Vulnerabilities > CVE-2018-13100 - Divide By Zero vulnerability in Linux Kernel

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
linux
debian
CWE-369
nessus

Summary

An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3, which does not properly validate secs_per_zone in a corrupted f2fs image, as demonstrated by a divide-by-zero error.

Vulnerable Configurations

Part Description Count
OS
Linux
2942
OS
Debian
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4118-1.NASL
    descriptionIt was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093) Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13096, CVE-2018-13097, CVE-2018-13098, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14615, CVE-2018-14616) Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14609, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613) Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617) Vasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. (CVE-2018-16862) Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985) Hui Peng and Mathias Payer discovered that the USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169) Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-20856) Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383) It was discovered that the Intel wifi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (wifi disconnect). (CVE-2019-0136) It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126) It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207) Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638) Amit Klein and Benny Pinkas discovered that the location of kernel addresses could exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel. (CVE-2019-10639) Adam Zabrocki discovered that the Intel i915 kernel mode graphics driver in the Linux kernel did not properly restrict mmap() ranges in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11085) It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487) Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2019-11599) It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-11810) It was discovered that a race condition leading to a use-after-free existed in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11815) It was discovered that the ext4 file system implementation in the Linux kernel did not properly zero out memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11833) It was discovered that the Bluetooth Human Interface Device Protocol (HIDP) implementation in the Linux kernel did not properly verify strings were NULL terminated in certain situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11884) It was discovered that a NULL pointer dereference vulnerabilty existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818) It was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819) It was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984) Jann Horn discovered a use-after-free vulnerability in the Linux kernel when accessing LDT entries in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13233) Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272) It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13631) It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14283) It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284) Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-14763) It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090) It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2019-15211) It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212) It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) pro possibly execute arbitrary code. (CVE-2019-15214) It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15220) It was discovered that a use-after-free vulnerability existed in the Appletalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-15292) It was discovered that the Empia EM28xx DVB USB device driver implementation in the Linux kernel contained a use-after-free vulnerability when disconnecting the device. An attacker could use this to cause a denial of service (system crash). (CVE-2019-2024) It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101) It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846) Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system. (CVE-2019-3900) Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physicall proximate attacker could use this to expose sensitive information. (CVE-2019-9506) It was discovered that the Appletalk IP encapsulation driver in the Linux kernel did not properly prevent kernel addresses from being copied to user space. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information. (CVE-2018-20511) It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15216) It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218) It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id128478
    published2019-09-03
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128478
    titleUbuntu 16.04 LTS / 18.04 LTS : linux-aws vulnerabilities (USN-4118-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4118-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128478);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/24 11:30:51");
    
      script_cve_id("CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13098", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14609", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14615", "CVE-2018-14616", "CVE-2018-14617", "CVE-2018-16862", "CVE-2018-19985", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-20784", "CVE-2018-20856", "CVE-2018-5383", "CVE-2019-0136", "CVE-2019-10126", "CVE-2019-10207", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-11085", "CVE-2019-11487", "CVE-2019-11599", "CVE-2019-11810", "CVE-2019-11815", "CVE-2019-11833", "CVE-2019-11884", "CVE-2019-12818", "CVE-2019-12819", "CVE-2019-12984", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-13631", "CVE-2019-14283", "CVE-2019-14284", "CVE-2019-14763", "CVE-2019-15090", "CVE-2019-15211", "CVE-2019-15212", "CVE-2019-15214", "CVE-2019-15215", "CVE-2019-15216", "CVE-2019-15218", "CVE-2019-15220", "CVE-2019-15221", "CVE-2019-15292", "CVE-2019-2024", "CVE-2019-2101", "CVE-2019-3701", "CVE-2019-3819", "CVE-2019-3846", "CVE-2019-3900", "CVE-2019-9506");
      script_xref(name:"USN", value:"4118-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS : linux-aws vulnerabilities (USN-4118-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the alarmtimer implementation in the Linux
    kernel contained an integer overflow vulnerability. A local attacker
    could use this to cause a denial of service. (CVE-2018-13053)
    
    Wen Xu discovered that the XFS filesystem implementation in the Linux
    kernel did not properly track inode validations. An attacker could use
    this to construct a malicious XFS image that, when mounted, could
    cause a denial of service (system crash). (CVE-2018-13093)
    
    Wen Xu discovered that the f2fs file system implementation in the
    Linux kernel did not properly validate metadata. An attacker could use
    this to construct a malicious f2fs image that, when mounted, could
    cause a denial of service (system crash). (CVE-2018-13096,
    CVE-2018-13097, CVE-2018-13098, CVE-2018-13099, CVE-2018-13100,
    CVE-2018-14614, CVE-2018-14615, CVE-2018-14616)
    
    Wen Xu and Po-Ning Tseng discovered that btrfs file system
    implementation in the Linux kernel did not properly validate metadata.
    An attacker could use this to construct a malicious btrfs image that,
    when mounted, could cause a denial of service (system crash).
    (CVE-2018-14609, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612,
    CVE-2018-14613)
    
    Wen Xu discovered that the HFS+ filesystem implementation in the Linux
    kernel did not properly handle malformed catalog data in some
    situations. An attacker could use this to construct a malicious HFS+
    image that, when mounted, could cause a denial of service (system
    crash). (CVE-2018-14617)
    
    Vasily Averin and Pavel Tikhomirov discovered that the cleancache
    subsystem of the Linux kernel did not properly initialize new files in
    some situations. A local attacker could use this to expose sensitive
    information. (CVE-2018-16862)
    
