Vulnerabilities > CVE-2017-9725 - Incorrect Calculation vulnerability in Google Android

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2019-4315.
#

include("compat.inc");

if (description)
{
  script_id(120976);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/26");

  script_cve_id("CVE-2017-18079", "CVE-2017-18174", "CVE-2017-18221", "CVE-2017-18255", "CVE-2017-9725", "CVE-2018-1092", "CVE-2018-7995", "CVE-2018-9363", "CVE-2018-9516");

  script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4315)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Description of changes:

[4.1.12-124.24.1.el7uek]
- pinctrl: amd: Use devm_pinctrl_register() for pinctrl registration 
(Laxman Dewangan)  [Orabug: 27539246]  {CVE-2017-18174}
- mlock: fix mlock count can not decrease in race condition (Yisheng 
Xie)  [Orabug: 27677611]  {CVE-2017-18221}
- perf/core: Fix the perf_cpu_time_max_percent check (Tan Xiaojun) 
[Orabug: 27823815]  {CVE-2017-18255}
- x86/microcode/intel: Fix a wrong assignment of revision in _save_mc 
(Zhenzhong Duan)  [Orabug: 28190263] - mm: cma: fix incorrect type 
conversion for size during dma allocation (Rohit Vaswani)  [Orabug: 
28407826]  {CVE-2017-9725}
- x86/speculation: Make enhanced IBRS the default spectre v2 mitigation 
(Alejandro Jimenez)  [Orabug: 28474851] - x86/speculation: Enable 
enhanced IBRS usage (Alejandro Jimenez)  [Orabug: 28474851] - 
x86/speculation: functions for supporting enhanced IBRS (Alejandro 
Jimenez)  [Orabug: 28474851] - xen/blkback: fix disconnect while I/Os in 
flight (Juergen Gross)  [Orabug: 28744234] - mlx4_vnic: use the mlid 
while calling ib_detach_mcast (aru kolappan)  [Orabug: 29029705] - ext4: 
fail ext4_iget for root directory if unallocated (Theodore Ts'o) 
[Orabug: 29048557]  {CVE-2018-1092} {CVE-2018-1092}
- Bluetooth: hidp: buffer overflow in hidp_process_report (Mark Salyzyn) 
  [Orabug: 29121215]  {CVE-2018-9363} {CVE-2018-9363}
- HID: debug: check length before copy_to_user() (Daniel Rosenberg) 
[Orabug: 29128165]  {CVE-2018-9516}
- x86/MCE: Serialize sysfs changes (Seunghun Han)  [Orabug: 29149888] 
{CVE-2018-7995}
- Input: i8042 - fix crash at boot time (Chen Hong)  [Orabug: 29152328] 
{CVE-2017-18079}"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2019-January/008354.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2019-January/008355.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected unbreakable enterprise kernel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9725");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/01/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
include("ksplice.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2017-18079", "CVE-2017-18174", "CVE-2017-18221", "CVE-2017-18255", "CVE-2017-9725", "CVE-2018-1092", "CVE-2018-7995", "CVE-2018-9363", "CVE-2018-9516");  
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2019-4315");
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

kernel_major_minor = get_kb_item("Host/uname/major_minor");
if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
expected_kernel_major_minor = "4.1";
if (kernel_major_minor != expected_kernel_major_minor)
  audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);

flag = 0;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-4.1.12-124.24.1.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-124.24.1.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-124.24.1.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-124.24.1.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-124.24.1.el6uek")) flag++;
if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-124.24.1.el6uek")) flag++;

if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.1.12-124.24.1.el7uek")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.1.12-124.24.1.el7uek")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.1.12-124.24.1.el7uek")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.1.12-124.24.1.el7uek")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.1.12-124.24.1.el7uek")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-4.1.12") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-4.1.12-124.24.1.el7uek")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
}

#
# (C) Tenable Network Security, Inc.
#

# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2019-0070. The text
# itself is copyright (C) ZTE, Inc.

