can be triggered leading to a kernel
        panic.(CVE-2017-1000407)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1026
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eab3a3ba");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/19");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-327.59.59.46.h49",
            "kernel-debug-3.10.0-327.59.59.46.h49",
            "kernel-debug-devel-3.10.0-327.59.59.46.h49",
            "kernel-debuginfo-3.10.0-327.59.59.46.h49",
            "kernel-debuginfo-common-x86_64-3.10.0-327.59.59.46.h49",
            "kernel-devel-3.10.0-327.59.59.46.h49",
            "kernel-headers-3.10.0-327.59.59.46.h49",
            "kernel-tools-3.10.0-327.59.59.46.h49",
            "kernel-tools-libs-3.10.0-327.59.59.46.h49",
            "perf-3.10.0-327.59.59.46.h49",
            "python-perf-3.10.0-327.59.59.46.h49"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2918.NASL
    descriptionAn update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id104090
    published2017-10-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104090
    titleRHEL 6 : MRG (RHSA-2017:2918)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:2918. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104090);
      script_version("3.12");
      script_cvs_date("Date: 2019/10/24 15:35:43");
    
      script_cve_id("CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-11176", "CVE-2017-14106", "CVE-2017-14340", "CVE-2017-7184", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-7558");
      script_xref(name:"RHSA", value:"2017:2918");
    
      script_name(english:"RHEL 6 : MRG (RHSA-2017:2918)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel-rt is now available for Red Hat Enterprise MRG 2.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel-rt packages provide the Real Time Linux Kernel, which
    enables fine-tuning for systems with extremely high determinism
    requirements.
    
    Security Fix(es) :
    
    * Out-of-bounds kernel heap access vulnerability was found in xfrm,
    kernel's IP framework for transforming packets. An error dealing with
    netlink messages from an unprivileged user leads to arbitrary
    read/write and privilege escalation. (CVE-2017-7184, Important)
    
    * A race condition issue leading to a use-after-free flaw was found in
    the way the raw packet sockets are implemented in the Linux kernel
    networking subsystem handling synchronization. A local user able to
    open a raw packet socket (requires the CAP_NET_RAW capability) could
    use this flaw to elevate their privileges on the system.
    (CVE-2017-1000111, Important)
    
    * An exploitable memory corruption flaw was found in the Linux kernel.
    The append path can be erroneously switched from UFO to non-UFO in
    ip_ufo_append_data() when building an UFO packet with MSG_MORE option.
    If unprivileged user namespaces are available, this flaw can be
    exploited to gain root privileges. (CVE-2017-1000112, Important)
    
    * Kernel memory corruption due to a buffer overflow was found in
    brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to
    v4.13-rc1. The vulnerability can be triggered by sending a crafted
    NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be
    triggered remotely as certain userspace code is needed for this. An
    unprivileged local user could use this flaw to induce kernel memory
    corruption on the system, leading to a crash. Due to the nature of the
    flaw, privilege escalation cannot be fully ruled out, although it is
    unlikely. (CVE-2017-7541, Moderate)
    
    * An integer overflow vulnerability in ip6_find_1stfragopt() function
    was found. A local attacker that has privileges (of CAP_NET_RAW) to
    open raw socket can cause an infinite loop inside the
    ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)
    
    * A kernel data leak due to an out-of-bound read was found in the
    Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and
    sctp_get_sctp_info() functions present since version 4.7-rc1 through
    version 4.13. A data leak happens when these functions fill in
    sockaddr data structures used to export socket's diagnostic
    information. As a result, up to 100 bytes of the slab data could be
    leaked to a userspace. (CVE-2017-7558, Moderate)
    
    * The mq_notify function in the Linux kernel through 4.11.9 does not
    set the sock pointer to NULL upon entry into the retry logic. During a
    user-space close of a Netlink socket, it allows attackers to possibly
    cause a situation where a value may be used after being freed
    (use-after-free) which may lead to memory corruption or other
    unspecified other impact. (CVE-2017-11176, Moderate)
    
    * A divide-by-zero vulnerability was found in the __tcp_select_window
    function in the Linux kernel. This can result in a kernel panic
    causing a local denial of service. (CVE-2017-14106, Moderate)
    
    * A flaw was found where the XFS filesystem code mishandles a
    user-settable inode flag in the Linux kernel prior to 4.14-rc1. This
    can cause a local denial of service via a kernel panic.
    (CVE-2017-14340, Moderate)
    
    Red Hat would like to thank Chaitin Security Research Lab for
    reporting CVE-2017-7184; Willem de Bruijn for reporting
    CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112.
    The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat) and
    the CVE-2017-14340 issue was discovered by Dave Chinner (Red Hat).
    
    Bug Fix(es) :
    
    * kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source
    tree, which provides number of bug fixes over the previous version.
    (BZ#1489085)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2017:2918"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-1000111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-1000112"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-11176"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-14106"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-14340"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7184"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7541"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7542"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7558"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-11176", "CVE-2017-14106", "CVE-2017-14340", "CVE-2017-7184", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-7558");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2017:2918");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2017:2918";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL6", rpm:"mrg-release"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "MRG");
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debug-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debug-debuginfo-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debug-devel-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debuginfo-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debuginfo-common-x86_64-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-devel-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"kernel-rt-doc-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"kernel-rt-firmware-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-trace-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-trace-debuginfo-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-trace-devel-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-vanilla-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-vanilla-debuginfo-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-vanilla-devel-3.10.0-693.5.2.rt56.592.el6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc");
      }
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0169.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * The IPv6 fragmentation implementation in the Linux kernel does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9074, Moderate) * A use-after-free flaw was found in the Netlink functionality of the Linux kernel networking subsystem. Due to the insufficient cleanup in the mq_notify function, a local attacker could potentially use this flaw to escalate their privileges on the system. (CVE-2017-11176, Moderate) Bug Fix(es) : * Previously, the default timeout and retry settings in the VMBus driver were insufficient in some cases, for example when a Hyper-V host was under a significant load. Consequently, in Windows Server 2016, Hyper-V Server 2016, and Windows Azure Platform, when running a Red Hat Enterprise Linux Guest on the Hyper-V hypervisor, the guest failed to boot or booted with certain Hyper-V devices missing. This update alters the timeout and retry settings in VMBus, and Red Hat Enterprise Linux guests now boot as expected under the described conditions. (BZ#1506145) * Previously, an incorrect external declaration in the be2iscsi driver caused a kernel panic when using the systool utility. With this update, the external declaration in be2iscsi has been fixed, and the kernel no longer panics when using systool. (BZ#1507512) * Under high usage of the NFSD file system and memory pressure, if many tasks in the Linux kernel attempted to obtain the global spinlock to clean the Duplicate Reply Cache (DRC), these tasks stayed in an active wait in the nfsd_reply_cache_shrink() function for up to 99% of time. Consequently, a high load average occurred. This update fixes the bug by separating the DRC in several parts, each with an independent spinlock. As a result, the load and CPU utilization is no longer excessive under the described circumstances. (BZ#1509876) * When attempting to attach multiple SCSI devices simultaneously, Red Hat Enterprise Linux 6.9 on IBM z Systems sometimes became unresponsive. This update fixes the zfcp device driver, and attaching multiple SCSI devices simultaneously now works as expected in the described scenario. (BZ# 1512425) * On IBM z Systems, the tiqdio_call_inq_handlers() function in the Linux kernel incorrectly cleared the device state change indicator (DSCI) for the af_iucv devices using the HiperSockets transport with multiple input queues. Consequently, queue stalls on such devices occasionally occurred. With this update, tiqdio_call_inq_handlers() has been fixed to clear the DSCI only once, prior to scanning the queues. As a result, queue stalls for af_iucv devices using the HiperSockets transport no longer occur under the described circumstances. (BZ#1513314) * Previously, small data chunks caused the Stream Control Transmission Protocol (SCTP) to account the receiver_window (rwnd) values incorrectly when recovering from a
    last seen2020-06-01
    modified2020-06-02
    plugin id106334
    published2018-01-25
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106334
    titleRHEL 6 : kernel (RHSA-2018:0169)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3927.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2017-7346 Li Qiang discovered that the DRM driver for VMware virtual GPUs does not properly check user-controlled values in the vmw_surface_define_ioctl() functions for upper limits. A local user can take advantage of this flaw to cause a denial of service. - CVE-2017-7482 Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does not properly verify metadata, leading to information disclosure, denial of service or potentially execution of arbitrary code. - CVE-2017-7533 Fan Wu and Shixiong Zhao discovered a race condition between inotify events and VFS rename operations allowing an unprivileged local attacker to cause a denial of service or escalate privileges. - CVE-2017-7541 A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN driver could allow a local user to cause kernel memory corruption, leading to a denial of service or potentially privilege escalation. - CVE-2017-7542 An integer overflow vulnerability in the ip6_find_1stfragopt() function was found allowing a local attacker with privileges to open raw sockets to cause a denial of service. - CVE-2017-9605 Murray McAllister discovered that the DRM driver for VMware virtual GPUs does not properly initialize memory, potentially allowing a local attacker to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call. - CVE-2017-10810 Li Qiang discovered a memory leak flaw within the VirtIO GPU driver resulting in denial of service (memory consumption). - CVE-2017-10911 / XSA-216 Anthony Perard of Citrix discovered an information leak flaw in Xen blkif response handling, allowing a malicious unprivileged guest to obtain sensitive information from the host or other guests. - CVE-2017-11176 It was discovered that the mq_notify() function does not set the sock pointer to NULL upon entry into the retry logic. An attacker can take advantage of this flaw during a user-space close of a Netlink socket to cause a denial of service or potentially cause other impact. - CVE-2017-1000365 It was discovered that argument and environment pointers are not taken properly into account to the imposed size restrictions on arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of this flaw in conjunction with other flaws to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id102211
    published2017-08-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102211
    titleDebian DSA-3927-1 : linux - security update (Stack Clash)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0167.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id104453
    published2017-11-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104453
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0167)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-39B5FACDA0.NASL
    descriptionThe 4.11.12 update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-27
    plugin id101992
    published2017-07-27
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101992
    titleFedora 25 : kernel (2017-39b5facda0)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0174.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0174 for details.
    last seen2020-06-05
    modified2017-12-14
    plugin id105248
    published2017-12-14
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105248
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0174) (BlueBorne) (Dirty COW) (Stack Clash)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3635.NASL
    descriptionDescription of changes: [4.1.12-103.9.2.el7uek] - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id104369
    published2017-11-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104369
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3635)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL84024430.NASL
    descriptionThe ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket. (CVE-2017-7542) Impact This vulnerability allowsdisruption of service.
    last seen2020-03-17
    modified2018-11-02
    plugin id118701
    published2018-11-02
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118701
    titleF5 Networks BIG-IP : Linux kernel vulnerability (K84024430)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2525-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP3 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-5243: The tipc_nl_compat_link_dump function in net/tipc/netlink_compat.c in the Linux kernel did not properly copy a certain string, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#983212) - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c (bnc#1028415) - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in keyring.c (bsc#1030593). - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux kernel was too late in obtaining a certain lock and consequently could not ensure that disconnect function calls are safe, which allowed local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003) - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel did not restrict the address calculated by a certain rounding operation, which allowed local users to map page zero, and consequently bypass a protection mechanism that exists for the mmap system call, by making crafted shmget and shmat system calls in a privileged context (bnc#1026914) - CVE-2017-5970: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a denial of service (system crash) via (1) an application that made crafted system calls or possibly (2) IPv4 traffic with invalid IP options (bsc#1024938) - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel allowed local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state (bsc#1025235) - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allowed local users to obtain root privileges or cause a denial of service (double free) via an application that made an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024) - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel allowed remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag (bnc#1026722) - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the Linux kernel improperly managed lock dropping, which allowed local users to cause a denial of service (deadlock) via crafted operations on IrDA devices (bnc#1027178) - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly restrict association peel-off operations during certain wait states, which allowed local users to cause a denial of service (invalid unlock and double free) via a multithreaded application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2017-5986 (bnc#1027066) - CVE-2017-6951: The keyring_search_aux function in security/keys/keyring.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a request_key system call for the
