Vulnerabilities > CVE-2018-10901

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
linux
redhat
nessus

Summary

A flaw was found in Linux kernel's KVM virtualization subsystem. The VMX code does not restore the GDT.LIMIT to the previous host value, but instead sets it to 64KB. With a corrupted GDT limit a host's userspace code has an ability to place malicious entries in the GDT, particularly to the per-cpu variables. An attacker can use this to escalate their privileges.

Vulnerable Configurations

Part Description Count
OS
Linux
1247
OS
Redhat
6

Nessus

  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-1023.NASL
    descriptionA weakness was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id110197
    published2018-05-30
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110197
    titleAmazon Linux AMI : kernel (ALAS-2018-1023)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2018-1023.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110197);
      script_version("1.7");
      script_cvs_date("Date: 2019/07/10 16:04:12");
    
      script_cve_id("CVE-2017-13215", "CVE-2017-16939", "CVE-2018-1000199", "CVE-2018-10675", "CVE-2018-1068", "CVE-2018-1087", "CVE-2018-10901", "CVE-2018-1091", "CVE-2018-1108", "CVE-2018-7995", "CVE-2018-8897");
      script_xref(name:"ALAS", value:"2018-1023");
    
      script_name(english:"Amazon Linux AMI : kernel (ALAS-2018-1023)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A weakness was found in the Linux kernel's implementation of random
    seed data. Programs, early in the boot sequence, could use the data
    allocated for the seed before it was sufficiently generated.
    (CVE-2018-1108)
    
    A flaw was found in the way the Linux kernel handled exceptions
    delivered after a stack switch operation via Mov SS or Pop SS
    instructions. During the stack switch operation, the processor did not
    deliver interrupts and exceptions, rather they are delivered once the
    first instruction after the stack switch is executed. An unprivileged
    system user could use this flaw to crash the system kernel resulting
    in the denial of service. (CVE-2018-8897)
    
    A flaw was found in the Linux kernel's implementation of 32-bit
    syscall interface for bridging. This allowed a privileged user to
    arbitrarily write to a limited range of kernel memory. (CVE-2018-1068)
    
    The Linux kernel is vulerable to a use-after-free flaw when
    Transformation User configuration interface(CONFIG_XFRM_USER)
    compile-time configuration were enabled. This vulnerability occurs
    while closing a xfrm netlink socket in xfrm_dump_policy_done. A
    user/process could abuse this flaw to potentially escalate their
    privileges on a system. (CVE-2017-16939)
    
    A flaw was found in the Linux kernel where a crash can be triggered
    from unprivileged userspace during core dump on a POWER system with a
    certain configuration. This is due to a missing processor feature
    check and an erroneous use of transactional memory (TM) instructions
    in the core dump path leading to a denial of service.(CVE-2018-1091)
    
    An address corruption flaw was discovered in the Linux kernel built
    with hardware breakpoint (CONFIG_HAVE_HW_BREAKPOINT) support. While
    modifying a h/w breakpoint via 'modify_user_hw_breakpoint' routine, an
    unprivileged user/process could use this flaw to crash the system
    kernel resulting in DoS OR to potentially escalate privileges on a the
    system.(CVE-2018-1000199)
    
    A flaw was found in the way the Linux kernel's KVM hypervisor handled
    exceptions delivered after a stack switch operation via Mov SS or Pop
    SS instructions. During the stack switch operation, the processor did
    not deliver interrupts and exceptions, rather they are delivered once
    the first instruction after the stack switch is executed. An
    unprivileged KVM guest user could use this flaw to crash the guest or,
    potentially, escalate their privileges in the guest.(CVE-2018-1087)
    
    A flaw was found in the Linux kernel's skcipher component, which
    affects the skcipher_recvmsg function. Attackers using a specific
    input can lead to a privilege escalation.(CVE-2017-13215)
    