include("compat.inc");

if (description)
{
  script_id(127272);
  script_version("1.2");
  script_cvs_date("Date: 2019/09/24 11:01:33");

  script_cve_id(
    "CVE-2015-8830",
    "CVE-2016-3672",
    "CVE-2016-7913",
    "CVE-2017-0861",
    "CVE-2017-9725",
    "CVE-2017-10661",
    "CVE-2017-12154",
    "CVE-2017-12190",
    "CVE-2017-13305",
    "CVE-2017-15129",
    "CVE-2017-15265",
    "CVE-2017-15274",
    "CVE-2017-17448",
    "CVE-2017-17449",
    "CVE-2017-17558",
    "CVE-2017-17805",
    "CVE-2017-18017",
    "CVE-2017-18203",
    "CVE-2017-18208",
    "CVE-2017-1000252",
    "CVE-2017-1000407",
    "CVE-2017-1000410",
    "CVE-2018-1120",
    "CVE-2018-1130",
    "CVE-2018-3646",
    "CVE-2018-5344",
    "CVE-2018-5750",
    "CVE-2018-5803",
    "CVE-2018-5848",
    "CVE-2018-7566",
    "CVE-2018-9568",
    "CVE-2018-17972",
    "CVE-2018-18397",
    "CVE-2018-18690",
    "CVE-2018-1000004",
    "CVE-2018-1000026"
  );
  script_bugtraq_id(102329);

  script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)");

  script_set_attribute(attribute:"synopsis", value:
"The remote machine is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by
multiple vulnerabilities:

  - Integer overflow in the aio_setup_single_vector function
    in fs/aio.c in the Linux kernel 4.0 allows local users
    to cause a denial of service or possibly have
    unspecified other impact via a large AIO iovec. NOTE:
    this vulnerability exists because of a CVE-2012-6701
    regression. (CVE-2015-8830)

  - A weakness was found in the Linux ASLR implementation.
    Any user able to running 32-bit applications in a x86
    machine can disable ASLR by setting the RLIMIT_STACK
    resource to unlimited. (CVE-2016-3672)

  - The xc2028_set_config function in
    drivers/media/tuners/tuner-xc2028.c in the Linux kernel
    before 4.6 allows local users to gain privileges or
    cause a denial of service (use-after-free) via vectors
    involving omission of the firmware name from a certain
    data structure. Due to the nature of the flaw, privilege
    escalation cannot be fully ruled out, although we
    believe it is unlikely. (CVE-2016-7913)

  - Use-after-free vulnerability in the snd_pcm_info()
    function in the ALSA subsystem in the Linux kernel
    allows attackers to induce a kernel memory corruption
    and possibly crash or lock up a system. Due to the
    nature of the flaw, a privilege escalation cannot be
    fully ruled out, although we believe it is unlikely.
    (CVE-2017-0861)

  - A reachable assertion failure flaw was found in the
    Linux kernel built with KVM virtualisation(CONFIG_KVM)
    support with Virtual Function I/O feature (CONFIG_VFIO)
    enabled. This failure could occur if a malicious guest
    device sent a virtual interrupt (guest IRQ) with a
    larger (>1024) index value. (CVE-2017-1000252)

  - Linux kernel Virtualization Module (CONFIG_KVM) for the
    Intel processor family (CONFIG_KVM_INTEL) is vulnerable
    to a DoS issue. It could occur if a guest was to flood
    the I/O port 0x80 with write requests. A guest user
    could use this flaw to crash the host kernel resulting
    in DoS. (CVE-2017-1000407)

  - A flaw was found in the processing of incoming L2CAP
    bluetooth commands. Uninitialized stack variables can be
    sent to an attacker leaking data in kernel address
    space. (CVE-2017-1000410)

  - A race condition was found in the Linux kernel before
    version 4.11-rc1 in 'fs/timerfd.c' file which allows a
    local user to cause a kernel list corruption or use-
    after-free via simultaneous operations with a file
    descriptor which leverage improper 'might_cancel'
    queuing. An unprivileged local user could use this flaw
    to cause a denial of service of the system. Due to the
    nature of the flaw, privilege escalation cannot be fully
    ruled out, although we believe it is unlikely.
    (CVE-2017-10661)

  - Linux kernel built with the KVM visualization support
    (CONFIG_KVM), with nested visualization (nVMX) feature
    enabled (nested=1), is vulnerable to a crash due to
    disabled external interrupts. As L2 guest could access
    (r/w) hardware CR8 register of the host(L0). In a nested
    visualization setup, L2 guest user could use this flaw
    to potentially crash the host(L0) resulting in DoS.
    (CVE-2017-12154)

  - It was found that in the Linux kernel through v4.14-rc5,
    bio_map_user_iov() and bio_unmap_user() in 'block/bio.c'
    do unbalanced pages refcounting if IO vector has small
    consecutive buffers belonging to the same page.
    bio_add_pc_page() merges them into one, but the page
    reference is never dropped, causing a memory leak and
    possible system lockup due to out-of-memory condition.
    (CVE-2017-12190)

  - A flaw was found in the Linux kernel's implementation of
    valid_master_desc() in which a memory buffer would be
    compared to a userspace value with an incorrect size of
    comparison. By bruteforcing the comparison, an attacker
    could determine what was in memory after the description
    and possibly obtain sensitive information from kernel
    memory. (CVE-2017-13305)