    last seen2020-06-01
    modified2020-06-02
    plugin id103354
    published2017-09-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103354
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2017:2525-1) (Stack Clash)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2930.NASL
    descriptionFrom Red Hat Security Advisory 2017:2930 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id104001
    published2017-10-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104001
    titleOracle Linux 7 : kernel (ELSA-2017-2930)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2286-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.82 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000111: Fixed a race condition in net-packet code that could be exploited to cause out-of-bounds memory access (bsc#1052365). - CVE-2017-1000112: Fixed a race condition in net-packet code that could have been exploited by unprivileged users to gain root access. (bsc#1052311). - CVE-2017-8831: The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id102838
    published2017-08-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102838
    titleSUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2286-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180125_KERNEL_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) - The IPv6 fragmentation implementation in the Linux kernel does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9074, Moderate) - A use-after-free flaw was found in the Netlink functionality of the Linux kernel networking subsystem. Due to the insufficient cleanup in the mq_notify function, a local attacker could potentially use this flaw to escalate their privileges on the system. (CVE-2017-11176, Moderate) Bug Fix(es) : - Previously, the default timeout and retry settings in the VMBus driver were insufficient in some cases, for example when a Hyper-V host was under a significant load. Consequently, in Windows Server 2016, Hyper-V Server 2016, and Windows Azure Platform, when running a Scientific Linux Guest on the Hyper-V hypervisor, the guest failed to boot or booted with certain Hyper-V devices missing. This update alters the timeout and retry settings in VMBus, and Scientific Linux guests now boot as expected under the described conditions. - Previously, an incorrect external declaration in the be2iscsi driver caused a kernel panic when using the systool utility. With this update, the external declaration in be2iscsi has been fixed, and the kernel no longer panics when using systool. - Under high usage of the NFSD file system and memory pressure, if many tasks in the Linux kernel attempted to obtain the global spinlock to clean the Duplicate Reply Cache (DRC), these tasks stayed in an active wait in the nfsd_reply_cache_shrink() function for up to 99% of time. Consequently, a high load average occurred. This update fixes the bug by separating the DRC in several parts, each with an independent spinlock. As a result, the load and CPU utilization is no longer excessive under the described circumstances. - When attempting to attach multiple SCSI devices simultaneously, Scientific Linux 6.9 on IBM z Systems sometimes became unresponsive. This update fixes the zfcp device driver, and attaching multiple SCSI devices simultaneously now works as expected in the described scenario. - On IBM z Systems, the tiqdio_call_inq_handlers() function in the Linux kernel incorrectly cleared the device state change indicator (DSCI) for the af_iucv devices using the HiperSockets transport with multiple input queues. Consequently, queue stalls on such devices occasionally occurred. With this update, tiqdio_call_inq_handlers() has been fixed to clear the DSCI only once, prior to scanning the queues. As a result, queue stalls for af_iucv devices using the HiperSockets transport no longer occur under the described circumstances. - Previously, small data chunks caused the Stream Control Transmission Protocol (SCTP) to account the receiver_window (rwnd) values incorrectly when recovering from a
    last seen2020-03-18
    modified2018-01-26
    plugin id106369
    published2018-01-26
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106369
    titleScientific Linux Security Update : kernel on SL6.x i386/x86_64 (20180125)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-544EEF948F.NASL
    descriptionThe 4.11.12 update contains a number of important fixes across the tree. ---- The 4.11.11 update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-27
    plugin id101994
    published2017-07-27
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101994
    titleFedora 24 : kernel (2017-544eef948f)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3631.NASL
    descriptionDescription of changes: [4.1.12-103.7.4.el7uek] - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011255] {CVE-2017-7542} - udp: consistently apply ufo or fragmentation (Willem de Bruijn) [Orabug: 26921320] {CVE-2017-1000112}
    last seen2020-06-01
    modified2020-06-02
    plugin id104167
    published2017-10-26
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104167
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3631)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-870.NASL
    descriptionBuffer overflow in mp_override_legacy_irq() : Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 4.12.2 allows local users to gain privileges via a crafted ACPI table. (CVE-2017-11473) A race between inotify_handle_event() and sys_rename() : A race condition was found in the Linux kernel, present since v3.14-rc1 through v4.12. The race happens between threads of inotify_handle_event() and vfs_rename() while running the rename operation against the same file. As a result of the race the next slab data or the slab
    last seen2020-06-01
    modified2020-06-02
    plugin id102544
    published2017-08-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102544
    titleAmazon Linux AMI : kernel (ALAS-2017-870)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1099.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-7482 Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does not properly verify metadata, leading to information disclosure, denial of service or potentially execution of arbitrary code. CVE-2017-7542 An integer overflow vulnerability in the ip6_find_1stfragopt() function was found allowing a local attacker with privileges to open raw sockets to cause a denial of service. CVE-2017-7889 Tommi Rantala and Brad Spengler reported that the mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, allowing a local attacker with access to /dev/mem to obtain sensitive information or potentially execute arbitrary code. CVE-2017-10661 Dmitry Vyukov of Google reported that the timerfd facility does not properly handle certain concurrent operations on a single file descriptor. This allows a local attacker to cause a denial of service or potentially to execute arbitrary code. CVE-2017-10911 / XSA-216 Anthony Perard of Citrix discovered an information leak flaw in Xen blkif response handling, allowing a malicious unprivileged guest to obtain sensitive information from the host or other guests. CVE-2017-11176 It was discovered that the mq_notify() function does not set the sock pointer to NULL upon entry into the retry logic. An attacker can take advantage of this flaw during a userspace close of a Netlink socket to cause a denial of service or potentially cause other impact. CVE-2017-11600 bo Zhang reported that the xfrm subsystem does not properly validate one of the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability can use this to cause a denial of service or potentially to execute arbitrary code. CVE-2017-12134 / #866511 / XSA-229 Jan H. Sch&ouml;nherr of Amazon discovered that when Linux is running in a Xen PV domain on an x86 system, it may incorrectly merge block I/O requests. A buggy or malicious guest may trigger this bug in dom0 or a PV driver domain, causing a denial of service or potentially execution of arbitrary code. This issue can be mitigated by disabling merges on the underlying back-end block devices, e.g.: echo 2 > /sys/block/nvme0n1/queue/nomerges CVE-2017-12153 bo Zhang reported that the cfg80211 (wifi) subsystem does not properly validate the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability on a system with a wifi device can use this to cause a denial of service. CVE-2017-12154 Jim Mattson of Google reported that the KVM implementation for Intel x86 processors did not correctly handle certain nested hypervisor configurations. A malicious guest (or nested guest in a suitable L1 hypervisor) could use this for denial of service. CVE-2017-14106 Andrey Konovalov of Google reported that a specific sequence of operations on a TCP socket could lead to division by zero. A local user could use this for denial of service. CVE-2017-14140 Otto Ebeling reported that the move_pages() system call permitted users to discover the memory layout of a set-UID process running under their real user-ID. This made it easier for local users to exploit vulnerabilities in programs installed with the set-UID permission bit set. CVE-2017-14156
    last seen2020-03-17
    modified2017-09-21
    plugin id103363
    published2017-09-21
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103363
    titleDebian DLA-1099-1 : linux security update (BlueBorne) (Stack Clash)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-891.NASL
