Vulnerabilities > CVE-2017-7558 - Out-of-bounds Read vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
low complexity
linux
debian
CWE-125
nessus

Summary

A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket's diagnostic information. As a result, up to 100 bytes of the slab data could be leaked to a userspace.

Vulnerable Configurations

Part Description Count
OS
Linux
352
OS
Debian
2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3981.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks. - CVE-2017-7518 Andy Lutomirski discovered that KVM is prone to an incorrect debug exception (#DB) error occurring while emulating a syscall instruction. A process inside a guest can take advantage of this flaw for privilege escalation inside a guest. - CVE-2017-7558 (stretch only) Stefano Brivio of Red Hat discovered that the SCTP subsystem is prone to a data leak vulnerability due to an out-of-bounds read flaw, allowing to leak up to 100 uninitialized bytes to userspace. - CVE-2017-10661 (jessie only) Dmitry Vyukov of Google reported that the timerfd facility does not properly handle certain concurrent operations on a single file descriptor. This allows a local attacker to cause a denial of service or potentially execute arbitrary code. - CVE-2017-11600 Bo Zhang reported that the xfrm subsystem does not properly validate one of the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability can use this to cause a denial of service or potentially to execute arbitrary code. - CVE-2017-12134 / #866511 / XSA-229 Jan H. Schoenherr of Amazon discovered that when Linux is running in a Xen PV domain on an x86 system, it may incorrectly merge block I/O requests. A buggy or malicious guest may trigger this bug in dom0 or a PV driver domain, causing a denial of service or potentially execution of arbitrary code. This issue can be mitigated by disabling merges on the underlying back-end block devices, e.g.:echo 2 > /sys/block/nvme0n1/queue/nomerges - CVE-2017-12146 (stretch only) Adrian Salido of Google reported a race condition in access to the
    last seen2020-06-05
    modified2017-09-21
    plugin id103365
    published2017-09-21
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103365
    titleDebian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3981. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103365);
      script_version("3.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-1000251", "CVE-2017-1000252", "CVE-2017-1000370", "CVE-2017-1000371", "CVE-2017-1000380", "CVE-2017-10661", "CVE-2017-11600", "CVE-2017-12134", "CVE-2017-12146", "CVE-2017-12153", "CVE-2017-12154", "CVE-2017-14106", "CVE-2017-14140", "CVE-2017-14156", "CVE-2017-14340", "CVE-2017-14489", "CVE-2017-14497", "CVE-2017-7518", "CVE-2017-7558");
      script_xref(name:"DSA", value:"3981");
    
      script_name(english:"Debian DSA-3981-1 : linux - security update (BlueBorne) (Stack Clash)");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to privilege escalation, denial of service or information
    leaks.
    
      - CVE-2017-7518
        Andy Lutomirski discovered that KVM is prone to an
        incorrect debug exception (#DB) error occurring while
        emulating a syscall instruction. A process inside a
        guest can take advantage of this flaw for privilege
        escalation inside a guest.
    
      - CVE-2017-7558 (stretch only)
        Stefano Brivio of Red Hat discovered that the SCTP
        subsystem is prone to a data leak vulnerability due to
        an out-of-bounds read flaw, allowing to leak up to 100
        uninitialized bytes to userspace.
    
      - CVE-2017-10661 (jessie only)
        Dmitry Vyukov of Google reported that the timerfd
        facility does not properly handle certain concurrent
        operations on a single file descriptor. This allows a
        local attacker to cause a denial of service or
        potentially execute arbitrary code.
    
      - CVE-2017-11600
        Bo Zhang reported that the xfrm subsystem does not
        properly validate one of the parameters to a netlink
        message. Local users with the CAP_NET_ADMIN capability
        can use this to cause a denial of service or potentially
        to execute arbitrary code.
    
      - CVE-2017-12134 / #866511 / XSA-229
        Jan H. Schoenherr of Amazon discovered that when Linux
        is running in a Xen PV domain on an x86 system, it may
        incorrectly merge block I/O requests. A buggy or
        malicious guest may trigger this bug in dom0 or a PV
        driver domain, causing a denial of service or
        potentially execution of arbitrary code.
    
      This issue can be mitigated by disabling merges on the underlying
      back-end block devices, e.g.:echo 2 >
      /sys/block/nvme0n1/queue/nomerges
    
      - CVE-2017-12146 (stretch only)
        Adrian Salido of Google reported a race condition in
        access to the'driver_override' attribute for platform
        devices in sysfs. If unprivileged users are permitted to
        access this attribute, this might allow them to gain
        privileges.
    
      - CVE-2017-12153
        Bo Zhang reported that the cfg80211 (wifi) subsystem
        does not properly validate the parameters to a netlink
        message. Local users with the CAP_NET_ADMIN capability
        (in any user namespace with a wifi device) can use this
        to cause a denial of service.
    
      - CVE-2017-12154
        Jim Mattson of Google reported that the KVM
        implementation for Intel x86 processors did not
        correctly handle certain nested hypervisor
        configurations. A malicious guest (or nested guest in a
        suitable L1 hypervisor) could use this for denial of
        service.
    
      - CVE-2017-14106
        Andrey Konovalov discovered that a user-triggerable
        division by zero in the tcp_disconnect() function could
        result in local denial of service.
    
      - CVE-2017-14140
        Otto Ebeling reported that the move_pages() system call
        performed insufficient validation of the UIDs of the
        calling and target processes, resulting in a partial
        ASLR bypass. This made it easier for local users to
        exploit vulnerabilities in programs installed with the
        set-UID permission bit set.
    