  - A use-after-free vulnerability was found in a network
    namespaces code affecting the Linux kernel since
    v4.0-rc1 through v4.15-rc5. The function
    get_net_ns_by_id() does not check for the net::count
    value after it has found a peer network in netns_ids idr
    which could lead to double free and memory corruption.
    This vulnerability could allow an unprivileged local
    user to induce kernel memory corruption on the system,
    leading to a crash. Due to the nature of the flaw,
    privilege escalation cannot be fully ruled out, although
    it is thought to be unlikely. (CVE-2017-15129)

  - A use-after-free vulnerability was found when issuing an
    ioctl to a sound device. This could allow a user to
    exploit a race condition and create memory corruption or
    possibly privilege escalation. (CVE-2017-15265)

  - A flaw was found in the implementation of associative
    arrays where the add_key systemcall and KEYCTL_UPDATE
    operations allowed for a NULL payload with a nonzero
    length. When accessing the payload within this length
    parameters value, an unprivileged user could trivially
    cause a NULL pointer dereference (kernel oops).
    (CVE-2017-15274)

  - The net/netfilter/nfnetlink_cthelper.c function in the
    Linux kernel through 4.14.4 does not require the
    CAP_NET_ADMIN capability for new, get, and del
    operations. This allows local users to bypass intended
    access restrictions because the nfnl_cthelper_list data
    structure is shared across all net namespaces.
    (CVE-2017-17448)

  - The __netlink_deliver_tap_skb function in
    net/netlink/af_netlink.c in the Linux kernel, through
    4.14.4, does not restrict observations of Netlink
    messages to a single net namespace, when CONFIG_NLMON is
    enabled. This allows local users to obtain sensitive
    information by leveraging the CAP_NET_ADMIN capability
    to sniff an nlmon interface for all Netlink activity on
    the system. (CVE-2017-17449)

  - The usb_destroy_configuration() function, in
    'drivers/usb/core/config.c' in the USB core subsystem,
    in the Linux kernel through 4.14.5 does not consider the
    maximum number of configurations and interfaces before
    attempting to release resources. This allows local users
    to cause a denial of service, due to out-of-bounds write
    access, or possibly have unspecified other impact via a
    crafted USB device. Due to the nature of the flaw,
    privilege escalation cannot be fully ruled out, although
    we believe it is unlikely. (CVE-2017-17558)

  - The Salsa20 encryption algorithm in the Linux kernel,
    before 4.14.8, does not correctly handle zero-length
    inputs. This allows a local attacker the ability to use
    the AF_ALG-based skcipher interface to cause a denial of
    service (uninitialized-memory free and kernel crash) or
    have an unspecified other impact by executing a crafted
    sequence of system calls that use the blkcipher_walk
    API. Both the generic implementation
    (crypto/salsa20_generic.c) and x86 implementation
    (arch/x86/crypto/salsa20_glue.c) of Salsa20 are
    vulnerable. (CVE-2017-17805)

  - The tcpmss_mangle_packet function in
    net/netfilter/xt_TCPMSS.c in the Linux kernel before
    4.11, and 4.9.x before 4.9.36, allows remote attackers
    to cause a denial of service (use-after-free and memory
    corruption) or possibly have unspecified other impact by
    leveraging the presence of xt_TCPMSS in an iptables
    action. Due to the nature of the flaw, privilege
    escalation cannot be fully ruled out, although we
    believe it is unlikely. (CVE-2017-18017)

  - The Linux kernel, before version 4.14.3, is vulnerable
    to a denial of service in
    drivers/md/dm.c:dm_get_from_kobject() which can be
    caused by local users leveraging a race condition with
    __dm_destroy() during creation and removal of DM
    devices. Only privileged local users (with CAP_SYS_ADMIN
    capability) can directly perform the ioctl operations
    for dm device creation and removal and this would
    typically be outside the direct control of the
    unprivileged attacker. (CVE-2017-18203)

  - The madvise_willneed function in the Linux kernel allows
    local users to cause a denial of service (infinite loop)
    by triggering use of MADVISE_WILLNEED for a DAX mapping.
    (CVE-2017-18208)

  - A flaw was found where the kernel truncated the value
    used to indicate the size of a buffer which it would
    later become zero using an untruncated value. This can
    corrupt memory outside of the original allocation.
    (CVE-2017-9725)