    descriptionThe openSUSE Leap 42.2 kernel was updated to 4.4.79 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bnc#1049483). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). - CVE-2017-10810: Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering object-initialization failures (bnc#1047277). The following non-security bugs were fixed : - acpi / processor: Avoid reserving IO regions too early (bsc#1051478). - af_key: Add lock to key dump (bsc#1047653). - af_key: Fix slab-out-of-bounds in pfkey_compile_policy (bsc#1047354). - alsa: fm801: Initialize chip after IRQ handler is registered (bsc#1031717). - alsa: hda - Fix endless loop of codec configure (bsc#1031717). - alsa: hda - set input_path bitmap to zero after moving it to new place (bsc#1031717). - b43: Add missing MODULE_FIRMWARE() (bsc#1037344). - bcache: force trigger gc (bsc#1038078). - bcache: only recovery I/O error for writethrough mode (bsc#1043652). - bdi: Fix use-after-free in wb_congested_put() (bsc#1040307). - blacklist 2400fd822f46 powerpc/asm: Mark cr0 as clobbered in mftb() - blacklist.conf : - blacklist.conf: 1151f838cb62 is high-risk and we
    last seen2020-06-05
    modified2017-08-10
    plugin id102333
    published2017-08-10
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102333
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2017-891)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2931.NASL
    descriptionAn update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id104004
    published2017-10-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104004
    titleRHEL 7 : kernel-rt (RHSA-2017:2931)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0163.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011255] (CVE-2017-7542) - udp: consistently apply ufo or fragmentation (Willem de Bruijn) [Orabug: 26921320] (CVE-2017-1000112)
    last seen2020-06-01
    modified2020-06-02
    plugin id104202
    published2017-10-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104202
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0163)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZA-2017-076.NASL
    descriptionAccording to the versions of the parallels-server-bm-release / vzkernel / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. - Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allows local users to gain privileges or cause a denial of service (list corruption or use-after-free) via simultaneous file-descriptor operations that leverage improper might_cancel queueing. - A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. - Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be triggered remotely as certain userspace code is needed for this. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. - The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use after free) which may lead to memory corruption or other unspecified other impact. - The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102922
    published2017-09-05
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102922
    titleVirtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-076)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0035.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0035 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id109158
    published2018-04-19
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109158
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0035) (Dirty COW) (Meltdown) (Spectre)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20171019_KERNEL_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel
    last seen2020-03-18
    modified2017-10-20
    plugin id104008
    published2017-10-20
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104008
    titleScientific Linux Security Update : kernel on SL7.x x86_64 (20171019)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-4071.NASL
    descriptionThe remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen2020-06-01
    modified2020-06-02
    plugin id109156
    published2018-04-19
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109156
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4071) (Dirty COW) (Meltdown) (Spectre)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3945.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2014-9940 A use-after-free flaw in the voltage and current regulator driver could allow a local user to cause a denial of service or potentially escalate privileges. - CVE-2017-7346 Li Qiang discovered that the DRM driver for VMware virtual GPUs does not properly check user-controlled values in the vmw_surface_define_ioctl() functions for upper limits. A local user can take advantage of this flaw to cause a denial of service. - CVE-2017-7482 Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does not properly verify metadata, leading to information disclosure, denial of service or potentially execution of arbitrary code. - CVE-2017-7533 Fan Wu and Shixiong Zhao discovered a race condition between inotify events and VFS rename operations allowing an unprivileged local attacker to cause a denial of service or escalate privileges. - CVE-2017-7541 A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN driver could allow a local user to cause kernel memory corruption, leading to a denial of service or potentially privilege escalation. - CVE-2017-7542 An integer overflow vulnerability in the ip6_find_1stfragopt() function was found allowing a local attacker with privileges to open raw sockets to cause a denial of service. - CVE-2017-7889 Tommi Rantala and Brad Spengler reported that the mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, allowing a local attacker with access to /dev/mem to obtain sensitive information or potentially execute arbitrary code. - CVE-2017-9605 Murray McAllister discovered that the DRM driver for VMware virtual GPUs does not properly initialize memory, potentially allowing a local attacker to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call. - CVE-2017-10911 / XSA-216 Anthony Perard of Citrix discovered an information leak flaw in Xen blkif response handling, allowing a malicious unprivileged guest to obtain sensitive information from the host or other guests. - CVE-2017-11176 It was discovered that the mq_notify() function does not set the sock pointer to NULL upon entry into the retry logic. An attacker can take advantage of this flaw during a userspace close of a Netlink socket to cause a denial of service or potentially cause other impact. - CVE-2017-1000363 Roee Hay reported that the lp driver does not properly bounds-check passed arguments, allowing a local attacker with write access to the kernel command line arguments to execute arbitrary code. - CVE-2017-1000365 It was discovered that argument and environment pointers are not taken properly into account to the imposed size restrictions on arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of this flaw in conjunction with other flaws to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id102550
    published2017-08-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102550
    titleDebian DSA-3945-1 : linux - security update (Stack Clash)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3633.NASL
    descriptionDescription of changes: [2.6.39-400.297.11.el6uek] - mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug: 26643562] {CVE-2017-11176} - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011278] {CVE-2017-7542} - packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002453] {CVE-2017-1000111} [2.6.39-400.297.10.el6uek] - mlx4_core: calculate log_mtt based on total system memory (Wei Lin Guay) [Orabug: 26867355] - xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky) [Orabug: 26867355]
    last seen2020-06-01
    modified2020-06-02
    plugin id104169
    published2017-10-26
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104169
    titleOracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3633)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZA-2017-067.NASL
    descriptionAccording to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - A vulnerability was found in the handling of xfrm Netlink messages. A privileged user inside a container could cause a denial of service (kernel crash) by sending a crafted Netlink message with type XFRM_MSG_MIGRATE to the kernel. - Integer overflow vulnerability in ip6_find_1stfragopt() function was found. Local attacker that has privileges to open raw sockets can cause infinite loop inside ip6_find_1stfragopt() function. - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102205
    published2017-08-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102205
    titleVirtuozzo 7 : readykernel-patch (VZA-2017-067)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0173.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - tty: Fix race in pty_write leading to NULL deref (Todd Vierling) - ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei) [Orabug: 26479780] - KEYS: fix dereferencing NULL payload with nonzero length (Eric Biggers) [Orabug: 26592025] - oracleasm: Copy the integrity descriptor (Martin K. Petersen) - mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook) [Orabug: 26675925] (CVE-2017-7889) - xscore: add dma address check (Zhu Yanjun) [Orabug: 27058468] - more bio_map_user_iov leak fixes (Al Viro) [Orabug: 27069042] (CVE-2017-12190) - fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh) [Orabug: 27069042] (CVE-2017-12190) - nvme: Drop nvmeq->q_lock before dma_pool_alloc, so as to prevent hard lockups (Aruna Ramakrishna) [Orabug: 25409587] - nvme: Handle PM1725 HIL reset (Martin K. Petersen) [Orabug: 26277600] - char: lp: fix possible integer overflow in lp_setup (Willy Tarreau) [Orabug: 26403940] (CVE-2017-1000363) - ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug: 26403956] (CVE-2017-1000380) - ALSA: timer: Fix race between read and ioctl (Takashi Iwai) [Orabug: 26403956] (CVE-2017-1000380) - ALSA: timer: fix NULL pointer dereference in read/ioctl race (Vegard Nossum) [Orabug: 26403956] (CVE-2017-1000380) - ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403956] (CVE-2017-1000380) - ALSA: timer: Fix race at concurrent reads (Takashi Iwai) [Orabug: 26403956] (CVE-2017-1000380) - ALSA: timer: Fix race among timer ioctls (Takashi Iwai) [Orabug: 26403956] (CVE-2017-1000380) - ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404005] (CVE-2017-9077) - ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren) [Orabug: 26427126] - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren) [Orabug: 26427126] - ping: implement proper locking (Eric Dumazet) [Orabug: 26540286] (CVE-2017-2671) - aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643598] (CVE-2016-10044) - vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman) [Orabug: 26643598] (CVE-2016-10044) - vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643598] (CVE-2016-10044) - x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han) [Orabug: 26643645] (CVE-2017-11473) - sctp: do not inherit ipv6_[mc|ac|fl]_list from parent (Eric Dumazet) [Orabug: 26650883] (CVE-2017-9075) - [media] saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675142] (CVE-2017-8831) - [media] saa7164: fix sparse warnings (Hans Verkuil) [Orabug: 26675142] (CVE-2017-8831) - fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das) [Orabug: 26797306] - timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899787] (CVE-2017-10661) - scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn
    last seen2020-06-05
    modified2017-12-11
    plugin id105147
    published2017-12-11
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105147
    titleOracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0173) (BlueBorne) (Stack Clash)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-0169.NASL
    descriptionFrom Red Hat Security Advisory 2018:0169 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate) * The IPv6 fragmentation implementation in the Linux kernel does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-9074, Moderate) * A use-after-free flaw was found in the Netlink functionality of the Linux kernel networking subsystem. Due to the insufficient cleanup in the mq_notify function, a local attacker could potentially use this flaw to escalate their privileges on the system. (CVE-2017-11176, Moderate) Bug Fix(es) : * Previously, the default timeout and retry settings in the VMBus driver were insufficient in some cases, for example when a Hyper-V host was under a significant load. Consequently, in Windows Server 2016, Hyper-V Server 2016, and Windows Azure Platform, when running a Red Hat Enterprise Linux Guest on the Hyper-V hypervisor, the guest failed to boot or booted with certain Hyper-V devices missing. This update alters the timeout and retry settings in VMBus, and Red Hat Enterprise Linux guests now boot as expected under the described conditions. (BZ#1506145) * Previously, an incorrect external declaration in the be2iscsi driver caused a kernel panic when using the systool utility. With this update, the external declaration in be2iscsi has been fixed, and the kernel no longer panics when using systool. (BZ#1507512) * Under high usage of the NFSD file system and memory pressure, if many tasks in the Linux kernel attempted to obtain the global spinlock to clean the Duplicate Reply Cache (DRC), these tasks stayed in an active wait in the nfsd_reply_cache_shrink() function for up to 99% of time. Consequently, a high load average occurred. This update fixes the bug by separating the DRC in several parts, each with an independent spinlock. As a result, the load and CPU utilization is no longer excessive under the described circumstances. (BZ#1509876) * When attempting to attach multiple SCSI devices simultaneously, Red Hat Enterprise Linux 6.9 on IBM z Systems sometimes became unresponsive. This update fixes the zfcp device driver, and attaching multiple SCSI devices simultaneously now works as expected in the described scenario. (BZ# 1512425) * On IBM z Systems, the tiqdio_call_inq_handlers() function in the Linux kernel incorrectly cleared the device state change indicator (DSCI) for the af_iucv devices using the HiperSockets transport with multiple input queues. Consequently, queue stalls on such devices occasionally occurred. With this update, tiqdio_call_inq_handlers() has been fixed to clear the DSCI only once, prior to scanning the queues. As a result, queue stalls for af_iucv devices using the HiperSockets transport no longer occur under the described circumstances. (BZ#1513314) * Previously, small data chunks caused the Stream Control Transmission Protocol (SCTP) to account the receiver_window (rwnd) values incorrectly when recovering from a 'zero-window situation'. As a consequence, window updates were not sent to the peer, and an artificial growth of rwnd could lead to packet drops. This update properly accounts such small data chunks and ignores the rwnd pressure values when reopening a window. As a result, window updates are now sent, and the announced rwnd reflects better the real state of the receive buffer. (BZ#1514443) This plugin has been deprecated because Oracle has changed their mind and decided that ELSA-2018-0169 does not fix any security problems.
    last seen2018-02-01
    modified2018-01-31
    plugin id106367
    published2018-01-26
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=106367
    titleOracle Linux 6 : kernel (ELSA-2018-0169) (deprecated)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1504.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A vulnerability was found in the Linux kernel where the keyctl_set_reqkey_keyring() function leaks the thread keyring. This allows an unprivileged local user to exhaust kernel memory and thus cause a DoS.(CVE-2017-7472) - A reference counter leak in Linux kernel in ipxitf_ioctl function was found which results in a use after free vulnerability that
    last seen2020-06-01
    modified2020-06-02
    plugin id124827
    published2019-05-13
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124827
    titleEulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1504)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-2930.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id104106
    published2017-10-24
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104106
    titleCentOS 7 : kernel (CESA-2017:2930)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3632.NASL
    descriptionDescription of changes: kernel-uek [3.8.13-118.19.10.el7uek] - mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug: 26643556] {CVE-2017-11176} [3.8.13-118.19.9.el7uek] - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011273] {CVE-2017-7542} - packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002450] {CVE-2017-1000111} [3.8.13-118.19.8.el7uek] - mlx4_core: calculate log_num_mtt based on total system memory (Wei Lin Guay) [Orabug: 26883934] - xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky) [Orabug: 26883934]
    last seen2020-06-01
    modified2020-06-02
    plugin id104168
    published2017-10-26
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104168
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3632)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZA-2017-069.NASL
    descriptionAccording to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - Integer overflow vulnerability in ip6_find_1stfragopt() function was found. Local attacker that has privileges to open raw sockets can cause infinite loop inside ip6_find_1stfragopt() function. - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102207
    published2017-08-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102207
    titleVirtuozzo 7 : readykernel-patch (VZA-2017-069)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0164.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - mqueue: fix a use-after-free in sys_mq_notify (Cong Wang) [Orabug: 26643556] (CVE-2017-11176) - ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011273] (CVE-2017-7542) - packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002450] (CVE-2017-1000111) - mlx4_core: calculate log_num_mtt based on total system memory (Wei Lin Guay) [Orabug: 26883934] - xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky) [Orabug: 26883934]
    last seen2020-06-01
    modified2020-06-02
    plugin id104203
    published2017-10-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104203
    titleOracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0164)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZA-2017-068.NASL
    descriptionAccording to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - A vulnerability was found in the handling of xfrm Netlink messages. A privileged user inside a container could cause a denial of service (kernel crash) by sending a crafted Netlink message with type XFRM_MSG_MIGRATE to the kernel. - Integer overflow vulnerability in ip6_find_1stfragopt() function was found. Local attacker that has privileges to open raw sockets can cause infinite loop inside ip6_find_1stfragopt() function. - Kernel memory corruption due to a buffer overflow was found in brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to v4.13-rc1. The vulnerability can be triggered by sending a crafted NL80211_CMD_FRAME packet via netlink. An unprivileged local user could use this flaw to induce kernel memory corruption on the system, leading to a crash. Note that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102206
    published2017-08-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102206
    titleVirtuozzo 7 : readykernel-patch (VZA-2017-068)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2869-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.90 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-1000252: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (assertion failure, and hypervisor hang or crash) via an out-of bounds guest_irq value, related to arch/x86/kvm/vmx.c and virt/kvm/eventfd.c (bnc#1058038). - CVE-2017-10810: Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering object-initialization failures (bnc#1047277). - CVE-2017-11472: The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel did not flush the operand cache and causes a kernel stack dump, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table (bnc#1049580). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-12134: The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xen might allow local OS guest users to corrupt block device data streams and consequently obtain sensitive memory information, cause a denial of service, or gain host OS privileges by leveraging incorrect block IO merge-ability calculation (bnc#1051790 bnc#1053919). - CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410). - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the
    last seen2020-06-01
    modified2020-06-02
    plugin id104253
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104253
    titleSUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2869-1) (KRACK)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2930-1.NASL
    descriptionDescription of changes: - [3.10.0-693.5.2.0.1.el7.OL7] - [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377] - Oracle Linux certificates (Alexey Petrenko) - Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(<A HREF=
    last seen2020-06-01
    modified2020-06-02
    plugin id104088
    published2017-10-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104088
    titleOracle Linux 7 : kernel (ELSA-2017-2930-1) (BlueBorne)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2389-1.NASL