    The do_get_mempolicy() function in mm/mempolicy.c in the Linux kernel
    allows local users to hit a use-after-free bug via crafted system
    calls and thus cause a denial of service (DoS) or possibly have
    unspecified other impact. Due to the nature of the flaw, privilege
    escalation cannot be fully ruled out.(CVE-2018-10675)
    
    A flaw was found in Linux kernel's KVM virtualization subsystem. The
    VMX code does not restore the GDT.LIMIT to the previous host value,
    but instead sets it to 64KB. With a corrupted GDT limit a host's
    userspace code has an ability to place malicious entries in the GDT,
    particularly to the per-cpu variables. An attacker can use this to
    escalate their privileges.(CVE-2018-10901)
    
    A race condition in the store_int_with_restart() function in
    arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel allows local
    users to cause a denial of service (panic) by leveraging root access
    to write to the check_interval file in a
    /sys/devices/system/machinecheck/machinecheck<cpu number> directory.
    (CVE-2018-7995)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2018-1023.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Run 'yum update kernel' then reboot the instance to update your
    system."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"kernel-4.14.42-52.37.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"kernel-debuginfo-4.14.42-52.37.amzn1")) flag++;
    if (rpm_check(release:"ALA", cpu:"i686", reference:"kernel-debuginfo-common-i686-4.14.42-52.37.amzn1")) flag++;
    if (rpm_check(release:"ALA", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-4.14.42-52.37.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"kernel-devel-4.14.42-52.37.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"kernel-headers-4.14.42-52.37.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"kernel-tools-4.14.42-52.37.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"kernel-tools-debuginfo-4.14.42-52.37.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"kernel-tools-devel-4.14.42-52.37.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"perf-4.14.42-52.37.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"perf-debuginfo-4.14.42-52.37.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debuginfo / kernel-debuginfo-common-i686 / etc");
    }
    
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0143_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has kernel packages installed that are affected by multiple vulnerabilities: - A flaw was found in the Linux kernel
    last seen2020-03-18
    modified2019-08-12
    plugin id127408
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127408
    titleNewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0143)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0143. The text
    # itself is copyright (C) ZTE, Inc.
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(127408);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20");
    
      script_cve_id(
        "CVE-2016-9555",
        "CVE-2017-5753",
        "CVE-2017-5754",
        "CVE-2017-7308",
        "CVE-2017-8824",
        "CVE-2017-13166",
        "CVE-2017-1000112",
        "CVE-2018-3639",
        "CVE-2018-3693",
        "CVE-2018-5390",
        "CVE-2018-5391",
        "CVE-2018-10675",
        "CVE-2018-10901",
        "CVE-2018-14634"
      );
      script_bugtraq_id(
        102371,
        102378,
        104976,
        105407,
        106128
      );
    
      script_name(english:"NewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0143)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version MAIN 4.05, has kernel packages installed that are affected by multiple
    vulnerabilities:
    
      - A flaw was found in the Linux kernel's implementation of
        the SCTP protocol. A remote attacker could trigger an
        out-of-bounds read with an offset of up to 64kB
        potentially causing the system to crash. (CVE-2016-9555)
    
      - An exploitable memory corruption flaw was found in the
        Linux kernel. The append path can be erroneously
        switched from UFO to non-UFO in ip_ufo_append_data()
        when building an UFO packet with MSG_MORE option. If
        unprivileged user namespaces are available, this flaw
        can be exploited to gain root privileges.
        (CVE-2017-1000112)
    
      - A bug in the 32-bit compatibility layer of the ioctl
        handling code of the v4l2 video driver in the Linux
        kernel has been found. A memory protection mechanism
        ensuring that user-provided buffers always point to a
        userspace memory were disabled, allowing destination
        address to be in a kernel space. This flaw could be
        exploited by an attacker to overwrite a kernel memory
        from an unprivileged userspace process, leading to
        privilege escalation. (CVE-2017-13166)
    