      - CVE-2017-14156
        'sohu0106' reported an information leak in the atyfb
        video driver. A local user with access to a framebuffer
        device handled by this driver could use this to obtain
        sensitive information.
    
      - CVE-2017-14340
        Richard Wareing discovered that the XFS implementation
        allows the creation of files with the 'realtime' flag on
        a filesystem with no realtime device, which can result
        in a crash (oops). A local user with access to an XFS
        filesystem that does not have a realtime device can use
        this for denial of service.
    
      - CVE-2017-14489
        ChunYu Wang of Red Hat discovered that the iSCSI
        subsystem does not properly validate the length of a
        netlink message, leading to memory corruption. A local
        user with permission to manage iSCSI devices can use
        this for denial of service or possibly to execute
        arbitrary code.
    
      - CVE-2017-14497 (stretch only)
        Benjamin Poirier of SUSE reported that vnet headers are
        not properly handled within the tpacket_rcv() function
        in the raw packet (af_packet) feature. A local user with
        the CAP_NET_RAW capability can take advantage of this
        flaw to cause a denial of service (buffer overflow, and
        disk and memory corruption) or have other impact.
    
      - CVE-2017-1000111
        Andrey Konovalov of Google reported a race condition in
        the raw packet (af_packet) feature. Local users with the
        CAP_NET_RAW capability can use this for denial of
        service or possibly to execute arbitrary code.
    
      - CVE-2017-1000112
        Andrey Konovalov of Google reported a race condition
        flaw in the UDP Fragmentation Offload (UFO) code. A
        local user can use this flaw for denial of service or
        possibly to execute arbitrary code.
    
      - CVE-2017-1000251 / #875881
        Armis Labs discovered that the Bluetooth subsystem does
        not properly validate L2CAP configuration responses,
        leading to a stack-based buffer overflow. This is one of
        several vulnerabilities dubbed 'Blueborne'. A nearby
        attacker can use this to cause a denial of service or
        possibly to execute arbitrary code on a system with
        Bluetooth enabled.
    
      - CVE-2017-1000252 (stretch only)
        Jan H. Schoenherr of Amazon reported that the KVM
        implementation for Intel x86 processors did not
        correctly validate interrupt injection requests. A local
        user with permission to use KVM could use this for
        denial of service.
    
      - CVE-2017-1000370
        The Qualys Research Labs reported that a large argument
        or environment list can result in ASLR bypass for 32-bit
        PIE binaries.
    
      - CVE-2017-1000371
        The Qualys Research Labs reported that a large argument
        or environment list can result in a stack/heap clash for
        32-bit PIE binaries.
    
      - CVE-2017-1000380
        Alexander Potapenko of Google reported a race condition
        in the ALSA (sound) timer driver, leading to an
        information leak. A local user with permission to access
        sound devices could use this to obtain sensitive
        information.
    
    Debian disables unprivileged user namespaces by default, but if they
    are enabled (via the kernel.unprivileged_userns_clone sysctl) then
    CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited
    by any local user."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866511"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875881"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-7518"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-7558"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-10661"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-11600"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-12134"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-12146"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-12153"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-12154"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-14106"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-14140"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-14156"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-14340"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-14489"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-14497"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-1000111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-1000112"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-1000251"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-1000252"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-1000370"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-1000371"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-1000380"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-11600"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-14497"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2017-1000111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/linux"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/linux"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2017/dsa-3981"
      );
      script_set_attribute(
        attribute:"solution",
        value:
    "Upgrade the linux packages.
    
    For the oldstable distribution (jessie), these problems have been
    fixed in version 3.16.43-2+deb8u5.
    
    For the stable distribution (stretch), these problems have been fixed
    in version 4.9.30-2+deb9u5."
      );
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/21");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.43-2+deb8u5")) flag++;
    if (deb_check(release:"9.0", prefix:"hyperv-daemons", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"libcpupower-dev", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"libcpupower1", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"libusbip-dev", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-arm", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-s390", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-x86", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-cpupower", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-doc-4.9", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-4kc-malta", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-5kc-malta", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-686", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-686-pae", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-amd64", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-arm64", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-armel", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-armhf", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-i386", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mips", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mips64el", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mipsel", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-ppc64el", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-s390x", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-amd64", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-arm64", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-armmp", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-armmp-lpae", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-common", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-common-rt", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-loongson-3", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-marvell", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-octeon", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-powerpc64le", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-rt-686-pae", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-rt-amd64", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-s390x", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-4kc-malta", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-4kc-malta-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-5kc-malta", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-5kc-malta-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-pae", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-pae-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-amd64", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-amd64-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-arm64", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-arm64-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-lpae", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-lpae-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-loongson-3", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-loongson-3-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-marvell", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-marvell-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-octeon", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-octeon-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-powerpc64le", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-powerpc64le-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-686-pae", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-686-pae-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-amd64", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-amd64-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-s390x", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-s390x-dbg", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-kbuild-4.9", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-libc-dev", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-manual-4.9", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-perf-4.9", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-source-4.9", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-support-4.9.0-9", reference:"4.9.30-2+deb9u5")) flag++;
    if (deb_check(release:"9.0", prefix:"usbip", reference:"4.9.30-2+deb9u5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-4B4C022807.NASL
    descriptionThe 4.12.9 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-09-01
    plugin id102895
    published2017-09-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102895
    titleFedora 25 : kernel (2017-4b4c022807)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-4b4c022807.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102895);
      script_version("3.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-7558");
      script_xref(name:"FEDORA", value:"2017-4b4c022807");
    
