Vulnerabilities > CVE-2018-11506 - Out-of-bounds Write vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a CDROMREADMODE2 ioctl call.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2018-E8F793BBFC.NASL description The v4.16.13 update contains important fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-06-06 plugin id 110329 published 2018-06-06 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110329 title Fedora 27 : kernel (2018-e8f793bbfc) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2018-e8f793bbfc. # include("compat.inc"); if (description) { script_id(110329); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2018-11506"); script_xref(name:"FEDORA", value:"2018-e8f793bbfc"); script_name(english:"Fedora 27 : kernel (2018-e8f793bbfc)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "The v4.16.13 update contains important fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-e8f793bbfc" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/28"); script_set_attribute(attribute:"patch_publication_date", value:"2018/06/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2018-11506"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2018-e8f793bbfc"); } else { __rpm_report = ksplice_reporting_text(); } } flag = 0; if (rpm_check(release:"FC27", reference:"kernel-4.16.13-200.fc27")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1423.NASL description Linux 4.9 has been packaged for Debian 8 as linux-4.9. This provides a supported upgrade path for systems that currently use kernel packages from the last seen 2020-06-01 modified 2020-06-02 plugin id 111165 published 2018-07-20 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111165 title Debian DLA-1423-1 : linux-4.9 new package (Spectre) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1423-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(111165); script_version("1.7"); script_cvs_date("Date: 2019/07/15 14:20:30"); script_cve_id("CVE-2017-18255", "CVE-2017-5753", "CVE-2018-1000204", "CVE-2018-10021", "CVE-2018-10087", "CVE-2018-10124", "CVE-2018-10853", "CVE-2018-10876", "CVE-2018-10877", "CVE-2018-10878", "CVE-2018-10879", "CVE-2018-10880", "CVE-2018-10881", "CVE-2018-10882", "CVE-2018-10883", "CVE-2018-10940", "CVE-2018-1118", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-11506", "CVE-2018-12233", "CVE-2018-3639", "CVE-2018-5814"); script_name(english:"Debian DLA-1423-1 : linux-4.9 new package (Spectre)"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Linux 4.9 has been packaged for Debian 8 as linux-4.9. This provides a supported upgrade path for systems that currently use kernel packages from the 'jessie-backports' suite. There is no need to upgrade systems using Linux 3.16, as that kernel version will also continue to be supported in the LTS period. This backport does not include the following binary packages : hyperv-daemons libcpupower1 libcpupower-dev libusbip-dev linux-compiler-gcc-4.9-x86 linux-cpupower linux-libc-dev usbip Older versions of most of those are built from other source packages in Debian 8. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5753 Further instances of code that was vulnerable to Spectre variant 1 (bounds-check bypass) have been mitigated. CVE-2017-18255 It was discovered that the performance events subsystem did not properly validate the value of the kernel.perf_cpu_time_max_percent sysctl. Setting a large value could have an unspecified security impact. However, only a privileged user can set this sysctl. CVE-2018-1118 The syzbot software found that the vhost driver did not initialise message buffers which would later be read by user processes. A user with access to the /dev/vhost-net device could use this to read sensitive information from the kernel or other users' processes. CVE-2018-1120 Qualys reported that a user able to mount FUSE filesystems can create a process such that when another process attempting to read its command line will be blocked for an arbitrarily long time. This could be used for denial of service, or to aid in exploiting a race condition in the other program. CVE-2018-1130 The syzbot software found that the DCCP implementation of sendmsg() does not check the socket state, potentially leading to a NULL pointer dereference. A local user could use this to cause a denial of service (crash). CVE-2018-3639 Multiple researchers have discovered that Speculative Store Bypass (SSB), a feature implemented in many processors, could be used to read sensitive information from another context. In particular, code in a software sandbox may be able to read sensitive information from outside the sandbox. This issue is also known as Spectre variant 4. This update allows the issue to be mitigated on some x86 processors by disabling SSB. This requires an update to the processor's microcode, which is non-free. It may be included in an update to the system BIOS or UEFI firmware, or in a future update to the intel-microcode or amd64-microcode packages. Disabling SSB can reduce performance significantly, so by default it is only done in tasks that use the seccomp feature. Applications that require this mitigation should request it explicitly through the prctl() system call. Users can control where the mitigation is enabled with the spec_store_bypass_disable kernel parameter. CVE-2018-5814 Jakub Jirasek reported race conditions in the USB/IP host driver. A malicious client could use this to cause a denial of service (crash or memory corruption), and possibly to execute code, on a USB/IP server. CVE-2018-10021 A physically present attacker who unplugs a SAS cable can cause a denial of service (memory leak and WARN). CVE-2018-10087, CVE-2018-10124 zhongjiang found that the wait4() and kill() system call implementations did not check for the invalid pid value of INT_MIN. If a user passed this value, the behaviour of the code was formally undefined and might have had a security impact. CVE-2018-10853 Andy Lutomirski and Mika Penttilä