    Hui Peng and Mathias Payer discovered that the Option USB High Speed
    driver in the Linux kernel did not properly validate metadata received
    from the device. A physically proximate attacker could use this to
    cause a denial of service (system crash). (CVE-2018-19985)
    
    Hui Peng and Mathias Payer discovered that the USB subsystem in the
    Linux kernel did not properly handle size checks when handling an
    extra USB descriptor. A physically proximate attacker could use this
    to cause a denial of service (system crash). (CVE-2018-20169)
    
    Zhipeng Xie discovered that an infinite loop could triggered in the
    CFS Linux kernel process scheduler. A local attacker could possibly
    use this to cause a denial of service. (CVE-2018-20784)
    
    It was discovered that a use-after-free error existed in the block
    layer subsystem of the Linux kernel when certain failure conditions
    occurred. A local attacker could possibly use this to cause a denial
    of service (system crash) or possibly execute arbitrary code.
    (CVE-2018-20856)
    
    Eli Biham and Lior Neumann discovered that the Bluetooth
    implementation in the Linux kernel did not properly validate elliptic
    curve parameters during Diffie-Hellman key exchange in some
    situations. An attacker could use this to expose sensitive
    information. (CVE-2018-5383)
    
    It was discovered that the Intel wifi device driver in the Linux
    kernel did not properly validate certain Tunneled Direct Link Setup
    (TDLS). A physically proximate attacker could use this to cause a
    denial of service (wifi disconnect). (CVE-2019-0136)
    
    It was discovered that a heap buffer overflow existed in the Marvell
    Wireless LAN device driver for the Linux kernel. An attacker could use
    this to cause a denial of service (system crash) or possibly execute
    arbitrary code. (CVE-2019-10126)
    
    It was discovered that the Bluetooth UART implementation in the Linux
    kernel did not properly check for missing tty operations. A local
    attacker could use this to cause a denial of service. (CVE-2019-10207)
    
    Amit Klein and Benny Pinkas discovered that the Linux kernel did not
    sufficiently randomize IP ID values generated for connectionless
    networking protocols. A remote attacker could use this to track
    particular Linux devices. (CVE-2019-10638)
    
    Amit Klein and Benny Pinkas discovered that the location of kernel
    addresses could exposed by the implementation of connection-less
    network protocols in the Linux kernel. A remote attacker could
    possibly use this to assist in the exploitation of another
    vulnerability in the Linux kernel. (CVE-2019-10639)
    
    Adam Zabrocki discovered that the Intel i915 kernel mode graphics
    driver in the Linux kernel did not properly restrict mmap() ranges in
    some situations. A local attacker could use this to cause a denial of
    service (system crash) or possibly execute arbitrary code.
    (CVE-2019-11085)
    
    It was discovered that an integer overflow existed in the Linux kernel
    when reference counting pages, leading to potential use-after-free
    issues. A local attacker could use this to cause a denial of service
    (system crash) or possibly execute arbitrary code. (CVE-2019-11487)
    
    Jann Horn discovered that a race condition existed in the Linux kernel
    when performing core dumps. A local attacker could use this to cause a
    denial of service (system crash) or expose sensitive information.
    (CVE-2019-11599)
    
    It was discovered that a NULL pointer dereference vulnerability
    existed in the LSI Logic MegaRAID driver in the Linux kernel. A local
    attacker could use this to cause a denial of service (system crash).
    (CVE-2019-11810)
    
    It was discovered that a race condition leading to a use-after-free
    existed in the Reliable Datagram Sockets (RDS) protocol implementation
    in the Linux kernel. The RDS protocol is blacklisted by default in
    Ubuntu. If enabled, a local attacker could use this to cause a denial
    of service (system crash) or possibly execute arbitrary code.
    (CVE-2019-11815)
    
    It was discovered that the ext4 file system implementation in the
    Linux kernel did not properly zero out memory in some situations. A
    local attacker could use this to expose sensitive information (kernel
    memory). (CVE-2019-11833)
    
    It was discovered that the Bluetooth Human Interface Device Protocol
    (HIDP) implementation in the Linux kernel did not properly verify
    strings were NULL terminated in certain situations. A local attacker
    could use this to expose sensitive information (kernel memory).
    (CVE-2019-11884)
    
    It was discovered that a NULL pointer dereference vulnerabilty existed
    in the Near-field communication (NFC) implementation in the Linux
    kernel. An attacker could use this to cause a denial of service
    (system crash). (CVE-2019-12818)
    
    It was discovered that the MDIO bus devices subsystem in the Linux
    kernel improperly dropped a device reference in an error condition,
    leading to a use-after-free. An attacker could use this to cause a
    denial of service (system crash). (CVE-2019-12819)
    
    It was discovered that a NULL pointer dereference vulnerability
    existed in the Near-field communication (NFC) implementation in the
    Linux kernel. A local attacker could use this to cause a denial of
    service (system crash). (CVE-2019-12984)
    
    Jann Horn discovered a use-after-free vulnerability in the Linux
    kernel when accessing LDT entries in some situations. A local attacker
    could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2019-13233)
    
    Jann Horn discovered that the ptrace implementation in the Linux
    kernel did not properly record credentials in some situations. A local
    attacker could use this to cause a denial of service (system crash) or
    possibly gain administrative privileges. (CVE-2019-13272)
    