      script_name(english:"Fedora 25 : kernel (2017-4b4c022807)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The 4.12.9 stable kernel update contains a number of important fixes
    across the tree.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-4b4c022807"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-7558");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2017-4b4c022807");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"kernel-4.12.9-200.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2918.NASL
    descriptionAn update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id104090
    published2017-10-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104090
    titleRHEL 6 : MRG (RHSA-2017:2918)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:2918. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104090);
      script_version("3.12");
      script_cvs_date("Date: 2019/10/24 15:35:43");
    
      script_cve_id("CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-11176", "CVE-2017-14106", "CVE-2017-14340", "CVE-2017-7184", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-7558");
      script_xref(name:"RHSA", value:"2017:2918");
    
      script_name(english:"RHEL 6 : MRG (RHSA-2017:2918)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel-rt is now available for Red Hat Enterprise MRG 2.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel-rt packages provide the Real Time Linux Kernel, which
    enables fine-tuning for systems with extremely high determinism
    requirements.
    
    Security Fix(es) :
    
    * Out-of-bounds kernel heap access vulnerability was found in xfrm,
    kernel's IP framework for transforming packets. An error dealing with
    netlink messages from an unprivileged user leads to arbitrary
    read/write and privilege escalation. (CVE-2017-7184, Important)
    
    * A race condition issue leading to a use-after-free flaw was found in
    the way the raw packet sockets are implemented in the Linux kernel
    networking subsystem handling synchronization. A local user able to
    open a raw packet socket (requires the CAP_NET_RAW capability) could
    use this flaw to elevate their privileges on the system.
    (CVE-2017-1000111, Important)
    
    * An exploitable memory corruption flaw was found in the Linux kernel.
    The append path can be erroneously switched from UFO to non-UFO in
    ip_ufo_append_data() when building an UFO packet with MSG_MORE option.
    If unprivileged user namespaces are available, this flaw can be
    exploited to gain root privileges. (CVE-2017-1000112, Important)
    
    * Kernel memory corruption due to a buffer overflow was found in
    brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to
    v4.13-rc1. The vulnerability can be triggered by sending a crafted
    NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be
    triggered remotely as certain userspace code is needed for this. An
    unprivileged local user could use this flaw to induce kernel memory
    corruption on the system, leading to a crash. Due to the nature of the
    flaw, privilege escalation cannot be fully ruled out, although it is
    unlikely. (CVE-2017-7541, Moderate)
    
    * An integer overflow vulnerability in ip6_find_1stfragopt() function
    was found. A local attacker that has privileges (of CAP_NET_RAW) to
    open raw socket can cause an infinite loop inside the
    ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)
    
    * A kernel data leak due to an out-of-bound read was found in the
    Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and
    sctp_get_sctp_info() functions present since version 4.7-rc1 through
    version 4.13. A data leak happens when these functions fill in
    sockaddr data structures used to export socket's diagnostic
    information. As a result, up to 100 bytes of the slab data could be
    leaked to a userspace. (CVE-2017-7558, Moderate)
    
    * The mq_notify function in the Linux kernel through 4.11.9 does not
    set the sock pointer to NULL upon entry into the retry logic. During a
    user-space close of a Netlink socket, it allows attackers to possibly
    cause a situation where a value may be used after being freed
    (use-after-free) which may lead to memory corruption or other
    unspecified other impact. (CVE-2017-11176, Moderate)
    
    * A divide-by-zero vulnerability was found in the __tcp_select_window
    function in the Linux kernel. This can result in a kernel panic
    causing a local denial of service. (CVE-2017-14106, Moderate)
    
    * A flaw was found where the XFS filesystem code mishandles a
    user-settable inode flag in the Linux kernel prior to 4.14-rc1. This
    can cause a local denial of service via a kernel panic.
    (CVE-2017-14340, Moderate)
    
    Red Hat would like to thank Chaitin Security Research Lab for
    reporting CVE-2017-7184; Willem de Bruijn for reporting
    CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112.
    The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat) and
    the CVE-2017-14340 issue was discovered by Dave Chinner (Red Hat).
    
    Bug Fix(es) :
    
    * kernel-rt packages have been upgraded to the 3.10.0-693.5.2 source
    tree, which provides number of bug fixes over the previous version.
    (BZ#1489085)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2017:2918"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-1000111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-1000112"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-11176"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-14106"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-14340"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7184"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7541"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7542"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7558"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-11176", "CVE-2017-14106", "CVE-2017-14340", "CVE-2017-7184", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-7558");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2017:2918");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2017:2918";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL6", rpm:"mrg-release"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "MRG");
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debug-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debug-debuginfo-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debug-devel-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debuginfo-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-debuginfo-common-x86_64-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-devel-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"kernel-rt-doc-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"kernel-rt-firmware-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-trace-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-trace-debuginfo-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-trace-devel-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-vanilla-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-vanilla-debuginfo-3.10.0-693.5.2.rt56.592.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"kernel-rt-vanilla-devel-3.10.0-693.5.2.rt56.592.el6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc");
      }
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-78C4C71539.NASL
    descriptionThe 4.12.9 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-09-01
    plugin id102898
    published2017-09-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102898
    titleFedora 26 : kernel (2017-78c4c71539)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-78c4c71539.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102898);
      script_version("3.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-7558");
      script_xref(name:"FEDORA", value:"2017-78c4c71539");
    
      script_name(english:"Fedora 26 : kernel (2017-78c4c71539)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The 4.12.9 stable kernel update contains a number of important fixes
    across the tree.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-78c4c71539"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-7558");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2017-78c4c71539");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"kernel-4.12.9-300.fc26")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2930.NASL
    descriptionFrom Red Hat Security Advisory 2017:2930 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id104001
    published2017-10-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104001
    titleOracle Linux 7 : kernel (ELSA-2017-2930)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2017:2930 and 
    # Oracle Linux Security Advisory ELSA-2017-2930 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104001);
      script_version("3.12");
      script_cvs_date("Date: 2019/09/27 13:00:38");
    
      script_cve_id("CVE-2016-8399", "CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-11176", "CVE-2017-14106", "CVE-2017-7184", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-7558");
      script_xref(name:"RHSA", value:"2017:2930");
    
      script_name(english:"Oracle Linux 7 : kernel (ELSA-2017-2930)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2017:2930 :
    
    An update for kernel is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel packages contain the Linux kernel, the core of any Linux
    operating system.
    