      - An industry-wide issue was found in the way many modern
        microprocessor designs have implemented speculative
        execution of instructions (a commonly used performance
        optimization). There are three primary variants of the
        issue which differ in the way the speculative execution
        can be exploited. Variant CVE-2017-5753 triggers the
        speculative execution by performing a bounds-check
        bypass. It relies on the presence of a precisely-defined
        instruction sequence in the privileged code as well as
        the fact that memory accesses may cause allocation into
        the microprocessor's data cache even for speculatively
        executed instructions that never actually commit
        (retire). As a result, an unprivileged attacker could
        use this flaw to cross the syscall boundary and read
        privileged memory by conducting targeted cache side-
        channel attacks. (CVE-2017-5753)
    
      - An industry-wide issue was found in the way many modern
        microprocessor designs have implemented speculative
        execution of instructions (a commonly used performance
        optimization). There are three primary variants of the
        issue which differ in the way the speculative execution
        can be exploited. Variant CVE-2017-5754 relies on the
        fact that, on impacted microprocessors, during
        speculative execution of instruction permission faults,
        exception generation triggered by a faulting access is
        suppressed until the retirement of the whole instruction
        block. In a combination with the fact that memory
        accesses may populate the cache even when the block is
        being dropped and never committed (executed), an
        unprivileged local attacker could use this flaw to read
        privileged (kernel space) memory by conducting targeted
        cache side-channel attacks. Note: CVE-2017-5754 affects
        Intel x86-64 microprocessors. AMD x86-64 microprocessors
        are not affected by this issue. (CVE-2017-5754)
    
      - It was found that the packet_set_ring() function of the
        Linux kernel's networking implementation did not
        properly validate certain block-size data. A local
        attacker with CAP_NET_RAW capability could use this flaw
        to trigger a buffer overflow resulting in a system crash
        or a privilege escalation. (CVE-2017-7308)
    
      - A use-after-free vulnerability was found in DCCP socket
        code affecting the Linux kernel since 2.6.16. This
        vulnerability could allow an attacker to their escalate
        privileges. (CVE-2017-8824)
    
      - The do_get_mempolicy() function in mm/mempolicy.c in the
        Linux kernel allows local users to hit a use-after-free
        bug via crafted system calls and thus cause a denial of
        service (DoS) or possibly have unspecified other impact.
        Due to the nature of the flaw, privilege escalation
        cannot be fully ruled out. (CVE-2018-10675)
    
      - A flaw was found in Linux kernel's KVM virtualization
        subsystem. The VMX code does not restore the GDT.LIMIT
        to the previous host value, but instead sets it to 64KB.
        With a corrupted GDT limit a host's userspace code has
        an ability to place malicious entries in the GDT,
        particularly to the per-cpu variables. An attacker can
        use this to escalate their privileges. (CVE-2018-10901)
    
      - An integer overflow flaw was found in the Linux kernel's
        create_elf_tables() function. An unprivileged local user
        with access to SUID (or otherwise privileged) binary
        could use this flaw to escalate their privileges on the
        system. (CVE-2018-14634)
    
      - An industry-wide issue was found in the way many modern
        microprocessor designs have implemented speculative
        execution of Load & Store instructions (a commonly used
        performance optimization). It relies on the presence of
        a precisely-defined instruction sequence in the
        privileged code as well as the fact that memory read
        from address to which a recent memory write has occurred
        may see an older value and subsequently cause an update
        into the microprocessor's data cache even for
        speculatively executed instructions that never actually
        commit (retire). As a result, an unprivileged attacker
        could use this flaw to read privileged memory by
        conducting targeted cache side-channel attacks.
        (CVE-2018-3639)
    
      - An industry-wide issue was found in the way many modern
        microprocessor designs have implemented speculative
        execution of instructions past bounds check. The flaw
        relies on the presence of a precisely-defined
        instruction sequence in the privileged code and the fact
        that memory writes occur to an address which depends on
        the untrusted value. Such writes cause an update into
        the microprocessor's data cache even for speculatively
        executed instructions that never actually commit
        (retire). As a result, an unprivileged attacker could
        use this flaw to influence speculative execution and/or
        read privileged memory by conducting targeted cache
        side-channel attacks. (CVE-2018-3693)
    