reported that KVM for x86 processors did not perform a necessary privilege check when emulating certain instructions. This could be used by an unprivileged user in a guest VM to escalate their privileges within the guest. CVE-2018-10876, CVE-2018-10877, CVE-2018-10878, CVE-2018-10879, CVE-2018-10880, CVE-2018-10881, CVE-2018-10882, CVE-2018-10883 Wen Xu at SSLab, Gatech, reported that crafted ext4 filesystem images could trigger a crash or memory corruption. A local user able to mount arbitrary filesystems, or an attacker providing filesystems to be mounted, could use this for denial of service or possibly for privilege escalation. CVE-2018-10940 Dan Carpenter reported that the optical disc driver (cdrom) does not correctly validate the parameter to the CDROM_MEDIA_CHANGED ioctl. A user with access to a cdrom device could use this to cause a denial of service (crash). CVE-2018-11506 Piotr Gabriel Kosinski and Daniel Shapira reported that the SCSI optical disc driver (sr) did not allocate a sufficiently large buffer for sense data. A user with access to a SCSI optical disc device that can produce more than 64 bytes of sense data could use this to cause a denial of service (crash or memory corruption), and possibly for privilege escalation. CVE-2018-12233 Shankara Pailoor reported that a crafted JFS filesystem image could trigger a denial of service (memory corruption). This could possibly also be used for privilege escalation. CVE-2018-1000204 The syzbot software found that the SCSI generic driver (sg) would in some circumstances allow reading data from uninitialised buffers, which could include sensitive information from the kernel or other tasks. However, only privileged users with the CAP_SYS_ADMIN or CAP_SYS_RAWIO capability were allowed to do this, so this has little or no security impact. For Debian 8 'Jessie', these problems have been fixed in version 4.9.110-1~deb8u1. This update additionally fixes Debian bugs #860900, #872907, #892057, #896775, #897590, and #898137; and includes many more bug fixes from stable updates 4.9.89-4.9.110 inclusive. We recommend that you upgrade your linux-4.9 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/linux-4.9" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:ND/RC:ND"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:X/RC:X"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-arm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-4.9"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-686-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-armel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-armhf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-i386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-armmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-armmp-lpae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-common-rt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-marvell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-rt-686-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-rt-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686-pae-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-amd64-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-armmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-armmp-lpae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-marvell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-686-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-686-pae-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-amd64-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-kbuild-4.9"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-4.9"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-perf-4.9"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-4.9"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-4.9.0-0.bpo.7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/04"); script_set_attribute(attribute:"patch_publication_date", value:"2018/07/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/20"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-arm", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-doc-4.9", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-686", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-686-pae", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-amd64", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-armel", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-armhf", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-i386", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-amd64", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-armmp", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-armmp-lpae", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-common", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-common-rt", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-marvell", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-rt-686-pae", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-rt-amd64", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-686", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-686-pae", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-686-pae-dbg", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-amd64", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-amd64-dbg", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-armmp", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-armmp-lpae", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-marvell", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-686-pae", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-686-pae-dbg", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-amd64", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-amd64-dbg", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-kbuild-4.9", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-manual-4.9", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-perf-4.9", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-source-4.9", reference:"4.9.110-1~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-support-4.9.0-0.bpo.7", reference:"4.9.110-1~deb8u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3752-2.NASL