    Security Fix(es) :
    
    * Out-of-bounds kernel heap access vulnerability was found in xfrm,
    kernel's IP framework for transforming packets. An error dealing with
    netlink messages from an unprivileged user leads to arbitrary
    read/write and privilege escalation. (CVE-2017-7184, Important)
    
    * A race condition issue leading to a use-after-free flaw was found in
    the way the raw packet sockets are implemented in the Linux kernel
    networking subsystem handling synchronization. A local user able to
    open a raw packet socket (requires the CAP_NET_RAW capability) could
    use this flaw to elevate their privileges on the system.
    (CVE-2017-1000111, Important)
    
    * An exploitable memory corruption flaw was found in the Linux kernel.
    The append path can be erroneously switched from UFO to non-UFO in
    ip_ufo_append_data() when building an UFO packet with MSG_MORE option.
    If unprivileged user namespaces are available, this flaw can be
    exploited to gain root privileges. (CVE-2017-1000112, Important)
    
    * A flaw was found in the Linux networking subsystem where a local
    attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds
    memory access by creating a smaller-than-expected ICMP header and
    sending to its destination via sendto(). (CVE-2016-8399, Moderate)
    
    * Kernel memory corruption due to a buffer overflow was found in
    brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to
    v4.13-rc1. The vulnerability can be triggered by sending a crafted
    NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be
    triggered remotely as certain userspace code is needed for this. An
    unprivileged local user could use this flaw to induce kernel memory
    corruption on the system, leading to a crash. Due to the nature of the
    flaw, privilege escalation cannot be fully ruled out, although it is
    unlikely. (CVE-2017-7541, Moderate)
    
    * An integer overflow vulnerability in ip6_find_1stfragopt() function
    was found. A local attacker that has privileges (of CAP_NET_RAW) to
    open raw socket can cause an infinite loop inside the
    ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)
    
    * A kernel data leak due to an out-of-bound read was found in the
    Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and
    sctp_get_sctp_info() functions present since version 4.7-rc1 through
    version 4.13. A data leak happens when these functions fill in
    sockaddr data structures used to export socket's diagnostic
    information. As a result, up to 100 bytes of the slab data could be
    leaked to a userspace. (CVE-2017-7558, Moderate)
    
    * The mq_notify function in the Linux kernel through 4.11.9 does not
    set the sock pointer to NULL upon entry into the retry logic. During a
    user-space close of a Netlink socket, it allows attackers to possibly
    cause a situation where a value may be used after being freed
    (use-after-free) which may lead to memory corruption or other
    unspecified other impact. (CVE-2017-11176, Moderate)
    
    * A divide-by-zero vulnerability was found in the __tcp_select_window
    function in the Linux kernel. This can result in a kernel panic
    causing a local denial of service. (CVE-2017-14106, Moderate)
    
    Red Hat would like to thank Chaitin Security Research Lab for
    reporting CVE-2017-7184; Willem de Bruijn for reporting
    CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112.
    The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat).
    
    Space precludes documenting all of the bug fixes and enhancements
    included in this advisory. To see the complete list of bug fixes and
    enhancements, refer to the following KnowledgeBase article:
    https://access.redhat.com/node/3212921."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-October/007282.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-8399", "CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-11176", "CVE-2017-14106", "CVE-2017-7184", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-7558");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2017-2930");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "3.10";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL7", rpm:"kernel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-3.10.0-693.5.2.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-abi-whitelists-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-abi-whitelists-3.10.0-693.5.2.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-debug-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-693.5.2.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-debug-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-693.5.2.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-693.5.2.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-doc-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-doc-3.10.0-693.5.2.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-headers-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-693.5.2.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-693.5.2.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-693.5.2.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"perf-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"python-perf-3.10.0-693.5.2.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2931.NASL
    descriptionAn update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id104004
    published2017-10-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104004
    titleRHEL 7 : kernel-rt (RHSA-2017:2931)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:2931. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104004);
      script_version("3.13");
      script_cvs_date("Date: 2019/10/24 15:35:43");
    
      script_cve_id("CVE-2016-8399", "CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-11176", "CVE-2017-14106", "CVE-2017-7184", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-7558");
      script_xref(name:"RHSA", value:"2017:2931");
    
      script_name(english:"RHEL 7 : kernel-rt (RHSA-2017:2931)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel-rt is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel-rt packages provide the Real Time Linux Kernel, which
    enables fine-tuning for systems with extremely high determinism
    requirements.
    