    It was discovered that the GTCO tablet input driver in the Linux
    kernel did not properly bounds check the initial HID report sent by
    the device. A physically proximate attacker could use to cause a
    denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2019-13631)
    
    It was discovered that the floppy driver in the Linux kernel did not
    properly validate meta data, leading to a buffer overread. A local
    attacker could use this to cause a denial of service (system crash).
    (CVE-2019-14283)
    
    It was discovered that the floppy driver in the Linux kernel did not
    properly validate ioctl() calls, leading to a division-by-zero. A
    local attacker could use this to cause a denial of service (system
    crash). (CVE-2019-14284)
    
    Tuba Yavuz discovered that a race condition existed in the DesignWare
    USB3 DRD Controller device driver in the Linux kernel. A physically
    proximate attacker could use this to cause a denial of service.
    (CVE-2019-14763)
    
    It was discovered that an out-of-bounds read existed in the QLogic
    QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker
    could possibly use this to expose sensitive information (kernel
    memory). (CVE-2019-15090)
    
    It was discovered that the Raremono AM/FM/SW radio device driver in
    the Linux kernel did not properly allocate memory, leading to a
    use-after-free. A physically proximate attacker could use this to
    cause a denial of service or possibly execute arbitrary code.
    (CVE-2019-15211)
    
    It was discovered at a double-free error existed in the USB Rio 500
    device driver for the Linux kernel. A physically proximate attacker
    could use this to cause a denial of service. (CVE-2019-15212)
    
    It was discovered that a race condition existed in the Advanced Linux
    Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a
    potential use-after-free. A physically proximate attacker could use
    this to cause a denial of service (system crash) pro possibly execute
    arbitrary code. (CVE-2019-15214)
    
    It was discovered that a race condition existed in the CPiA2
    video4linux device driver for the Linux kernel, leading to a
    use-after-free. A physically proximate attacker could use this to
    cause a denial of service (system crash) or possibly execute arbitrary
    code. (CVE-2019-15215)
    
    It was discovered that a race condition existed in the Softmac USB
    Prism54 device driver in the Linux kernel. A physically proximate
    attacker could use this to cause a denial of service (system crash).
    (CVE-2019-15220)
    
    It was discovered that a use-after-free vulnerability existed in the
    Appletalk implementation in the Linux kernel if an error occurs during
    initialization. A local attacker could use this to cause a denial of
    service (system crash). (CVE-2019-15292)
    
    It was discovered that the Empia EM28xx DVB USB device driver
    implementation in the Linux kernel contained a use-after-free
    vulnerability when disconnecting the device. An attacker could use
    this to cause a denial of service (system crash). (CVE-2019-2024)
    
    It was discovered that the USB video device class implementation in
    the Linux kernel did not properly validate control bits, resulting in
    an out of bounds buffer read. A local attacker could use this to
    possibly expose sensitive information (kernel memory). (CVE-2019-2101)
    
    It was discovered that the Marvell Wireless LAN device driver in the
    Linux kernel did not properly validate the BSS descriptor. A local
    attacker could possibly use this to cause a denial of service (system
    crash) or possibly execute arbitrary code. (CVE-2019-3846)
    
    Jason Wang discovered that an infinite loop vulnerability existed in
    the virtio net driver in the Linux kernel. A local attacker in a guest
    VM could possibly use this to cause a denial of service in the host
    system. (CVE-2019-3900)
    
    Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen
    discovered that the Bluetooth protocol BR/EDR specification did not
    properly require sufficiently strong encryption key lengths. A
    physicall proximate attacker could use this to expose sensitive
    information. (CVE-2019-9506)
    
    It was discovered that the Appletalk IP encapsulation driver in the
    Linux kernel did not properly prevent kernel addresses from being
    copied to user space. A local attacker with the CAP_NET_ADMIN
    capability could use this to expose sensitive information.
    (CVE-2018-20511)
    
    It was discovered that a race condition existed in the USB YUREX
    device driver in the Linux kernel. A physically proximate attacker
    could use this to cause a denial of service (system crash).
    (CVE-2019-15216)
    
    It was discovered that the Siano USB MDTV receiver device driver in
    the Linux kernel made improper assumptions about the device
    characteristics. A physically proximate attacker could use this cause
    a denial of service (system crash). (CVE-2019-15218)
    
    It was discovered that the Line 6 POD USB device driver in the Linux
    kernel did not properly validate data size information from the
    device. A physically proximate attacker could use this to cause a
    denial of service (system crash). (CVE-2019-15221)
    
    Muyu Yu discovered that the CAN implementation in the Linux kernel in
    some situations did not properly restrict the field size when
    processing outgoing frames. A local attacker with CAP_NET_ADMIN
    privileges could use this to execute arbitrary code. (CVE-2019-3701)
    