  - In the Linux kernel versions 4.12, 3.10, 2.6, and
    possibly earlier, a race condition vulnerability exists
    in the sound system allowing for a potential deadlock
    and memory corruption due to use-after-free condition
    and thus denial of service. Due to the nature of the
    flaw, privilege escalation cannot be fully ruled out,
    although we believe it is unlikely. (CVE-2018-1000004)

  - Improper validation in the bnx2x network card driver of
    the Linux kernel version 4.15 can allow for denial of
    service (DoS) attacks via a packet with a gso_size
    larger than ~9700 bytes. Untrusted guest VMs can exploit
    this vulnerability in the host machine, causing a crash
    in the network card. (CVE-2018-1000026)

  - By mmap()ing a FUSE-backed file onto a process's memory
    containing command line arguments (or environment
    strings), an attacker can cause utilities from psutils
    or procps (such as ps, w) or any other program which
    makes a read() call to the /proc//cmdline (or
    /proc//environ) files to block indefinitely (denial
    of service) or for some controlled time (as a
    synchronization primitive for other attacks).
    (CVE-2018-1120)

  - A null pointer dereference in dccp_write_xmit() function
    in net/dccp/output.c in the Linux kernel allows a local
    user to cause a denial of service by a number of certain
    crafted system calls. (CVE-2018-1130)

  - An issue was discovered in the proc_pid_stack function
    in fs/proc/base.c in the Linux kernel. An attacker with
    a local account can trick the stack unwinder code to
    leak stack contents to userspace. The fix allows only
    root to inspect the kernel stack of an arbitrary task.
    (CVE-2018-17972)

  - A flaw was found in the Linux kernel with files on tmpfs
    and hugetlbfs. An attacker is able to bypass file
    permissions on filesystems mounted with tmpfs/hugetlbs
    to modify a file and possibly disrupt normal system
    behavior. At this time there is an understanding there
    is no crash or privilege escalation but the impact of
    modifications on these filesystems of files in
    production systems may have adverse affects.
    (CVE-2018-18397)

  - In the Linux kernel before 4.17, a local attacker able
    to set attributes on an xfs filesystem could make this
    filesystem non-operational until the next mount by
    triggering an unchecked error condition during an xfs
    attribute change, because xfs_attr_shortform_addname in
    fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE
    operations with conversion of an attr from short to long
    form. (CVE-2018-18690)

  - Modern operating systems implement virtualization of
    physical memory to efficiently use available system
    resources and provide inter-domain protection through
    access control and isolation. The L1TF issue was found
    in the way the x86 microprocessor designs have
    implemented speculative execution of instructions (a
    commonly used performance optimization) in combination
    with handling of page-faults caused by terminated
    virtual to physical address resolving process. As a
    result, an unprivileged attacker could use this flaw to
    read privileged memory of the kernel or other processes
    and/or cross guest/host boundaries to read host memory
    by conducting targeted cache side-channel attacks.
    (CVE-2018-3646)

  - A flaw was found in the Linux kernel's handling of
    loopback devices. An attacker, who has permissions to
    setup loopback disks, may create a denial of service or
    other unspecified actions. (CVE-2018-5344)

  - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c
    in the Linux kernel, through 4.14.15, allows local users
    to obtain sensitive address information by reading dmesg
    data from an SBS HC printk call. (CVE-2018-5750)

  - An error in the _sctp_make_chunk() function
    (net/sctp/sm_make_chunk.c) when handling SCTP, packet
    length can be exploited by a malicious local user to
    cause a kernel crash and a DoS. (CVE-2018-5803)

  - In the function wmi_set_ie() in the Linux kernel the
    length validation code does not handle unsigned integer
    overflow properly. As a result, a large value of the
    ie_len argument can cause a buffer overflow and thus a
    memory corruption leading to a system crash or other or
    unspecified impact. Due to the nature of the flaw,
    privilege escalation cannot be fully ruled out, although
    we believe it is unlikely. (CVE-2018-5848)

  - ALSA sequencer core initializes the event pool on demand
    by invoking snd_seq_pool_init() when the first write
    happens and the pool is empty. A user can reset the pool
    size manually via ioctl concurrently, and this may lead
    to UAF or out-of-bound access. (CVE-2018-7566)