      - A flaw named SegmentSmack was found in the way the Linux
        kernel handled specially crafted TCP packets. A remote
        attacker could use this flaw to trigger time and
        calculation expensive calls to tcp_collapse_ofo_queue()
        and tcp_prune_ofo_queue() functions by sending specially
        modified packets within ongoing TCP sessions which could
        lead to a CPU saturation and hence a denial of service
        on the system. Maintaining the denial of service
        condition requires continuous two-way TCP sessions to a
        reachable open port, thus the attacks cannot be
        performed using spoofed IP addresses. (CVE-2018-5390)
    
      - A flaw named FragmentSmack was found in the way the
        Linux kernel handled reassembly of fragmented IPv4 and
        IPv6 packets. A remote attacker could use this flaw to
        trigger time and calculation expensive fragment
        reassembly algorithm by sending specially crafted
        packets which could lead to a CPU saturation and hence a
        denial of service on the system. (CVE-2018-5391)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0143");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for
    more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9555");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'AF_PACKET packet_set_ring Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL MAIN 4.05")
      audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL MAIN 4.05": [
        "kernel-2.6.32-642.13.1.el6.cgsl7763",
        "kernel-abi-whitelists-2.6.32-642.13.1.el6.cgsl7763",
        "kernel-debug-2.6.32-642.13.1.el6.cgsl7763",
        "kernel-debug-debuginfo-2.6.32-642.13.1.el6.cgsl7763",
        "kernel-debug-devel-2.6.32-642.13.1.el6.cgsl7763",
        "kernel-debuginfo-2.6.32-642.13.1.el6.cgsl7763",
        "kernel-debuginfo-common-x86_64-2.6.32-642.13.1.el6.cgsl7763",
        "kernel-devel-2.6.32-642.13.1.el6.cgsl7763",
        "kernel-doc-2.6.32-642.13.1.el6.cgsl7763",
        "kernel-firmware-2.6.32-642.13.1.el6.cgsl7763",
        "kernel-headers-2.6.32-642.13.1.el6.cgsl7763",
        "perf-2.6.32-642.13.1.el6.cgsl7763",
        "perf-debuginfo-2.6.32-642.13.1.el6.cgsl7763",
        "python-perf-2.6.32-642.13.1.el6.cgsl7763",
        "python-perf-debuginfo-2.6.32-642.13.1.el6.cgsl7763"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-2390.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 16th August 2018] The original errata text was missing reference to CVE-2018-5390 fix. We have updated the errata text to correct this issue. No changes have been made to the packages. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id111704
    published2018-08-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111704
    titleCentOS 6 : kernel (CESA-2018:2390) (Foreshadow)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2393.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6.5 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901.
    last seen2020-06-01
    modified2020-06-02
    plugin id111734
    published2018-08-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111734
    titleRHEL 6 : kernel (RHSA-2018:2393) (Foreshadow)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2390.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 16th August 2018] The original errata text was missing reference to CVE-2018-5390 fix. We have updated the errata text to correct this issue. No changes have been made to the packages. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id111731
    published2018-08-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111731
    titleRHEL 6 : kernel (RHSA-2018:2390) (Foreshadow)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180814_KERNEL_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor
    last seen2020-03-18
    modified2018-08-16
    plugin id111777
    published2018-08-16
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111777
    titleScientific Linux Security Update : kernel on SL6.x i386/x86_64 (20180814) (Foreshadow)
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_SPACE_JSA10917_184R1.NASL
    descriptionAccording to its self-reported version number, the remote Junos Space version is 18.4.x prior to 18.4R1. It is, therefore, affected by multiple vulnerabilities : - An integer overflow issue exists in procps-ng. This is related to CVE-2018-1124. (CVE-2018-1126) - A directory traversal issue exits in reposync, a part of yum-utils.tory configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. (CVE-2018-10897) - An integer overflow flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id121068
    published2019-01-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121068
    titleJuniper Junos Space 18.4.x < 18.4R1 Multiple Vulnerabilities (JSA10917)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZA-2018-055.NASL
    descriptionAccording to the versions of the cpupools / cpupools-features / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id112018
    published2018-08-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112018
    titleVirtuozzo 6 : cpupools / cpupools-features / etc (VZA-2018-055)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2394.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6.4 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id111735
    published2018-08-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111735
    titleRHEL 6 : kernel (RHSA-2018:2394) (Foreshadow) (Spectre)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2018-994.NASL
    descriptionRace condition in the store_int_with_restart() function in cpu/mcheck/mce.c : A race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory. (CVE-2018-7995) Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c : A flaw was found in the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id109177
    published2018-04-20
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109177
    titleAmazon Linux 2 : kernel (ALAS-2018-994)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2391.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901.
    last seen2020-06-01
    modified2020-06-02
    plugin id111732
    published2018-08-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111732
    titleRHEL 6 : kernel (RHSA-2018:2391) (Foreshadow)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-2390.NASL
    descriptionFrom Red Hat Security Advisory 2018:2390 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 16th August 2018] The original errata text was missing reference to CVE-2018-5390 fix. We have updated the errata text to correct this issue. No changes have been made to the packages. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id111724
    published2018-08-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111724
    titleOracle Linux 6 : kernel (ELSA-2018-2390) (Foreshadow)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2392.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 6.6 Advanced Update Support and Red Hat Enterprise Linux 6.6 Telco Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901.
    last seen2020-06-01
    modified2020-06-02
    plugin id111733
    published2018-08-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111733
    titleRHEL 6 : kernel (RHSA-2018:2392) (Foreshadow)