    Security Fix(es) :
    
    * Out-of-bounds kernel heap access vulnerability was found in xfrm,
    kernel's IP framework for transforming packets. An error dealing with
    netlink messages from an unprivileged user leads to arbitrary
    read/write and privilege escalation. (CVE-2017-7184, Important)
    
    * A race condition issue leading to a use-after-free flaw was found in
    the way the raw packet sockets are implemented in the Linux kernel
    networking subsystem handling synchronization. A local user able to
    open a raw packet socket (requires the CAP_NET_RAW capability) could
    use this flaw to elevate their privileges on the system.
    (CVE-2017-1000111, Important)
    
    * An exploitable memory corruption flaw was found in the Linux kernel.
    The append path can be erroneously switched from UFO to non-UFO in
    ip_ufo_append_data() when building an UFO packet with MSG_MORE option.
    If unprivileged user namespaces are available, this flaw can be
    exploited to gain root privileges. (CVE-2017-1000112, Important)
    
    * A flaw was found in the Linux networking subsystem where a local
    attacker with CAP_NET_ADMIN capabilities could cause an out-of-bounds
    memory access by creating a smaller-than-expected ICMP header and
    sending to its destination via sendto(). (CVE-2016-8399, Moderate)
    
    * Kernel memory corruption due to a buffer overflow was found in
    brcmf_cfg80211_mgmt_tx() function in Linux kernels from v3.9-rc1 to
    v4.13-rc1. The vulnerability can be triggered by sending a crafted
    NL80211_CMD_FRAME packet via netlink. This flaw is unlikely to be
    triggered remotely as certain userspace code is needed for this. An
    unprivileged local user could use this flaw to induce kernel memory
    corruption on the system, leading to a crash. Due to the nature of the
    flaw, privilege escalation cannot be fully ruled out, although it is
    unlikely. (CVE-2017-7541, Moderate)
    
    * An integer overflow vulnerability in ip6_find_1stfragopt() function
    was found. A local attacker that has privileges (of CAP_NET_RAW) to
    open raw socket can cause an infinite loop inside the
    ip6_find_1stfragopt() function. (CVE-2017-7542, Moderate)
    
    * A kernel data leak due to an out-of-bound read was found in the
    Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and
    sctp_get_sctp_info() functions present since version 4.7-rc1 through
    version 4.13. A data leak happens when these functions fill in
    sockaddr data structures used to export socket's diagnostic
    information. As a result, up to 100 bytes of the slab data could be
    leaked to a userspace. (CVE-2017-7558, Moderate)
    
    * The mq_notify function in the Linux kernel through 4.11.9 does not
    set the sock pointer to NULL upon entry into the retry logic. During a
    user-space close of a Netlink socket, it allows attackers to possibly
    cause a situation where a value may be used after being freed
    (use-after-free) which may lead to memory corruption or other
    unspecified other impact. (CVE-2017-11176, Moderate)
    
    * A divide-by-zero vulnerability was found in the __tcp_select_window
    function in the Linux kernel. This can result in a kernel panic
    causing a local denial of service. (CVE-2017-14106, Moderate)
    
    Red Hat would like to thank Chaitin Security Research Lab for
    reporting CVE-2017-7184; Willem de Bruijn for reporting
    CVE-2017-1000111; and Andrey Konovalov for reporting CVE-2017-1000112.
    The CVE-2017-7558 issue was discovered by Stefano Brivio (Red Hat).
    
    Bug Fix(es) :
    
    * The kernel-rt packages have been upgraded to the 3.10.0-693.5.2
    source tree, which provides number of bug fixes over the previous
    version. (BZ# 1489084)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2017:2931"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-8399"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-1000111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-1000112"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-11176"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-14106"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7184"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7541"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7542"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-7558"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2016-8399", "CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-11176", "CVE-2017-14106", "CVE-2017-7184", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-7558");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2017:2931");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2017:2931";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-debuginfo-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-devel-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-kvm-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debug-kvm-debuginfo-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debuginfo-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-debuginfo-common-x86_64-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-devel-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-rt-doc-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-kvm-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-kvm-debuginfo-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-debuginfo-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-devel-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-kvm-3.10.0-693.5.2.rt56.626.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"kernel-rt-trace-kvm-debuginfo-3.10.0-693.5.2.rt56.626.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc");
      }
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20171019_KERNEL_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel
    last seen2020-03-18
    modified2017-10-20
    plugin id104008
    published2017-10-20
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104008
    titleScientific Linux Security Update : kernel on SL7.x x86_64 (20171019)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104008);
      script_version("3.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25");
    
      script_cve_id("CVE-2016-8399", "CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-11176", "CVE-2017-14106", "CVE-2017-7184", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-7558");
    
      script_name(english:"Scientific Linux Security Update : kernel on SL7.x x86_64 (20171019)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security Fix(es) :
    
      - Out-of-bounds kernel heap access vulnerability was found
        in xfrm, kernel's IP framework for transforming packets.
        An error dealing with netlink messages from an
        unprivileged user leads to arbitrary read/write and
        privilege escalation. (CVE-2017-7184, Important)
    
      - A race condition issue leading to a use-after-free flaw
        was found in the way the raw packet sockets are
        implemented in the Linux kernel networking subsystem
        handling synchronization. A local user able to open a
        raw packet socket (requires the CAP_NET_RAW capability)
        could use this flaw to elevate their privileges on the
        system. (CVE-2017-1000111, Important)
    
      - An exploitable memory corruption flaw was found in the
        Linux kernel. The append path can be erroneously
        switched from UFO to non-UFO in ip_ufo_append_data()
        when building an UFO packet with MSG_MORE option. If
        unprivileged user namespaces are available, this flaw
        can be exploited to gain root privileges.
        (CVE-2017-1000112, Important)
    