    descriptionThe SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-7482: Several missing length checks ticket decode allowing for information leak or potentially code execution (bsc#1046107). - CVE-2016-10277: Potential privilege escalation due to a missing bounds check in the lp driver. A kernel command-line adversary can overflow the parport_nr array to execute code (bsc#1039456). - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bsc#1049882). - CVE-2017-7533: Bug in inotify code allowing privilege escalation (bsc#1049483). - CVE-2017-11176: The mq_notify function in the Linux kernel did not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allowed attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact (bsc#1048275). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-1000365: The Linux Kernel imposed a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354) - CVE-2014-9922: The eCryptfs subsystem in the Linux kernel allowed local users to gain privileges via a large filesystem stack that includes an overlayfs layer, related to fs/ecryptfs/main.c and fs/overlayfs/super.c (bnc#1032340) - CVE-2017-8924: The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to obtain sensitive information (in the dmesg ringbuffer and syslog) from uninitialized kernel memory by using a crafted USB device (posing as an io_ti USB serial device) to trigger an integer underflow (bnc#1038982). - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c in the Linux kernel allowed local users to cause a denial of service (tty exhaustion) by leveraging reference count mishandling (bnc#1038981). - CVE-2017-1000380: sound/core/timer.c was vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents could have bene disclosed when a read and an ioctl happen at the same time (bnc#1044125) - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bnc#1041431) - CVE-2017-1000363: A buffer overflow in kernel commandline handling of the
    last seen2020-06-01
    modified2020-06-02
    plugin id103110
    published2017-09-11
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103110
    titleSUSE SLES11 Security Update : kernel (SUSE-SU-2017:2389-1) (Stack Clash)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0004_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (CVE-2013-2888) - drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap- based out-of-bounds write) via a crafted device. (CVE-2013-2889) - drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap- based out-of-bounds write) via a crafted device. (CVE-2013-2892) - The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application. (CVE-2013-2930) - Use-after-free vulnerability in the vhost_net_set_backend function in drivers/vhost/net.c in the Linux kernel through 3.10.3 allows local users to cause a denial of service (OOPS and system crash) via vectors involving powering on a virtual machine. (CVE-2013-4127) - The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4162) - The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel through 3.10.3 does not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4163) - Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel through 3.11.1 allows local users to gain privileges by leveraging the CAP_NET_ADMIN capability and providing an invalid tuntap interface name in a TUNSETIFF ioctl call. (CVE-2013-4343) - The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation. (CVE-2013-4348) - The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network. (CVE-2013-4350) - net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet. (CVE-2013-4387) - The udp6_ufo_fragment function in net/ipv6/udp_offload.c in the Linux kernel through 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly perform a certain size comparison before inserting a fragment header, which allows remote attackers to cause a denial of service (panic) via a large IPv6 UDP packet, as demonstrated by use of the Token Bucket Filter (TBF) queueing discipline. (CVE-2013-4563) - The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (CVE-2013-4579) - Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value. (CVE-2013-4587) - The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. (CVE-2013-6367) - The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address. (CVE-2013-6368) - The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode. (CVE-2013-6376) - The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation. (CVE-2013-6378) - The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command. (CVE-2013-6380) - Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (CVE-2013-6382) - Multiple race conditions in ipc/shm.c in the Linux kernel before 3.12.2 allow local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted application that uses shmctl IPC_RMID operations in conjunction with other shm system calls. (CVE-2013-7026) - The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7266) - The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7267) - The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7268) - The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7269) - The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7270) - The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7271) - Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data. (CVE-2014-0049) - The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors. (CVE-2014-0055) - The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer. (CVE-2014-0069) - drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions. (CVE-2014-0077) - Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel through 3.13.6 allows remote attackers to cause a denial of service (use-after-free error) or possibly have unspecified other impact via a large series of fragmented ICMP Echo Request packets to a system with a heavy CPU load. (CVE-2014-0100) - A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system. (CVE-2014-0101) - The keyring_detect_cycle_iterator function in security/keys/keyring.c in the Linux kernel through 3.13.6 does not properly determine whether keyrings are identical, which allows local users to cause a denial of service (OOPS) via crafted keyctl commands. (CVE-2014-0102) - Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. (CVE-2014-0131) - The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced. (CVE-2014-0155) - The restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does not clear pending exceptions before proceeding to an EMMS instruction, which allows local users to cause a denial of service (task kill) or possibly gain privileges via a crafted application. (CVE-2014-1438) - The help function in net/netfilter/nf_nat_irc.c in the Linux kernel before 3.12.8 allows remote attackers to obtain sensitive information from kernel memory by establishing an IRC DCC session in which incorrect packet data is transmitted during use of the NAT mangle feature. (CVE-2014-1690) - The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. (CVE-2014-2309) - net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function. (CVE-2014-2523) - It was found that the try_to_unmap_cluster() function in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id127146
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127146
    titleNewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1159.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.(CVE-2017-11176) - The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/ cfg80211.c in the Linux kernel before 4.12.3 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet.(CVE-2017-7541) - The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel through 4.12.3 allows local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket.(CVE-2017-7542) - Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 4.12.2 allows local users to gain privileges via a crafted ACPI table.(CVE-2017-11473) - net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG_XFRM_MIGRATE is enabled, does not ensure that the dir value of xfrm_userpolicy_id is XFRM_POLICY_MAX or less, which allows local users to cause a denial of service (out-of-bounds access) or possibly have unspecified other impact via an XFRM_MSG_MIGRATE xfrm Netlink message.(CVE-2017-11600) - It was discovered that root can gain direct access to an internal keyring, such as
    last seen2020-05-06
    modified2017-09-08
    plugin id102997
    published2017-09-08
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102997
    titleEulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1159)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3659.NASL
    descriptionThe remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s).
    last seen2020-06-05
    modified2017-12-14
    plugin id105247
    published2017-12-14
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105247
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3659) (BlueBorne) (Dirty COW) (Stack Clash)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2017-0029.NASL
    descriptionAn update of [ruby,cassandra,linux,libxml2] packages for PhotonOS has been released.
    last seen2019-02-21
    modified2019-02-07
    plugin id111878
    published2018-08-17
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111878
    titlePhoton OS 1.0: Cassandra / Libxml2 / Linux / Ruby PHSA-2017-0029 (deprecated)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-890.NASL
    descriptionThe openSUSE Leap 42.3 kernel was updated to 4.4.79 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-7542: The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linux kernel allowed local users to cause a denial of service (integer overflow and infinite loop) by leveraging the ability to open a raw socket (bnc#1049882). - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users to gain privileges via a crafted ACPI table (bnc#1049603). - CVE-2017-7533: A bug in inotify code allowed local users to escalate privilege (bnc#1049483). - CVE-2017-7541: The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg8021 1.c in the Linux kernel allowed local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted NL80211_CMD_FRAME Netlink packet (bnc#1049645). The following non-security bugs were fixed : - ACPI / processor: Avoid reserving IO regions too early (bsc#1051478). - ALSA: fm801: Initialize chip after IRQ handler is registered (bsc#1031717). - Added sbitmap patch to blacklist.conf Add a patch
    last seen2020-06-05
    modified2017-08-10
    plugin id102332
    published2017-08-10
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102332
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2017-890)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2930.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id104003
    published2017-10-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104003
    titleRHEL 7 : kernel (RHSA-2017:2930)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2920-1.NASL
    descriptionThe SUSE Linux Enterprise 12 GA LTS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). - CVE-2015-9004: kernel/events/core.c in the Linux kernel mishandled counter grouping, which allowed local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions (bnc#1037306). - CVE-2016-10229: udp.c in the Linux kernel allowed remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag (bnc#1032268). - CVE-2016-9604: The handling of keyrings starting with
    last seen2020-06-01
    modified2020-06-02
    plugin id104374
    published2017-11-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104374