    Vladis Dronov discovered that the debug interface for the Linux
    kernel's HID subsystem did not properly validate passed parameters in
    some situations. A local privileged attacker could use this to cause a
    denial of service (infinite loop). (CVE-2019-3819).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4118-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected linux-image-4.15-aws, linux-image-aws and / or
    linux-image-aws-hwe packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-hwe");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13098", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14609", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14615", "CVE-2018-14616", "CVE-2018-14617", "CVE-2018-16862", "CVE-2018-19985", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-20784", "CVE-2018-20856", "CVE-2018-5383", "CVE-2019-0136", "CVE-2019-10126", "CVE-2019-10207", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-11085", "CVE-2019-11487", "CVE-2019-11599", "CVE-2019-11810", "CVE-2019-11815", "CVE-2019-11833", "CVE-2019-11884", "CVE-2019-12818", "CVE-2019-12819", "CVE-2019-12984", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-13631", "CVE-2019-14283", "CVE-2019-14284", "CVE-2019-14763", "CVE-2019-15090", "CVE-2019-15211", "CVE-2019-15212", "CVE-2019-15214", "CVE-2019-15215", "CVE-2019-15216", "CVE-2019-15218", "CVE-2019-15220", "CVE-2019-15221", "CVE-2019-15292", "CVE-2019-2024", "CVE-2019-2101", "CVE-2019-3701", "CVE-2019-3819", "CVE-2019-3846", "CVE-2019-3900", "CVE-2019-9506");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-4118-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1047-aws", pkgver:"4.15.0-1047.49~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-aws-hwe", pkgver:"4.15.0.1047.47")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1047-aws", pkgver:"4.15.0-1047.49")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-aws", pkgver:"4.15.0.1047.46")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.15-aws / linux-image-aws / linux-image-aws-hwe");
    }
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2019-030-01.NASL
    descriptionNew kernel packages are available for Slackware 14.2 to fix security issues.
    last seen2020-03-17
    modified2019-01-31
    plugin id121505
    published2019-01-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121505
    titleSlackware 14.2 : Slackware 14.2 kernel (SSA:2019-030-01)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2019-030-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121505);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20");
    
      script_cve_id("CVE-2017-18241", "CVE-2017-18249", "CVE-2018-10880", "CVE-2018-1120", "CVE-2018-12896", "CVE-2018-13053", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14616", "CVE-2018-14633", "CVE-2018-16862", "CVE-2018-16884", "CVE-2018-17972", "CVE-2018-18021", "CVE-2018-18281", "CVE-2018-18690", "CVE-2018-18710", "CVE-2018-19824", "CVE-2018-19985", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-5848", "CVE-2018-7755", "CVE-2019-3701");
      script_xref(name:"SSA", value:"2019-030-01");
    
      script_name(english:"Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-030-01)");
      script_summary(english:"Checks for updated packages in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New kernel packages are available for Slackware 14.2 to fix security
    issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.842527
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0db5ea06"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-14633");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-generic-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-huge");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-huge-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-modules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-modules-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"14.2", pkgname:"kernel-firmware", pkgver:"20190118_a8b75ca", pkgarch:"noarch", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-generic", pkgver:"4.4.172", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-generic-smp", pkgver:"4.4.172_smp", pkgarch:"i686", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-headers", pkgver:"4.4.172_smp", pkgarch:"x86", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-huge", pkgver:"4.4.172", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-huge-smp", pkgver:"4.4.172_smp", pkgarch:"i686", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-modules", pkgver:"4.4.172", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-modules-smp", pkgver:"4.4.172_smp", pkgarch:"i686", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-source", pkgver:"4.4.172_smp", pkgarch:"noarch", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-firmware", pkgver:"20190118_a8b75ca", pkgarch:"noarch", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-generic", pkgver:"4.4.172", pkgarch:"x86_64", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-headers", pkgver:"4.4.172", pkgarch:"x86", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-huge", pkgver:"4.4.172", pkgarch:"x86_64", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-modules", pkgver:"4.4.172", pkgarch:"x86_64", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-source", pkgver:"4.4.172", pkgarch:"noarch", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4094-1.NASL
    descriptionIt was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093) Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616, CVE-2018-13096, CVE-2018-13098, CVE-2018-14615) Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613, CVE-2018-14609) Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617) Vasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. (CVE-2018-16862) Hui Peng and Mathias Payer discovered that the USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169) It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-20856) Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383) It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126) Andrei Vlad Lutas and Dan Lutas discovered that some x86 processors incorrectly handle SWAPGS instructions during speculative execution. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-1125) It was discovered that the PowerPC dlpar implementation in the Linux kernel did not properly check for allocation errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-12614) It was discovered that a NULL pointer dereference vulnerabilty existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818) It was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819) It was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984) Jann Horn discovered a use-after-free vulnerability in the Linux kernel when accessing LDT entries in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13233) Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272) It was discovered that the Empia EM28xx DVB USB device driver implementation in the Linux kernel contained a use-after-free vulnerability when disconnecting the device. An attacker could use this to cause a denial of service (system crash). (CVE-2019-2024) It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101) It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846) It was discovered that the Appletalk IP encapsulation driver in the Linux kernel did not properly prevent kernel addresses from being copied to user space. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information. (CVE-2018-20511). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127889
    published2019-08-14
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127889
    titleUbuntu 16.04 LTS / 18.04 LTS : linux, linux-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, (USN-4094-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4094-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127889);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13098", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14609", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14615", "CVE-2018-14616", "CVE-2018-14617", "CVE-2018-16862", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-20856", "CVE-2018-5383", "CVE-2019-10126", "CVE-2019-1125", "CVE-2019-12614", "CVE-2019-12818", "CVE-2019-12819", "CVE-2019-12984", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-2024", "CVE-2019-2101", "CVE-2019-3846");
      script_xref(name:"USN", value:"4094-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, (USN-4094-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the alarmtimer implementation in the Linux
    kernel contained an integer overflow vulnerability. A local attacker
    could use this to cause a denial of service. (CVE-2018-13053)
    
    Wen Xu discovered that the XFS filesystem implementation in the Linux
    kernel did not properly track inode validations. An attacker could use
    this to construct a malicious XFS image that, when mounted, could
    cause a denial of service (system crash). (CVE-2018-13093)
    