  - A possible memory corruption due to a type confusion was
    found in the Linux kernel in the sk_clone_lock()
    function in the net/core/sock.c. The possibility of
    local escalation of privileges cannot be fully ruled out
    for a local unprivileged attacker. (CVE-2018-9568)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0070");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for
more information.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-18017");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/ZTE-CGSL/release");
if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");

if (release !~ "CGSL CORE 5.04" &&
    release !~ "CGSL MAIN 5.04")
  audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');

if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);

flag = 0;

pkgs = {
  "CGSL CORE 5.04": [
    "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-debug-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-debug-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
    "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite"
  ],
  "CGSL MAIN 5.04": [
    "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-debug-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
    "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9"
  ]
};
pkg_list = pkgs[release];

foreach (pkg in pkg_list)
  if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2018:1062 and 
# Oracle Linux Security Advisory ELSA-2018-1062 respectively.
#

include("compat.inc");

if (description)
{
  script_id(109113);
  script_version("1.9");
  script_cvs_date("Date: 2019/09/27 13:00:38");

  script_cve_id("CVE-2016-3672", "CVE-2016-7913", "CVE-2016-8633", "CVE-2017-1000252", "CVE-2017-1000407", "CVE-2017-1000410", "CVE-2017-12154", "CVE-2017-12190", "CVE-2017-13166", "CVE-2017-13305", "CVE-2017-14140", "CVE-2017-15116", "CVE-2017-15121", "CVE-2017-15126", "CVE-2017-15127", "CVE-2017-15129", "CVE-2017-15265", "CVE-2017-15274", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17558", "CVE-2017-18017", "CVE-2017-18203", "CVE-2017-18270", "CVE-2017-7294", "CVE-2017-8824", "CVE-2017-9725", "CVE-2018-1000004", "CVE-2018-5750", "CVE-2018-6927");
  script_xref(name:"RHSA", value:"2018:1062");

  script_name(english:"Oracle Linux 7 : kernel (ELSA-2018-1062)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"From Red Hat Security Advisory 2018:1062 :

An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security Fix(es) :

* hw: cpu: speculative execution permission faults handling
(CVE-2017-5754, Important, KVM for Power)

* kernel: Buffer overflow in firewire driver via crafted incoming
packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824,
Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register
(CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing
privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver
(CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in
vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation
(CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors
(CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client
(CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function
in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id()
(CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port()
(CVE-2017-15265, Moderate)

* kernel: Missing capabilities check in
net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to
systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows
for network monitors to observe systemwide activity (CVE-2017-17449,
Moderate)

* kernel: Unallocated memory access by malicious USB device via
bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function
in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject()
allows local users to cause a denial of service (CVE-2017-18203,
Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ
(CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407,
Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410,
Moderate)

* kernel: Kernel address information leak in drivers/acpi/
sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass
(CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service
(CVE-2018-1000004, Moderate)

* kernel: multiple Low security impact security issues (CVE-2016-3672,
CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for
reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting
CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea
Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for
reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting
CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The
CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and
the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

For more details about the security issue(s), including the impact, a
CVSS score, and other related information, refer to the CVE page(s)
listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.5 Release Notes linked from the References section."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2018-April/007619.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-abi-whitelists");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/18");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
include("ksplice.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2016-3672", "CVE-2016-7913", "CVE-2016-8633", "CVE-2017-1000252", "CVE-2017-1000407", "CVE-2017-1000410", "CVE-2017-12154", "CVE-2017-12190", "CVE-2017-13166", "CVE-2017-13305", "CVE-2017-14140", "CVE-2017-15116", "CVE-2017-15121", "CVE-2017-15126", "CVE-2017-15127", "CVE-2017-15129", "CVE-2017-15265", "CVE-2017-15274", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17558", "CVE-2017-18017", "CVE-2017-18203", "CVE-2017-18270", "CVE-2017-7294", "CVE-2017-8824", "CVE-2017-9725", "CVE-2018-1000004", "CVE-2018-5750", "CVE-2018-6927");  
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2018-1062");
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

kernel_major_minor = get_kb_item("Host/uname/major_minor");
if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
expected_kernel_major_minor = "3.10";
if (kernel_major_minor != expected_kernel_major_minor)
  audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);

flag = 0;
if (rpm_exists(release:"EL7", rpm:"kernel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-3.10.0-862.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-abi-whitelists-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-abi-whitelists-3.10.0-862.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-debug-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-862.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-debug-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-862.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-862.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-doc-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-doc-3.10.0-862.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-headers-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-862.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-tools-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-862.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-862.el7")) flag++;
if (rpm_exists(release:"EL7", rpm:"kernel-tools-libs-devel-3.10.0") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-862.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"perf-3.10.0-862.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"python-perf-3.10.0-862.el7")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124836);
  script_version("1.4");
  script_cvs_date("Date: 2019/06/27 13:33:26");

  script_cve_id(
    "CVE-2014-8171",
    "CVE-2017-12762",
    "CVE-2017-5715",
    "CVE-2017-5753",
    "CVE-2017-9725",
    "CVE-2018-3620",
    "CVE-2018-3639",
    "CVE-2018-3646",
    "CVE-2018-9516",
    "CVE-2018-9568"
  );
  script_bugtraq_id(
    74293
  );

  script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1515)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :

  - A flaw was found where the kernel truncated the value
    used to indicate the size of a buffer which it would
    later become zero using an untruncated value. This can
    corrupt memory outside of the original
    allocation.(CVE-2017-9725)

  - An industry-wide issue was found in the way many modern
    microprocessor designs have implemented speculative
    execution of instructions (a commonly used performance
    optimization). There are three primary variants of the
    issue which differ in the way the speculative execution
    can be exploited. Variant CVE-2017-5753 triggers the
    speculative execution by performing a bounds-check
    bypass. It relies on the presence of a
    precisely-defined instruction sequence in the
    privileged code as well as the fact that memory
    accesses may cause allocation into the microprocessor's
    data cache even for speculatively executed instructions
    that never actually commit (retire). As a result, an
    unprivileged attacker could use this flaw to cross the
    syscall boundary and read privileged memory by
    conducting targeted cache side-channel
    attacks.(CVE-2017-5753)

  - A buffer overflow was found in the Linux kernel's
    isdn_net_newslave() function in the
    /drivers/isdn/i4l/isdn_net.c file. An overflow happens
    when the user-controlled buffer is copied into a local
    buffer of constant size using strcpy() without a length
    check.(CVE-2017-12762)

  - Modern operating systems implement virtualization of
    physical memory to efficiently use available system
    resources and provide inter-domain protection through
    access control and isolation. The L1TF issue was found
    in the way the x86 microprocessor designs have
    implemented speculative execution of instructions (a
    commonly used performance optimization) in combination
    with handling of page-faults caused by terminated
    virtual to physical address resolving process. As a
    result, an unprivileged attacker could use this flaw to
    read privileged memory of the kernel or other processes
    and/or cross guest/host boundaries to read host memory
    by conducting targeted cache side-channel
    attacks.(CVE-2018-3646)

  - An industry-wide issue was found in the way many modern
    microprocessor designs have implemented speculative
    execution of instructions (a commonly used performance
    optimization). There are three primary variants of the
    issue which differ in the way the speculative execution
    can be exploited. Variant CVE-2017-5715 triggers the
    speculative execution by utilizing branch target
    injection. It relies on the presence of a
    precisely-defined instruction sequence in the
    privileged code as well as the fact that memory
    accesses may cause allocation into the microprocessor's
    data cache even for speculatively executed instructions
    that never actually commit (retire). As a result, an
    unprivileged attacker could use this flaw to cross the
    syscall and guest/host boundaries and read privileged
    memory by conducting targeted cache side-channel
    attacks.(CVE-2017-5715)

  - Modern operating systems implement virtualization of
    physical memory to efficiently use available system
    resources and provide inter-domain protection through
    access control and isolation. The L1TF issue was found
    in the way the x86 microprocessor designs have
    implemented speculative execution of instructions (a
    commonly used performance optimization) in combination
    with handling of page-faults caused by terminated
    virtual to physical address resolving process. As a
    result, an unprivileged attacker could use this flaw to
    read privileged memory of the kernel or other processes
    and/or cross guest/host boundaries to read host memory
    by conducting targeted cache side-channel
    attacks.(CVE-2018-3620)

  - In hid_debug_events_read of drivers/hid/hid-debug.c,
    there is a possible out of bounds write due to a
    missing bounds check. This could lead to local
    escalation of privilege with System execution
    privileges needed. User interaction is not needed for
    exploitation. Product: Android Versions: Android kernel
    Android ID: A-71361580.(CVE-2018-9516)

  - Systems with microprocessors utilizing speculative
    execution and speculative execution of memory reads
    before the addresses of all prior memory writes are
    known may allow unauthorized disclosure of information
    to an attacker with local user access via a
    side-channel analysis, aka Speculative Store Bypass
    (SSB), Variant 4.(CVE-2018-3639)

  - It was found that the Linux kernel memory resource
    controller's (memcg) handling of OOM (out of memory)
    conditions could lead to deadlocks. An attacker able to
    continuously spawn new processes within a single
    memory-constrained cgroup during an OOM event could use
    this flaw to lock up the system.(CVE-2014-8171)