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2920-1) (KRACK) (Stack Clash)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2908-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP1 LTS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346 (bnc#1064388). - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients (bnc#1063667). - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192 (bnc#1045327). - CVE-2017-15265: Use-after-free vulnerability in the Linux kernel allowed local users to have unspecified impact via vectors related to /dev/snd/seq (bnc#1062520). - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the argument and environment pointers into account, which allowed attackers to bypass this limitation. (bnc#1039354). - CVE-2017-12153: A security flaw was discovered in the nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux kernel This function did not check whether the required attributes are present in a Netlink request. This request can be issued by a user with the CAP_NET_ADMIN capability and may result in a NULL pointer dereference and system crash (bnc#1058410). - CVE-2017-12154: The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel did not ensure that the
    last seen2020-06-01
    modified2020-06-02
    plugin id104271
    published2017-10-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104271
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2017:2908-1) (KRACK) (Stack Clash)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3583-1.NASL
    descriptionIt was discovered that an out-of-bounds write vulnerability existed in the Flash-Friendly File System (f2fs) in the Linux kernel. An attacker could construct a malicious file system that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0750) It was discovered that a race condition leading to a use-after-free vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-0861) It was discovered that the KVM implementation in the Linux kernel allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM could use this to cause a denial of service (system crash) in the host OS. (CVE-2017-1000407) Bo Zhang discovered that the netlink wireless configuration interface in the Linux kernel did not properly validate attributes when handling certain requests. A local attacker with the CAP_NET_ADMIN could use this to cause a denial of service (system crash). (CVE-2017-12153) Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux kernel did not properly track reference counts when merging buffers. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2017-12190) It was discovered that the key management subsystem in the Linux kernel did not properly restrict key reads on negatively instantiated keys. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12192) It was discovered that an integer overflow existed in the sysfs interface for the QLogic 24xx+ series SCSI driver in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-14051) Otto Ebeling discovered that the memory manager in the Linux kernel did not properly check the effective UID in some situations. A local attacker could use this to expose sensitive information. (CVE-2017-14140) It was discovered that the ATI Radeon framebuffer driver in the Linux kernel did not properly initialize a data structure returned to user space. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14156) ChunYu Wang discovered that the iSCSI transport implementation in the Linux kernel did not properly validate data structures. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14489) James Patrick-Evans discovered a race condition in the LEGO USB Infrared Tower driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15102) ChunYu Wang discovered that a use-after-free vulnerability existed in the SCTP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code, (CVE-2017-15115) It was discovered that the key management subsystem in the Linux kernel did not properly handle NULL payloads with non-zero length values. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-15274) It was discovered that the Bluebooth Network Encapsulation Protocol (BNEP) implementation in the Linux kernel did not validate the type of socket passed in the BNEPCONNADD ioctl(). A local attacker with the CAP_NET_ADMIN privilege could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15868) Andrey Konovalov discovered a use-after-free vulnerability in the USB serial console driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16525) It was discovered that the netfilter passive OS fingerprinting (xt_osf) module did not properly perform access control checks. A local attacker could improperly modify the systemwide OS fingerprint list. (CVE-2017-17450) It was discovered that the HMAC implementation did not validate the state of the underlying cryptographic hash algorithm. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17806) Denys Fedoryshchenko discovered a use-after-free vulnerability in the netfilter xt_TCPMSS filter of the Linux kernel. A remote attacker could use this to cause a denial of service (system crash). (CVE-2017-18017) Gareth Evans discovered that the shm IPC subsystem in the Linux kernel did not properly restrict mapping page zero. A local privileged attacker could use this to execute arbitrary code. (CVE-2017-5669) It was discovered that an integer overflow vulnerability existing in the IPv6 implementation in the Linux kernel. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-7542) Tommi Rantala and Brad Spengler discovered that the memory manager in the Linux kernel did not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism. A local attacker with access to /dev/mem could use this to expose sensitive information or possibly execute arbitrary code. (CVE-2017-7889) Mohamed Ghannam discovered a use-after-free vulnerability in the DCCP protocol implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-8824) Mohamed Ghannam discovered a NULL pointer dereference in the RDS (Reliable Datagram Sockets) protocol implementation of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-5333) Fan Long Fei discovered that a race condition existed in loop block device implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-5344) USN-3524-1 mitigated CVE-2017-5754 (Meltdown) for the amd64 architecture in Ubuntu 14.04 LTS. This update provides the corresponding mitigations for the ppc64el architecture. Original advisory details : Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2017-5754). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id107003
    published2018-02-26
    reporterUbuntu Security Notice (C) 2018-2020 Canonical, Inc. / NASL script (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107003
    titleUbuntu 14.04 LTS : linux vulnerabilities (USN-3583-1) (Meltdown)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0152_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has kernel packages installed that are affected by multiple vulnerabilities: - It was found that AIO interface didn
    last seen2020-06-01
    modified2020-06-02
    plugin id127425
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127425
    titleNewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0152)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1526.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A double free vulnerability was found in netlink_dump, which could cause a denial of service or possibly other unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely.(CVE-2016-9806i1/4%0 - Memory leak in drivers/media/video/videobuf-core.c in the videobuf subsystem in the Linux kernel 2.6.x through 4.x allows local users to cause a denial of service (memory consumption) by leveraging /dev/video access for a series of mmap calls that require new allocations, a different vulnerability than CVE-2007-6761. NOTE: as of 2016-06-18, this affects only 11 drivers that have not been updated to use videobuf2 instead of videobuf.(CVE-2010-5321i1/4%0 - ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.(CVE-2018-1108i1/4%0 - The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak.(CVE-2019-7222i1/4%0 - The adreno_perfcounter_query_group function in drivers/gpu/msm/adreno_perfcounter.c in the Adreno GPU driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, uses an incorrect integer data type, which allows attackers to cause a denial of service (integer overflow, heap-based buffer overflow, and incorrect memory allocation) or possibly have unspecified other impact via a crafted IOCTL_KGSL_PERFCOUNTER_QUERY ioctl call.(CVE-2016-2062i1/4%0 - drivers/hid/hid-ntrig.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_NTRIG is enabled, allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device.(CVE-2013-2896i1/4%0 - The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-3139i1/4%0 - An integer overflow vulnerability in ip6_find_1stfragopt() function was found. A local attacker that has privileges (of CAP_NET_RAW) to open raw socket can cause an infinite loop inside the ip6_find_1stfragopt() function.(CVE-2017-7542i1/4%0 - Memory leak in the virtio_gpu_object_create function in drivers/gpu/drm/virtio/virtgpu_object.c in the Linux kernel through 4.11.8 allows attackers to cause a denial of service (memory consumption) by triggering object-initialization failures.(CVE-2017-10810i1/4%0 - The ping_recvmsg function in net/ipv4/ping.c in the Linux kernel before 3.12.4 does not properly interact with read system calls on ping sockets, which allows local users to cause a denial of service (NULL pointer dereference and system crash) by leveraging unspecified privileges to execute a crafted application.(CVE-2013-6432i1/4%0 - The madvise_willneed function in the Linux kernel allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.(CVE-2017-18208i1/4%0 - An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.(CVE-2018-17182i1/4%0 - The ieee80211_radiotap_iterator_init function in net/wireless/radiotap.c in the Linux kernel before 3.11.7 does not check whether a frame contains any data outside of the header, which might allow attackers to cause a denial of service (buffer over-read) via a crafted header.(CVE-2013-7027i1/4%0 - The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time window, related to a race condition, or (2) after an xattr-replacement attempt that fails because the data does not fit.(CVE-2014-9710i1/4%0 - A flaw was found in the way the Linux kernel
    last seen2020-03-19
    modified2019-05-14
    plugin id124979
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124979
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1526)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2017-0029_LINUX.NASL
    descriptionAn update of the linux package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id121724
    published2019-02-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121724
    titlePhoton OS 1.0: Linux PHSA-2017-0029