    Wen Xu discovered that the f2fs file system implementation in the
    Linux kernel did not properly validate metadata. An attacker could use
    this to construct a malicious f2fs image that, when mounted, could
    cause a denial of service (system crash). (CVE-2018-13097,
    CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616,
    CVE-2018-13096, CVE-2018-13098, CVE-2018-14615)
    
    Wen Xu and Po-Ning Tseng discovered that btrfs file system
    implementation in the Linux kernel did not properly validate metadata.
    An attacker could use this to construct a malicious btrfs image that,
    when mounted, could cause a denial of service (system crash).
    (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613,
    CVE-2018-14609)
    
    Wen Xu discovered that the HFS+ filesystem implementation in the Linux
    kernel did not properly handle malformed catalog data in some
    situations. An attacker could use this to construct a malicious HFS+
    image that, when mounted, could cause a denial of service (system
    crash). (CVE-2018-14617)
    
    Vasily Averin and Pavel Tikhomirov discovered that the cleancache
    subsystem of the Linux kernel did not properly initialize new files in
    some situations. A local attacker could use this to expose sensitive
    information. (CVE-2018-16862)
    
    Hui Peng and Mathias Payer discovered that the USB subsystem in the
    Linux kernel did not properly handle size checks when handling an
    extra USB descriptor. A physically proximate attacker could use this
    to cause a denial of service (system crash). (CVE-2018-20169)
    
    It was discovered that a use-after-free error existed in the block
    layer subsystem of the Linux kernel when certain failure conditions
    occurred. A local attacker could possibly use this to cause a denial
    of service (system crash) or possibly execute arbitrary code.
    (CVE-2018-20856)
    
    Eli Biham and Lior Neumann discovered that the Bluetooth
    implementation in the Linux kernel did not properly validate elliptic
    curve parameters during Diffie-Hellman key exchange in some
    situations. An attacker could use this to expose sensitive
    information. (CVE-2018-5383)
    
    It was discovered that a heap buffer overflow existed in the Marvell
    Wireless LAN device driver for the Linux kernel. An attacker could use
    this to cause a denial of service (system crash) or possibly execute
    arbitrary code. (CVE-2019-10126)
    
    Andrei Vlad Lutas and Dan Lutas discovered that some x86 processors
    incorrectly handle SWAPGS instructions during speculative execution. A
    local attacker could use this to expose sensitive information (kernel
    memory). (CVE-2019-1125)
    
    It was discovered that the PowerPC dlpar implementation in the Linux
    kernel did not properly check for allocation errors in some
    situations. A local attacker could possibly use this to cause a denial
    of service (system crash). (CVE-2019-12614)
    
    It was discovered that a NULL pointer dereference vulnerabilty existed
    in the Near-field communication (NFC) implementation in the Linux
    kernel. An attacker could use this to cause a denial of service
    (system crash). (CVE-2019-12818)
    
    It was discovered that the MDIO bus devices subsystem in the Linux
    kernel improperly dropped a device reference in an error condition,
    leading to a use-after-free. An attacker could use this to cause a
    denial of service (system crash). (CVE-2019-12819)
    
    It was discovered that a NULL pointer dereference vulnerability
    existed in the Near-field communication (NFC) implementation in the
    Linux kernel. A local attacker could use this to cause a denial of
    service (system crash). (CVE-2019-12984)
    
    Jann Horn discovered a use-after-free vulnerability in the Linux
    kernel when accessing LDT entries in some situations. A local attacker
    could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2019-13233)
    
    Jann Horn discovered that the ptrace implementation in the Linux
    kernel did not properly record credentials in some situations. A local
    attacker could use this to cause a denial of service (system crash) or
    possibly gain administrative privileges. (CVE-2019-13272)
    
    It was discovered that the Empia EM28xx DVB USB device driver
    implementation in the Linux kernel contained a use-after-free
    vulnerability when disconnecting the device. An attacker could use
    this to cause a denial of service (system crash). (CVE-2019-2024)
    
    It was discovered that the USB video device class implementation in
    the Linux kernel did not properly validate control bits, resulting in
    an out of bounds buffer read. A local attacker could use this to
    possibly expose sensitive information (kernel memory). (CVE-2019-2101)
    
    It was discovered that the Marvell Wireless LAN device driver in the
    Linux kernel did not properly validate the BSS descriptor. A local
    attacker could possibly use this to cause a denial of service (system
    crash) or possibly execute arbitrary code. (CVE-2019-3846)
    