Redhat

advisories
  • rhsa
    idRHSA-2018:2390
  • rhsa
    idRHSA-2018:2391
  • rhsa
    idRHSA-2018:2392
  • rhsa
    idRHSA-2018:2393
  • rhsa
    idRHSA-2018:2394
rpms
  • kernel-0:2.6.32-754.3.5.el6
  • kernel-abi-whitelists-0:2.6.32-754.3.5.el6
  • kernel-bootwrapper-0:2.6.32-754.3.5.el6
  • kernel-debug-0:2.6.32-754.3.5.el6
  • kernel-debug-debuginfo-0:2.6.32-754.3.5.el6
  • kernel-debug-devel-0:2.6.32-754.3.5.el6
  • kernel-debuginfo-0:2.6.32-754.3.5.el6
  • kernel-debuginfo-common-i686-0:2.6.32-754.3.5.el6
  • kernel-debuginfo-common-ppc64-0:2.6.32-754.3.5.el6
  • kernel-debuginfo-common-s390x-0:2.6.32-754.3.5.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-754.3.5.el6
  • kernel-devel-0:2.6.32-754.3.5.el6
  • kernel-doc-0:2.6.32-754.3.5.el6
  • kernel-firmware-0:2.6.32-754.3.5.el6
  • kernel-headers-0:2.6.32-754.3.5.el6
  • kernel-kdump-0:2.6.32-754.3.5.el6
  • kernel-kdump-debuginfo-0:2.6.32-754.3.5.el6
  • kernel-kdump-devel-0:2.6.32-754.3.5.el6
  • perf-0:2.6.32-754.3.5.el6
  • perf-debuginfo-0:2.6.32-754.3.5.el6
  • python-perf-0:2.6.32-754.3.5.el6
  • python-perf-debuginfo-0:2.6.32-754.3.5.el6
  • kernel-0:2.6.32-573.60.4.el6
  • kernel-abi-whitelists-0:2.6.32-573.60.4.el6
  • kernel-bootwrapper-0:2.6.32-573.60.4.el6
  • kernel-debug-0:2.6.32-573.60.4.el6
  • kernel-debug-debuginfo-0:2.6.32-573.60.4.el6
  • kernel-debug-devel-0:2.6.32-573.60.4.el6
  • kernel-debuginfo-0:2.6.32-573.60.4.el6
  • kernel-debuginfo-common-i686-0:2.6.32-573.60.4.el6
  • kernel-debuginfo-common-ppc64-0:2.6.32-573.60.4.el6
  • kernel-debuginfo-common-s390x-0:2.6.32-573.60.4.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-573.60.4.el6
  • kernel-devel-0:2.6.32-573.60.4.el6
  • kernel-doc-0:2.6.32-573.60.4.el6
  • kernel-firmware-0:2.6.32-573.60.4.el6
  • kernel-headers-0:2.6.32-573.60.4.el6
  • kernel-kdump-0:2.6.32-573.60.4.el6
  • kernel-kdump-debuginfo-0:2.6.32-573.60.4.el6
  • kernel-kdump-devel-0:2.6.32-573.60.4.el6
  • perf-0:2.6.32-573.60.4.el6