Redhat

advisories
  • rhsa
    idRHSA-2017:2918
  • rhsa
    idRHSA-2017:2930
  • rhsa
    idRHSA-2017:2931
  • rhsa
    idRHSA-2018:0169
rpms
  • kernel-rt-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-debug-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-debug-debuginfo-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-debug-devel-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-debuginfo-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-debuginfo-common-x86_64-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-devel-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-doc-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-firmware-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-trace-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-trace-debuginfo-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-trace-devel-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-vanilla-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-vanilla-debuginfo-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-vanilla-devel-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-0:3.10.0-693.5.2.el7
  • kernel-abi-whitelists-0:3.10.0-693.5.2.el7
  • kernel-bootwrapper-0:3.10.0-693.5.2.el7
  • kernel-debug-0:3.10.0-693.5.2.el7
  • kernel-debug-debuginfo-0:3.10.0-693.5.2.el7
  • kernel-debug-devel-0:3.10.0-693.5.2.el7
  • kernel-debuginfo-0:3.10.0-693.5.2.el7
  • kernel-debuginfo-common-ppc64-0:3.10.0-693.5.2.el7
  • kernel-debuginfo-common-ppc64le-0:3.10.0-693.5.2.el7
  • kernel-debuginfo-common-s390x-0:3.10.0-693.5.2.el7
  • kernel-debuginfo-common-x86_64-0:3.10.0-693.5.2.el7
  • kernel-devel-0:3.10.0-693.5.2.el7
  • kernel-doc-0:3.10.0-693.5.2.el7
  • kernel-headers-0:3.10.0-693.5.2.el7
  • kernel-kdump-0:3.10.0-693.5.2.el7
  • kernel-kdump-debuginfo-0:3.10.0-693.5.2.el7
  • kernel-kdump-devel-0:3.10.0-693.5.2.el7
  • kernel-tools-0:3.10.0-693.5.2.el7
  • kernel-tools-debuginfo-0:3.10.0-693.5.2.el7
  • kernel-tools-libs-0:3.10.0-693.5.2.el7
  • kernel-tools-libs-devel-0:3.10.0-693.5.2.el7
  • perf-0:3.10.0-693.5.2.el7
  • perf-debuginfo-0:3.10.0-693.5.2.el7
  • python-perf-0:3.10.0-693.5.2.el7
  • python-perf-debuginfo-0:3.10.0-693.5.2.el7
  • kernel-rt-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-debuginfo-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-kvm-debuginfo-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debuginfo-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debuginfo-common-x86_64-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-doc-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-kvm-debuginfo-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-debuginfo-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-kvm-debuginfo-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-0:2.6.32-696.20.1.el6
  • kernel-abi-whitelists-0:2.6.32-696.20.1.el6
  • kernel-bootwrapper-0:2.6.32-696.20.1.el6
  • kernel-debug-0:2.6.32-696.20.1.el6
  • kernel-debug-debuginfo-0:2.6.32-696.20.1.el6
  • kernel-debug-devel-0:2.6.32-696.20.1.el6
  • kernel-debuginfo-0:2.6.32-696.20.1.el6
  • kernel-debuginfo-common-i686-0:2.6.32-696.20.1.el6
  • kernel-debuginfo-common-ppc64-0:2.6.32-696.20.1.el6
  • kernel-debuginfo-common-s390x-0:2.6.32-696.20.1.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-696.20.1.el6
  • kernel-devel-0:2.6.32-696.20.1.el6
  • kernel-doc-0:2.6.32-696.20.1.el6
  • kernel-firmware-0:2.6.32-696.20.1.el6
  • kernel-headers-0:2.6.32-696.20.1.el6
  • kernel-kdump-0:2.6.32-696.20.1.el6
  • kernel-kdump-debuginfo-0:2.6.32-696.20.1.el6
  • kernel-kdump-devel-0:2.6.32-696.20.1.el6
  • perf-0:2.6.32-696.20.1.el6
  • perf-debuginfo-0:2.6.32-696.20.1.el6
  • python-perf-0:2.6.32-696.20.1.el6
  • python-perf-debuginfo-0:2.6.32-696.20.1.el6