    It was discovered that the Appletalk IP encapsulation driver in the
    Linux kernel did not properly prevent kernel addresses from being
    copied to user space. A local attacker with the CAP_NET_ADMIN
    capability could use this to expose sensitive information.
    (CVE-2018-20511).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4094-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3846");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-4.15");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13098", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14609", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14615", "CVE-2018-14616", "CVE-2018-14617", "CVE-2018-16862", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-20856", "CVE-2018-5383", "CVE-2019-10126", "CVE-2019-1125", "CVE-2019-12614", "CVE-2019-12818", "CVE-2019-12819", "CVE-2019-12984", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-2024", "CVE-2019-2101", "CVE-2019-3846");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-4094-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1021-oracle", pkgver:"4.15.0-1021.23~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1040-gcp", pkgver:"4.15.0-1040.42~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1055-azure", pkgver:"4.15.0-1055.60")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-58-generic", pkgver:"4.15.0-58.64~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-58-generic-lpae", pkgver:"4.15.0-58.64~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-58-lowlatency", pkgver:"4.15.0-58.64~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-azure", pkgver:"4.15.0.1055.58")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gcp", pkgver:"4.15.0.1040.54")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-hwe-16.04", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-lpae-hwe-16.04", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gke", pkgver:"4.15.0.1040.54")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-lowlatency-hwe-16.04", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-oem", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-oracle", pkgver:"4.15.0.1021.15")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-virtual-hwe-16.04", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1021-oracle", pkgver:"4.15.0-1021.23")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1040-gcp", pkgver:"4.15.0-1040.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1040-gke", pkgver:"4.15.0-1040.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1042-kvm", pkgver:"4.15.0-1042.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1043-raspi2", pkgver:"4.15.0-1043.46")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1050-oem", pkgver:"4.15.0-1050.57")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1060-snapdragon", pkgver:"4.15.0-1060.66")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-58-generic", pkgver:"4.15.0-58.64")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-58-generic-lpae", pkgver:"4.15.0-58.64")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-58-lowlatency", pkgver:"4.15.0-58.64")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gcp", pkgver:"4.15.0.1040.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic", pkgver:"4.15.0.58.60")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic-lpae", pkgver:"4.15.0.58.60")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gke", pkgver:"4.15.0.1040.43")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gke-4.15", pkgver:"4.15.0.1040.43")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-kvm", pkgver:"4.15.0.1042.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-lowlatency", pkgver:"4.15.0.58.60")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oem", pkgver:"4.15.0.1050.54")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oracle", pkgver:"4.15.0.1021.24")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-raspi2", pkgver:"4.15.0.1043.41")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-snapdragon", pkgver:"4.15.0.1060.63")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-virtual", pkgver:"4.15.0.58.60")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.15-azure / linux-image-4.15-gcp / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1715.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-18249 A race condition was discovered in the disk space allocator of F2FS. A user with access to an F2FS volume could use this to cause a denial of service or other security impact. CVE-2018-1128, CVE-2018-1129 The cephx authentication protocol used by Ceph was susceptible to replay attacks, and calculated signatures incorrectly. These vulnerabilities in the server required changes to authentication that are incompatible with existing clients. The kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id122879
    published2019-03-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122879
    titleDebian DLA-1715-1 : linux-4.9 security update (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1715-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122879);
      script_version("1.4");
      script_cvs_date("Date: 2020/02/05");
    
      script_cve_id("CVE-2017-18249", "CVE-2018-1128", "CVE-2018-1129", "CVE-2018-12896", "CVE-2018-13053", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13100", "CVE-2018-13406", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14616", "CVE-2018-15471", "CVE-2018-16862", "CVE-2018-17972", "CVE-2018-18281", "CVE-2018-18690", "CVE-2018-18710", "CVE-2018-19407", "CVE-2018-3639", "CVE-2018-5391", "CVE-2018-5848", "CVE-2018-6554");
    
      script_name(english:"Debian DLA-1715-1 : linux-4.9 security update (Spectre)");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.
    
    CVE-2017-18249
    
    A race condition was discovered in the disk space allocator of F2FS. A
    user with access to an F2FS volume could use this to cause a denial of
    service or other security impact.
    
    CVE-2018-1128, CVE-2018-1129
    
    The cephx authentication protocol used by Ceph was susceptible to
    replay attacks, and calculated signatures incorrectly. These
    vulnerabilities in the server required changes to authentication that
    are incompatible with existing clients. The kernel's client code has
    now been updated to be compatible with the fixed server.
    
    CVE-2018-3639 (SSB)
    
    Multiple researchers have discovered that Speculative Store Bypass
    (SSB), a feature implemented in many processors, could be used to read
    sensitive information from another context. In particular, code in a
    software sandbox may be able to read sensitive information from
    outside the sandbox. This issue is also known as Spectre variant 4.
    
    This update adds a further mitigation for this issue in the
    eBPF (Extended Berkeley Packet Filter) implementation.
    
    CVE-2018-5391 (FragmentSmack)
    
    Juha-Matti Tilli discovered a flaw in the way the Linux kernel handled
    reassembly of fragmented IPv4 and IPv6 packets. A remote attacker can
    take advantage of this flaw to trigger time and calculation expensive
    fragment reassembly algorithms by sending specially crafted packets,
    leading to remote denial of service.
    
    This was previously mitigated by reducing the default limits
    on memory usage for incomplete fragmented packets. This
    update replaces that mitigation with a more complete fix.
    
    CVE-2018-5848
    
    The wil6210 wifi driver did not properly validate lengths in scan and
    connection requests, leading to a possible buffer overflow. On systems
    using this driver, a local user with the CAP_NET_ADMIN capability
    could use this for denial of service (memory corruption or crash) or
    potentially for privilege escalation.
    
    CVE-2018-12896, CVE-2018-13053
    
    Team OWL337 reported possible integer overflows in the POSIX timer
    implementation. These might have some security impact.
    
    CVE-2018-13096, CVE-2018-13097, CVE-2018-13100, CVE-2018-14614,
    CVE-2018-14616
    
    Wen Xu from SSLab at Gatech reported that crafted F2FS volumes could
    trigger a crash (BUG, Oops, or division by zero) and/or out-of-bounds
    memory access. An attacker able to mount such a volume could use this
    to cause a denial of service or possibly for privilege escalation.
    