description USN-3752-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that, when attempting to handle an out-of-memory situation, a NULL pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1000200) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate xattr information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10840) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted. (CVE-2018-1093) Jann Horn discovered that the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 112110 published 2018-08-24 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112110 title Ubuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3752-2) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3752-3.NASL description It was discovered that, when attempting to handle an out-of-memory situation, a NULL pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1000200) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate xattr information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10840) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted. (CVE-2018-1093) Jann Horn discovered that the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 112189 published 2018-08-30 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112189 title Ubuntu 16.04 LTS / 18.04 LTS : linux-azure, linux-oem, linux-gcp vulnerabilities (USN-3752-3) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1422.NASL description The previous update to linux failed to build for the armhf (ARM EABI hard-float) architecture. This update corrects that. For all other architectures, there is no need to upgrade or reboot again. For reference, the relevant part of the original advisory text follows. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-5715 Multiple researchers have discovered a vulnerability in various processors supporting speculative execution, enabling an attacker controlling an unprivileged process to read memory from arbitrary addresses, including from the kernel and all other processes running on the system. This specific attack has been named Spectre variant 2 (branch target injection) and is mitigated for the x86 architecture (amd64 and i386) by using new microcoded features. This mitigation requires an update to the processor last seen 2020-06-01 modified 2020-06-02 plugin id 111082 published 2018-07-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111082 title Debian DLA-1422-2 : linux security update (Spectre) NASL family Fedora Local Security Checks NASL id FEDORA_2018-93AF520878.NASL description The v4.16.13 update contains important fixes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120627 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120627 title Fedora 28 : kernel (2018-93af520878) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1474.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.(CVE-2016-4580i1/4%0 - A flaw was found in the Linux kernel last seen 2020-03-19 modified 2019-05-13 plugin id 124798 published 2019-05-13 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124798 title EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1474) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2948.NASL description An update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-alt packages provide the Linux kernel version 4.x. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 118513 published 2018-10-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118513 title RHEL 7 : kernel-alt (RHSA-2018:2948) (Spectre) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3752-1.NASL description It was discovered that, when attempting to handle an out-of-memory situation, a NULL pointer dereference could be triggered in the Linux kernel in some circumstances. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-1000200) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate meta-data information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10323) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly validate xattr information. An attacker could use this to construct a malicious xfs image that, when mounted, could cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10840) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly keep meta-data information consistent in some situations. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10881) Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly handle corrupted meta data in some situations. An attacker could use this to specially craft an ext4 filesystem that caused a denial of service (system crash) when mounted. (CVE-2018-1093) Jann Horn discovered that the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 112109 published 2018-08-24 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112109 title Ubuntu 18.04 LTS : linux, linux-aws, linux-gcp, linux-kvm, linux-raspi2 vulnerabilities (USN-3752-1)
Redhat
advisories |
| ||||
rpms |
|
References
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f7068114d45ec55996b9040e98111afa56e010fe
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f7068114d45ec55996b9040e98111afa56e010fe
- https://access.redhat.com/errata/RHSA-2018:2948
- https://access.redhat.com/errata/RHSA-2018:2948
- https://github.com/torvalds/linux/commit/f7068114d45ec55996b9040e98111afa56e010fe
- https://github.com/torvalds/linux/commit/f7068114d45ec55996b9040e98111afa56e010fe
- https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00020.html
- https://twitter.com/efrmv/status/1001574894273007616
- https://twitter.com/efrmv/status/1001574894273007616
- https://usn.ubuntu.com/3752-1/
- https://usn.ubuntu.com/3752-1/
- https://usn.ubuntu.com/3752-2/
- https://usn.ubuntu.com/3752-2/
- https://usn.ubuntu.com/3752-3/
- https://usn.ubuntu.com/3752-3/