  • perf-debuginfo-0:2.6.32-573.60.4.el6
  • python-perf-0:2.6.32-573.60.4.el6
  • python-perf-debuginfo-0:2.6.32-573.60.4.el6
  • kernel-0:2.6.32-504.72.4.el6
  • kernel-abi-whitelists-0:2.6.32-504.72.4.el6
  • kernel-debug-0:2.6.32-504.72.4.el6
  • kernel-debug-debuginfo-0:2.6.32-504.72.4.el6
  • kernel-debug-devel-0:2.6.32-504.72.4.el6
  • kernel-debuginfo-0:2.6.32-504.72.4.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-504.72.4.el6
  • kernel-devel-0:2.6.32-504.72.4.el6
  • kernel-doc-0:2.6.32-504.72.4.el6
  • kernel-firmware-0:2.6.32-504.72.4.el6
  • kernel-headers-0:2.6.32-504.72.4.el6
  • perf-0:2.6.32-504.72.4.el6
  • perf-debuginfo-0:2.6.32-504.72.4.el6
  • python-perf-0:2.6.32-504.72.4.el6
  • python-perf-debuginfo-0:2.6.32-504.72.4.el6
  • kernel-0:2.6.32-431.91.3.el6
  • kernel-abi-whitelists-0:2.6.32-431.91.3.el6
  • kernel-debug-0:2.6.32-431.91.3.el6
  • kernel-debug-debuginfo-0:2.6.32-431.91.3.el6
  • kernel-debug-devel-0:2.6.32-431.91.3.el6
  • kernel-debuginfo-0:2.6.32-431.91.3.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-431.91.3.el6
  • kernel-devel-0:2.6.32-431.91.3.el6
  • kernel-doc-0:2.6.32-431.91.3.el6
  • kernel-firmware-0:2.6.32-431.91.3.el6
  • kernel-headers-0:2.6.32-431.91.3.el6
  • perf-0:2.6.32-431.91.3.el6
  • perf-debuginfo-0:2.6.32-431.91.3.el6
  • python-perf-0:2.6.32-431.91.3.el6
  • python-perf-debuginfo-0:2.6.32-431.91.3.el6
  • kernel-0:2.6.32-358.91.4.el6
  • kernel-debug-0:2.6.32-358.91.4.el6
  • kernel-debug-debuginfo-0:2.6.32-358.91.4.el6
  • kernel-debug-devel-0:2.6.32-358.91.4.el6
  • kernel-debuginfo-0:2.6.32-358.91.4.el6
  • kernel-debuginfo-common-x86_64-0:2.6.32-358.91.4.el6
  • kernel-devel-0:2.6.32-358.91.4.el6
  • kernel-doc-0:2.6.32-358.91.4.el6
  • kernel-firmware-0:2.6.32-358.91.4.el6
  • kernel-headers-0:2.6.32-358.91.4.el6
  • perf-0:2.6.32-358.91.4.el6
  • perf-debuginfo-0:2.6.32-358.91.4.el6
  • python-perf-0:2.6.32-358.91.4.el6
  • python-perf-debuginfo-0:2.6.32-358.91.4.el6