      - A flaw was found in the Linux networking subsystem where
        a local attacker with CAP_NET_ADMIN capabilities could
        cause an out-of-bounds memory access by creating a
        smaller-than-expected ICMP header and sending to its
        destination via sendto(). (CVE-2016-8399, Moderate)
    
      - Kernel memory corruption due to a buffer overflow was
        found in brcmf_cfg80211_mgmt_tx() function in Linux
        kernels from v3.9-rc1 to v4.13-rc1. The vulnerability
        can be triggered by sending a crafted NL80211_CMD_FRAME
        packet via netlink. This flaw is unlikely to be
        triggered remotely as certain userspace code is needed
        for this. An unprivileged local user could use this flaw
        to induce kernel memory corruption on the system,
        leading to a crash. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        it is unlikely. (CVE-2017-7541, Moderate)
    
      - An integer overflow vulnerability in
        ip6_find_1stfragopt() function was found. A local
        attacker that has privileges (of CAP_NET_RAW) to open
        raw socket can cause an infinite loop inside the
        ip6_find_1stfragopt() function. (CVE-2017-7542,
        Moderate)
    
      - A kernel data leak due to an out-of-bound read was found
        in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill()
        and sctp_get_sctp_info() functions present since version
        4.7-rc1 through version 4.13. A data leak happens when
        these functions fill in sockaddr data structures used to
        export socket's diagnostic information. As a result, up
        to 100 bytes of the slab data could be leaked to a
        userspace. (CVE-2017-7558, Moderate)
    
      - The mq_notify function in the Linux kernel through
        4.11.9 does not set the sock pointer to NULL upon entry
        into the retry logic. During a user- space close of a
        Netlink socket, it allows attackers to possibly cause a
        situation where a value may be used after being freed
        (use-after-free) which may lead to memory corruption or
        other unspecified other impact. (CVE-2017-11176,
        Moderate)
    
      - A divide-by-zero vulnerability was found in the
        __tcp_select_window function in the Linux kernel. This
        can result in a kernel panic causing a local denial of
        service. (CVE-2017-14106, Moderate)"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1710&L=scientific-linux-errata&F=&S=&P=12344
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?35dfde1c"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", reference:"kernel-abi-whitelists-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-debuginfo-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debuginfo-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", reference:"kernel-doc-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-debuginfo-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"perf-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"perf-debuginfo-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"python-perf-3.10.0-693.5.2.el7")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"python-perf-debuginfo-3.10.0-693.5.2.el7")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc");
    }
    