    CVE-2018-13406
    
    Dr Silvio Cesare of InfoSect reported a potential integer overflow in
    the uvesafb driver. A user with permission to access such a device
    might be able to use this for denial of service or privilege
    escalation.
    
    CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613
    
    Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes could
    trigger a crash (Oops) and/or out-of-bounds memory access. An attacker
    able to mount such a volume could use this to cause a denial of
    service or possibly for privilege escalation.
    
    CVE-2018-15471 ((XSA-270)
    
    Felix Wilhelm of Google Project Zero discovered a flaw in the hash
    handling of the xen-netback Linux kernel module. A malicious or buggy
    frontend may cause the (usually privileged) backend to make out of
    bounds memory accesses, potentially resulting in privilege escalation,
    denial of service, or information leaks.
    
    https://xenbits.xen.org/xsa/advisory-270.html
    
    CVE-2018-16862
    
    Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team
    discovered that the cleancache memory management feature did not
    invalidate cached data for deleted files. On Xen guests using the tmem
    driver, local users could potentially read data from other users'
    deleted files if they were able to create new files on the same
    volume.
    
    CVE-2018-17972
    
    Jann Horn reported that the /proc/*/stack files in procfs leaked
    sensitive data from the kernel. These files are now only readable by
    users with the CAP_SYS_ADMIN capability (usually only root)
    
    CVE-2018-18281
    
    Jann Horn reported a race condition in the virtual memory manager that
    can result in a process briefly having access to memory after it is
    freed and reallocated. A local user could possibly exploit this for
    denial of service (memory corruption) or for privilege escalation.
    
    CVE-2018-18690
    
    Kanda Motohiro reported that XFS did not correctly handle some xattr
    (extended attribute) writes that require changing the disk format of
    the xattr. A user with access to an XFS volume could use this for
    denial of service.
    
    CVE-2018-18710
    
    It was discovered that the cdrom driver does not correctly validate
    the parameter to the CDROM_SELECT_DISC ioctl. A user with access to a
    cdrom device could use this to read sensitive information from the
    kernel or to cause a denial of service (crash).
    
    CVE-2018-19407
    
    Wei Wu reported a potential crash (Oops) in the KVM implementation for
    x86 processors. A user with access to /dev/kvm could use this for
    denial of service.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    4.9.144-3.1~deb8u1. This version also includes fixes for Debian bugs
    #890034, #896911, #907581, #915229, and #915231; and other fixes
    included in upstream stable updates.
    
    We recommend that you upgrade your linux-4.9 packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/linux-4.9"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://xenbits.xen.org/xsa/advisory-270.html"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-13406");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-4.9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-armel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-armhf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-i386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-common-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-marvell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-rt-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-rt-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686-pae-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-amd64-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-marvell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-686-pae-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-amd64-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-kbuild-4.9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-4.9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-perf-4.9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-4.9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-4.9.0-0.bpo.7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/18");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-arm", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-doc-4.9", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-686", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-686-pae", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-amd64", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-armel", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-armhf", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-i386", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-amd64", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-armmp", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-armmp-lpae", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-common", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-common-rt", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-marvell", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-rt-686-pae", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-rt-amd64", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-686", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-686-pae", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-686-pae-dbg", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-amd64", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-amd64-dbg", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-armmp", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-armmp-lpae", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-marvell", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-686-pae", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-686-pae-dbg", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-amd64", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-amd64-dbg", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-kbuild-4.9", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-manual-4.9", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-perf-4.9", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-source-4.9", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-support-4.9.0-0.bpo.7", reference:"4.9.144-3.1~deb8u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1484.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel, Hisilicon Network Subsystem (HNS) does not consider the ETH_SS_PRIV_FLAGS case when retrieving sset_count data. This allows local users to cause a denial of service (buffer overflow and memory corruption) or possibly have unspecified other impacts.(CVE-2017-18222i1/4%0 - A flaw was found in the way the Linux kernel
    last seen2020-03-19
    modified2019-05-13
    plugin id124808
    published2019-05-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124808
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1484)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124808);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2013-7266",
        "CVE-2014-2672",
        "CVE-2014-2678",
        "CVE-2014-8086",
        "CVE-2015-0569",
        "CVE-2015-2150",
        "CVE-2015-3331",
        "CVE-2015-5307",
        "CVE-2015-5366",
        "CVE-2016-4440",
        "CVE-2016-7117",
        "CVE-2016-7914",
        "CVE-2017-1000410",
        "CVE-2017-17052",
        "CVE-2017-18222",
        "CVE-2017-6214",
        "CVE-2018-10087",
        "CVE-2018-10878",
        "CVE-2018-13100",
        "CVE-2018-18690"
      );
      script_bugtraq_id(
        64743,
        66492,
        66543,
        70376,
        73014,
        74235,
        75510
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1484)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - In the Linux kernel, Hisilicon Network Subsystem (HNS)
        does not consider the ETH_SS_PRIV_FLAGS case when
        retrieving sset_count data. This allows local users to
        cause a denial of service (buffer overflow and memory
        corruption) or possibly have unspecified other
        impacts.(CVE-2017-18222i1/4%0
    
      - A flaw was found in the way the Linux kernel's
        networking implementation handled UDP packets with
        incorrect checksum values. A remote attacker could
        potentially use this flaw to trigger an infinite loop
        in the kernel, resulting in a denial of service on the
        system, or cause a denial of service in applications
        using the edge triggered epoll
        functionality.(CVE-2015-5366i1/4%0
    