  - In sk_clone_lock of sock.c, there is a possible memory
    corruption due to type confusion. This could lead to
    local escalation of privilege with no additional
    execution privileges needed. User interaction is not
    needed for exploitation. Product: Android. Versions:
    Android kernel. Android ID: A-113509306. References:
    Upstream kernel.(CVE-2018-9568)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1515
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?789df8aa");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-862.14.1.6_42",
        "kernel-devel-3.10.0-862.14.1.6_42",
        "kernel-headers-3.10.0-862.14.1.6_42",
        "kernel-tools-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
        "perf-3.10.0-862.14.1.6_42",
        "python-perf-3.10.0-862.14.1.6_42"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2018:1062 and 
# CentOS Errata and Security Advisory 2018:1062 respectively.
#

include("compat.inc");

if (description)
{
  script_id(109380);
  script_version("1.8");
  script_cvs_date("Date: 2019/12/31");

  script_cve_id("CVE-2016-3672", "CVE-2016-7913", "CVE-2016-8633", "CVE-2017-1000252", "CVE-2017-1000407", "CVE-2017-1000410", "CVE-2017-12154", "CVE-2017-12190", "CVE-2017-13166", "CVE-2017-13305", "CVE-2017-14140", "CVE-2017-15116", "CVE-2017-15121", "CVE-2017-15126", "CVE-2017-15127", "CVE-2017-15129", "CVE-2017-15265", "CVE-2017-15274", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17558", "CVE-2017-18017", "CVE-2017-18203", "CVE-2017-18270", "CVE-2017-7294", "CVE-2017-8824", "CVE-2017-9725", "CVE-2018-1000004", "CVE-2018-5750", "CVE-2018-6927");
  script_xref(name:"RHSA", value:"2018:1062");

  script_name(english:"CentOS 7 : kernel (CESA-2018:1062)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote CentOS host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"An update for kernel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security Fix(es) :

* hw: cpu: speculative execution permission faults handling
(CVE-2017-5754, Important, KVM for Power)

* kernel: Buffer overflow in firewire driver via crafted incoming
packets (CVE-2016-8633, Important)

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824,
Important)

* Kernel: kvm: nVMX: L2 guest could access hardware(L0) CR8 register
(CVE-2017-12154, Important)

* kernel: v4l2: disabled memory access protection mechanism allowing
privilege escalation (CVE-2017-13166, Important)

* kernel: media: use-after-free in [tuner-xc2028] media driver
(CVE-2016-7913, Moderate)

* kernel: drm/vmwgfx: fix integer overflow in
vmw_surface_define_ioctl() (CVE-2017-7294, Moderate)

* kernel: Incorrect type conversion for size during dma allocation
(CVE-2017-9725, Moderate)

* kernel: memory leak when merging buffers in SCSI IO vectors
(CVE-2017-12190, Moderate)

* kernel: vfs: BUG in truncate_inode_pages_range() and fuse client
(CVE-2017-15121, Moderate)

* kernel: Use-after-free in userfaultfd_event_wait_completion function
in userfaultfd.c (CVE-2017-15126, Moderate)

* kernel: net: double-free and memory corruption in get_net_ns_by_id()
(CVE-2017-15129, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port()
(CVE-2017-15265, Moderate)

* kernel: Missing capabilities check in
net/netfilter/nfnetlink_cthelper.c allows for unprivileged access to
systemwide nfnl_cthelper_list structure (CVE-2017-17448, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows
for network monitors to observe systemwide activity (CVE-2017-17449,
Moderate)

* kernel: Unallocated memory access by malicious USB device via
bNumInterfaces overflow (CVE-2017-17558, Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function
in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: Race condition in drivers/md/dm.c:dm_get_from_kobject()
allows local users to cause a denial of service (CVE-2017-18203,
Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ
(CVE-2017-1000252, Moderate)

* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407,
Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410,
Moderate)

* kernel: Kernel address information leak in drivers/acpi/
sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass
(CVE-2018-5750, Moderate)

* kernel: Race condition in sound system can lead to denial of service
(CVE-2018-1000004, Moderate)

* kernel: multiple Low security impact security issues (CVE-2016-3672,
CVE-2017-14140, CVE-2017-15116, CVE-2017-15127, CVE-2018-6927, Low)

Red Hat would like to thank Eyal Itkin for reporting CVE-2016-8633;
Google Project Zero for reporting CVE-2017-5754; Mohamed Ghannam for
reporting CVE-2017-8824; Jim Mattson (Google.com) for reporting
CVE-2017-12154; Vitaly Mayatskih for reporting CVE-2017-12190; Andrea
Arcangeli (Engineering) for reporting CVE-2017-15126; Kirill Tkhai for
reporting CVE-2017-15129; Jan H. Schonherr (Amazon) for reporting
CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410. The
CVE-2017-15121 issue was discovered by Miklos Szeredi (Red Hat) and
the CVE-2017-15116 issue was discovered by ChunYu Wang (Red Hat).