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZA-2017-079.NASL
    descriptionAccording to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket
    last seen2020-06-01
    modified2020-06-02
    plugin id102981
    published2017-09-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102981
    titleVirtuozzo 7 : readykernel-patch (VZA-2017-079)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-2930.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id104106
    published2017-10-24
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104106
    titleCentOS 7 : kernel (CESA-2017:2930)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-901.NASL
    descriptionA buffer overflow was discovered in tpacket_rcv() function in the Linux kernel since v4.6-rc1 through v4.13. A number of socket-related syscalls can be made to set up a configuration when each packet received by a network interface can cause writing up to 10 bytes to a kernel memory outside of a kernel buffer. This can cause unspecified kernel data corruption effects, including damage of in-memory and on-disk XFS data. (CVE-2017-14497) A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket
    last seen2020-06-01
    modified2020-06-02
    plugin id103653
    published2017-10-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103653
    titleAmazon Linux AMI : kernel (ALAS-2017-901)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2930-1.NASL
    descriptionDescription of changes: - [3.10.0-693.5.2.0.1.el7.OL7] - [ipc] ipc/sem.c: bugfix for semctl(,,GETZCNT) (Manfred Spraul) [orabug 22552377] - Oracle Linux certificates (Alexey Petrenko) - Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)(<A HREF=
    last seen2020-06-01
    modified2020-06-02
    plugin id104088
    published2017-10-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104088
    titleOracle Linux 7 : kernel (ELSA-2017-2930-1) (BlueBorne)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0004_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - Multiple array index errors in drivers/hid/hid-core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11 allow physically proximate attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted device that provides an invalid Report ID. (CVE-2013-2888) - drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allows physically proximate attackers to cause a denial of service (heap- based out-of-bounds write) via a crafted device. (CVE-2013-2889) - drivers/hid/hid-pl.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PANTHERLORD is enabled, allows physically proximate attackers to cause a denial of service (heap- based out-of-bounds write) via a crafted device. (CVE-2013-2892) - The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application. (CVE-2013-2930) - Use-after-free vulnerability in the vhost_net_set_backend function in drivers/vhost/net.c in the Linux kernel through 3.10.3 allows local users to cause a denial of service (OOPS and system crash) via vectors involving powering on a virtual machine. (CVE-2013-4127) - The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4162) - The ip6_append_data_mtu function in net/ipv6/ip6_output.c in the IPv6 implementation in the Linux kernel through 3.10.3 does not properly maintain information about whether the IPV6_MTU setsockopt option had been specified, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (CVE-2013-4163) - Use-after-free vulnerability in drivers/net/tun.c in the Linux kernel through 3.11.1 allows local users to gain privileges by leveraging the CAP_NET_ADMIN capability and providing an invalid tuntap interface name in a TUNSETIFF ioctl call. (CVE-2013-4343) - The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a small value in the IHL field of a packet with IPIP encapsulation. (CVE-2013-4348) - The IPv6 SCTP implementation in net/sctp/ipv6.c in the Linux kernel through 3.11.1 uses data structures and function calls that do not trigger an intended configuration of IPsec encryption, which allows remote attackers to obtain sensitive information by sniffing the network. (CVE-2013-4350) - net/ipv6/ip6_output.c in the Linux kernel through 3.11.4 does not properly determine the need for UDP Fragmentation Offload (UFO) processing of small packets after the UFO queueing of a large packet, which allows remote attackers to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via network traffic that triggers a large response packet. (CVE-2013-4387) - The udp6_ufo_fragment function in net/ipv6/udp_offload.c in the Linux kernel through 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly perform a certain size comparison before inserting a fragment header, which allows remote attackers to cause a denial of service (panic) via a large IPv6 UDP packet, as demonstrated by use of the Token Bucket Filter (TBF) queueing discipline. (CVE-2013-4563) - The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (CVE-2013-4579) - Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value. (CVE-2013-4587) - The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. (CVE-2013-6367) - The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address. (CVE-2013-6368) - The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode. (CVE-2013-6376) - The lbs_debugfs_write function in drivers/net/wireless/libertas/debugfs.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service (OOPS) by leveraging root privileges for a zero-length write operation. (CVE-2013-6378) - The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command. (CVE-2013-6380) - Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (CVE-2013-6382) - Multiple race conditions in ipc/shm.c in the Linux kernel before 3.12.2 allow local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted application that uses shmctl IPC_RMID operations in conjunction with other shm system calls. (CVE-2013-7026) - The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7266) - The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7267) - The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7268) - The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7269) - The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7270) - The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7271) - Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data. (CVE-2014-0049) - The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors. (CVE-2014-0055) - The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer. (CVE-2014-0069) - drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions. (CVE-2014-0077) - Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel through 3.13.6 allows remote attackers to cause a denial of service (use-after-free error) or possibly have unspecified other impact via a large series of fragmented ICMP Echo Request packets to a system with a heavy CPU load. (CVE-2014-0100) - A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system. (CVE-2014-0101) - The keyring_detect_cycle_iterator function in security/keys/keyring.c in the Linux kernel through 3.13.6 does not properly determine whether keyrings are identical, which allows local users to cause a denial of service (OOPS) via crafted keyctl commands. (CVE-2014-0102) - Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. (CVE-2014-0131) - The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced. (CVE-2014-0155) - The restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does not clear pending exceptions before proceeding to an EMMS instruction, which allows local users to cause a denial of service (task kill) or possibly gain privileges via a crafted application. (CVE-2014-1438) - The help function in net/netfilter/nf_nat_irc.c in the Linux kernel before 3.12.8 allows remote attackers to obtain sensitive information from kernel memory by establishing an IRC DCC session in which incorrect packet data is transmitted during use of the NAT mangle feature. (CVE-2014-1690) - The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. (CVE-2014-2309) - net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function. (CVE-2014-2523) - It was found that the try_to_unmap_cluster() function in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id127146
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127146
    titleNewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2930.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Out-of-bounds kernel heap access vulnerability was found in xfrm, kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id104003
    published2017-10-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104003
    titleRHEL 7 : kernel (RHSA-2017:2930)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1539.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id124992
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124992
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1539)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZA-2017-078.NASL
    descriptionAccording to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - A kernel data leak due to an out-of-bound read was found in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() functions present since version 4.7-rc1 through version 4.13. A data leak happens when these functions fill in sockaddr data structures used to export socket
    last seen2020-06-01
    modified2020-06-02
    plugin id102980
    published2017-09-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102980
    titleVirtuozzo 7 : readykernel-patch (VZA-2017-078)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/150552/linkernel48-leak.txt
idPACKETSTORM:150552
last seen2018-12-01
published2018-12-01
reporterJinbum Park
sourcehttps://packetstormsecurity.com/files/150552/Linux-Kernel-4.8-Ubuntu-16.04-sctp-Kernel-Pointer-Leak.html
titleLinux Kernel 4.8 (Ubuntu 16.04) sctp Kernel Pointer Leak

Redhat

advisories
  • bugzilla
    id1487295
    titleCVE-2017-14106 kernel: Divide-by-zero in __tcp_select_window
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • commentkernel earlier than 0:3.10.0-693.5.2.el7 is currently running
          ovaloval:com.redhat.rhsa:tst:20172930031
        • commentkernel earlier than 0:3.10.0-693.5.2.el7 is set to boot up on next boot
          ovaloval:com.redhat.rhsa:tst:20172930032
      • OR
        • AND
          • commentkernel-tools-libs-devel is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930001
          • commentkernel-tools-libs-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140678022
        • AND
          • commentkernel-abi-whitelists is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930003
          • commentkernel-abi-whitelists is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20131645022
        • AND
          • commentkernel-doc is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930005
          • commentkernel-doc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842002
        • AND
          • commentperf is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930007
          • commentperf is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842006
        • AND
          • commentkernel is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930009
          • commentkernel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842012
        • AND
          • commentkernel-tools-libs is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930011
          • commentkernel-tools-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140678016
        • AND
          • commentkernel-headers is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930013
          • commentkernel-headers is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842010
        • AND
          • commentkernel-debug is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930015
          • commentkernel-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842014
        • AND
          • commentkernel-tools is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930017
          • commentkernel-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140678012
        • AND
          • commentkernel-debug-devel is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930019
          • commentkernel-debug-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842008
        • AND
          • commentpython-perf is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930021
          • commentpython-perf is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20111530024
        • AND
          • commentkernel-devel is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930023
          • commentkernel-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842016
        • AND
          • commentkernel-bootwrapper is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930025
          • commentkernel-bootwrapper is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842018
        • AND
          • commentkernel-kdump-devel is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930027
          • commentkernel-kdump-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842022
        • AND
          • commentkernel-kdump is earlier than 0:3.10.0-693.5.2.el7
            ovaloval:com.redhat.rhsa:tst:20172930029
          • commentkernel-kdump is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20100842020
    rhsa
    idRHSA-2017:2930
    released2017-10-19
    severityImportant
    titleRHSA-2017:2930: kernel security and bug fix update (Important)
  • bugzilla
    id1489084
    titlekernel-rt: update to the RHEL7.4.z batch#2 source tree
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentkernel-rt-doc is earlier than 0:3.10.0-693.5.2.rt56.626.el7
            ovaloval:com.redhat.rhsa:tst:20172931001
          • commentkernel-rt-doc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727002
        • AND
          • commentkernel-rt-trace is earlier than 0:3.10.0-693.5.2.rt56.626.el7
            ovaloval:com.redhat.rhsa:tst:20172931003
          • commentkernel-rt-trace is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727008
        • AND
          • commentkernel-rt-debug is earlier than 0:3.10.0-693.5.2.rt56.626.el7
            ovaloval:com.redhat.rhsa:tst:20172931005
          • commentkernel-rt-debug is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727014
        • AND
          • commentkernel-rt-trace-devel is earlier than 0:3.10.0-693.5.2.rt56.626.el7
            ovaloval:com.redhat.rhsa:tst:20172931007
          • commentkernel-rt-trace-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727004
        • AND
          • commentkernel-rt-devel is earlier than 0:3.10.0-693.5.2.rt56.626.el7
            ovaloval:com.redhat.rhsa:tst:20172931009
          • commentkernel-rt-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727012
        • AND
          • commentkernel-rt-debug-devel is earlier than 0:3.10.0-693.5.2.rt56.626.el7
            ovaloval:com.redhat.rhsa:tst:20172931011
          • commentkernel-rt-debug-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727010
        • AND
          • commentkernel-rt is earlier than 0:3.10.0-693.5.2.rt56.626.el7
            ovaloval:com.redhat.rhsa:tst:20172931013
          • commentkernel-rt is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20150727006
        • AND
          • commentkernel-rt-kvm is earlier than 0:3.10.0-693.5.2.rt56.626.el7
            ovaloval:com.redhat.rhsa:tst:20172931015
          • commentkernel-rt-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20160212018
        • AND
          • commentkernel-rt-trace-kvm is earlier than 0:3.10.0-693.5.2.rt56.626.el7
            ovaloval:com.redhat.rhsa:tst:20172931017
          • commentkernel-rt-trace-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20160212016
        • AND
          • commentkernel-rt-debug-kvm is earlier than 0:3.10.0-693.5.2.rt56.626.el7
            ovaloval:com.redhat.rhsa:tst:20172931019
          • commentkernel-rt-debug-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20160212020
    rhsa
    idRHSA-2017:2931
    released2017-10-19
    severityImportant
    titleRHSA-2017:2931: kernel-rt security and bug fix update (Important)
  • rhsa
    idRHSA-2017:2918
rpms
  • kernel-rt-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-debug-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-debug-debuginfo-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-debug-devel-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-debuginfo-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-debuginfo-common-x86_64-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-devel-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-doc-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-firmware-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-trace-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-trace-debuginfo-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-trace-devel-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-vanilla-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-vanilla-debuginfo-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-rt-vanilla-devel-1:3.10.0-693.5.2.rt56.592.el6rt
  • kernel-0:3.10.0-693.5.2.el7
  • kernel-abi-whitelists-0:3.10.0-693.5.2.el7
  • kernel-bootwrapper-0:3.10.0-693.5.2.el7
  • kernel-debug-0:3.10.0-693.5.2.el7
  • kernel-debug-debuginfo-0:3.10.0-693.5.2.el7
  • kernel-debug-devel-0:3.10.0-693.5.2.el7
  • kernel-debuginfo-0:3.10.0-693.5.2.el7
  • kernel-debuginfo-common-ppc64-0:3.10.0-693.5.2.el7
  • kernel-debuginfo-common-ppc64le-0:3.10.0-693.5.2.el7
  • kernel-debuginfo-common-s390x-0:3.10.0-693.5.2.el7
  • kernel-debuginfo-common-x86_64-0:3.10.0-693.5.2.el7
  • kernel-devel-0:3.10.0-693.5.2.el7
  • kernel-doc-0:3.10.0-693.5.2.el7
  • kernel-headers-0:3.10.0-693.5.2.el7
  • kernel-kdump-0:3.10.0-693.5.2.el7
  • kernel-kdump-debuginfo-0:3.10.0-693.5.2.el7
  • kernel-kdump-devel-0:3.10.0-693.5.2.el7
  • kernel-tools-0:3.10.0-693.5.2.el7
  • kernel-tools-debuginfo-0:3.10.0-693.5.2.el7
  • kernel-tools-libs-0:3.10.0-693.5.2.el7
  • kernel-tools-libs-devel-0:3.10.0-693.5.2.el7
  • perf-0:3.10.0-693.5.2.el7
  • perf-debuginfo-0:3.10.0-693.5.2.el7
  • python-perf-0:3.10.0-693.5.2.el7
  • python-perf-debuginfo-0:3.10.0-693.5.2.el7
  • kernel-rt-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-debuginfo-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debug-kvm-debuginfo-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debuginfo-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-debuginfo-common-x86_64-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-doc-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-kvm-debuginfo-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-debuginfo-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-devel-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-kvm-0:3.10.0-693.5.2.rt56.626.el7
  • kernel-rt-trace-kvm-debuginfo-0:3.10.0-693.5.2.rt56.626.el7