For more details about the security issue(s), including the impact, a
CVSS score, and other related information, refer to the CVE page(s)
listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.5 Release Notes linked from the References section."
  );
  # https://lists.centos.org/pipermail/centos-cr-announce/2018-April/005226.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?14036024"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-18017");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-abi-whitelists");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/27");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"CentOS Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/CentOS/release");
if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);

if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);


flag = 0;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-abi-whitelists-3.10.0-862.el7")) flag++;
if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"kernel-doc-3.10.0-862.el7")) flag++;


if (flag)
{
  cr_plugin_caveat = '\n' +
    'NOTE: The security advisory associated with this vulnerability has a\n' +
    'fixed package version that may only be available in the continuous\n' +
    'release (CR) repository for CentOS, until it is present in the next\n' +
    'point release of CentOS.\n\n' +

    'If an equal or higher package level does not exist in the baseline\n' +
    'repository for your major version of CentOS, then updates from the CR\n' +
    'repository will need to be applied in order to address the\n' +
    'vulnerability.\n';
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get() + cr_plugin_caveat
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-abi-whitelists / kernel-doc");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Red Hat Security Advisory RHSA-2018:1130. The text 
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(109116);
  script_version("1.10");
  script_cvs_date("Date: 2019/10/24 15:35:44");

  script_cve_id("CVE-2017-1000252", "CVE-2017-1000410", "CVE-2017-13166", "CVE-2017-15265", "CVE-2017-17449", "CVE-2017-18017", "CVE-2017-8824", "CVE-2017-9725");
  script_xref(name:"RHSA", value:"2018:1130");

  script_name(english:"RHEL 7 : kernel (RHSA-2018:1130)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"An update for kernel is now available for Red Hat Enterprise Linux 7.4
Extended Update Support.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

Security Fix(es) :

* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824,
Important)

* kernel: v4l2: disabled memory access protection mechanism allowing
privilege escalation (CVE-2017-13166, Important)

* kernel: Incorrect type conversion for size during dma allocation
(CVE-2017-9725, Moderate)

* kernel: Use-after-free in snd_seq_ioctl_create_port()
(CVE-2017-15265, Moderate)

* kernel: Missing namespace check in net/netlink/af_netlink.c allows
for network monitors to observe systemwide activity (CVE-2017-17449,
Moderate)

* kernel: netfilter: use-after-free in tcpmss_mangle_packet function
in net/ netfilter/xt_TCPMSS.c (CVE-2017-18017, Moderate)

* kernel: kvm: Reachable BUG() on out-of-bounds guest IRQ
(CVE-2017-1000252, Moderate)

* kernel: Stack information leak in the EFS element (CVE-2017-1000410,
Moderate)

For more details about the security issue(s), including the impact, a
CVSS score, and other related information, refer to the CVE page(s)
listed in the References section.

Red Hat would like to thank Mohamed Ghannam for reporting
CVE-2017-8824; Jan H. Schonherr (Amazon) for reporting
CVE-2017-1000252; and Armis Labs for reporting CVE-2017-1000410.

Bug Fix(es) :

These updated kernel packages include also numerous bug fixes. Space
precludes documenting all of these bug fixes in this advisory. See the
bug fix descriptions in the related Knowledge Article:
https://access.redhat.com/articles/3411331"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/articles/3411331"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2018:1130"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2017-8824"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2017-9725"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2017-13166"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2017-15265"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2017-17449"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2017-18017"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2017-1000252"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2017-1000410"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/18");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");
include("ksplice.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^7\.4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.4", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2017-1000252", "CVE-2017-1000410", "CVE-2017-13166", "CVE-2017-15265", "CVE-2017-17449", "CVE-2017-18017", "CVE-2017-8824", "CVE-2017-9725");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2018:1130");
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo)) 
{
  rhsa = "RHSA-2018:1130";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report 
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", reference:"kernel-abi-whitelists-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-debug-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debug-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-debug-debuginfo-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debug-debuginfo-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-debug-devel-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-debuginfo-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debuginfo-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-debuginfo-common-s390x-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-devel-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-devel-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", reference:"kernel-doc-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-headers-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-headers-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-kdump-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-kdump-debuginfo-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-kdump-devel-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-tools-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-tools-debuginfo-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"perf-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"perf-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"perf-debuginfo-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"perf-debuginfo-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"python-perf-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"python-perf-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"python-perf-debuginfo-3.10.0-693.25.2.el7")) flag++;
  if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"python-perf-debuginfo-3.10.0-693.25.2.el7")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc");
  }
}