      - A use-after-free vulnerability was found in the
        kernel's socket recvmmsg subsystem. This may allow
        remote attackers to corrupt memory and may allow
        execution of arbitrary code. This corruption takes
        place during the error handling routines within
        __sys_recvmmsg() function.(CVE-2016-7117i1/4%0
    
      - arch/x86/kvm/vmx.c in the Linux kernel through 4.6.3
        mishandles the APICv on/off state, which allows guest
        OS users to obtain direct APIC MSR access on the host
        OS, and consequently cause a denial of service (host OS
        crash) or possibly execute arbitrary code on the host
        OS, via x2APIC mode.(CVE-2016-4440i1/4%0
    
      - In the Linux kernel before 4.17, a local attacker able
        to set attributes on an xfs filesystem could make this
        filesystem non-operational until the next mount by
        triggering an unchecked error condition during an xfs
        attribute change, because xfs_attr_shortform_addname in
        fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE
        operations with conversion of an attr from short to
        long form.(CVE-2018-18690i1/4%0
    
      - A flaw was found in the Linux kernel's ext4 filesystem.
        A local user can cause an out-of-bounds write and a
        denial of service or unspecified other impact is
        possible by mounting and operating a crafted ext4
        filesystem image.(CVE-2018-10878i1/4%0
    
      - Xen 3.3.x through 4.5.x and the Linux kernel through
        3.19.1 do not properly restrict access to PCI command
        registers, which might allow local guest OS users to
        cause a denial of service (non-maskable interrupt and
        host crash) by disabling the (1) memory or (2) I/O
        decoding for a PCI Express device and then accessing
        the device, which triggers an Unsupported Request (UR)
        response.(CVE-2015-2150i1/4%0
    
      - The assoc_array_insert_into_terminal_node() function in
        'lib/assoc_array.c' in the Linux kernel before 4.5.3
        does not check whether a slot is a leaf, which allows
        local users to obtain sensitive information from kernel
        memory or cause a denial of service (invalid pointer
        dereference and out-of-bounds read) via an application
        that uses associative-array data
        structures.(CVE-2016-7914i1/4%0
    
      - It was found that the x86 ISA (Instruction Set
        Architecture) is prone to a denial of service attack
        inside a virtualized environment in the form of an
        infinite loop in the microcode due to the way
        (sequential) delivering of benign exceptions such as
        #AC (alignment check exception) is handled. A
        privileged user inside a guest could use this flaw to
        create denial of service conditions on the host
        kernel.(CVE-2015-5307i1/4%0
    
      - An issue was discovered in fs/f2fs/super.c in the Linux
        kernel, which does not properly validate secs_per_zone
        in a corrupted f2fs image. This may lead to a
        divide-by-zero error and a system
        crash.(CVE-2018-13100i1/4%0
    
      - The mISDN_sock_recvmsg function in
        drivers/isdn/mISDN/socket.c in the Linux kernel before
        3.12.4 does not ensure that a certain length value is
        consistent with the size of an associated data
        structure, which allows local users to obtain sensitive
        information from kernel memory via a (1) recvfrom, (2)
        recvmmsg, or (3) recvmsg system call.(CVE-2013-7266i1/4%0
    
      - A NULL pointer dereference flaw was found in the
        rds_iw_laddr_check() function in the Linux kernel's
        implementation of Reliable Datagram Sockets (RDS). A
        local, unprivileged user could use this flaw to crash
        the system.(CVE-2014-2678i1/4%0
    
      - A flaw was found in the Linux kernel's handling of
        packets with the URG flag. Applications using the
        splice() and tcp_splice_read() functionality could
        allow a remote attacker to force the kernel to enter a
        condition in which it could loop
        indefinitely.(CVE-2017-6214i1/4%0
    
      - The kernel_wait4 function in kernel/exit.c in the Linux
        kernel before 4.13, when an unspecified architecture
        and compiler is used, might allow local users to cause
        a denial of service by triggering an attempted use of
        the -INT_MIN value.(CVE-2018-10087i1/4%0
    
      - Heap-based buffer overflow in the private wireless
        extensions IOCTL implementation in wlan_hdd_wext.c in
        the WLAN (aka Wi-Fi) driver for the Linux kernel 3.x
        and 4.x, as used in Qualcomm Innovation Center (QuIC)
        Android contributions for MSM devices and other
        products, allows attackers to gain privileges via a
        crafted application that establishes a packet
        filter.(CVE-2015-0569i1/4%0
    
      - A race condition flaw was found in the Linux kernel's
        ext4 file system implementation that allowed a local,
        unprivileged user to crash the system by simultaneously
        writing to a file and toggling the O_DIRECT flag using
        fcntl(F_SETFL) on that file.(CVE-2014-8086i1/4%0
    
      - The mm_init function in kernel/fork.c in the Linux
        kernel before 4.12.10 does not clear the -i1/4zexe_file
        member of a new process's mm_struct, allowing a local
        attacker to achieve a use-after-free condition and to
        induce a kernel memory corruption on the system,
        leading to a crash or possibly have unspecified other
        impact by running a specially crafted program. Due to
        the nature of the flaw, privilege escalation cannot be
        fully ruled out, although we feel it is
        unlikely.(CVE-2017-17052i1/4%0
    
      - A buffer overflow flaw was found in the way the Linux
        kernel's Intel AES-NI instructions optimized version of
        the RFC4106 GCM mode decryption functionality handled
        fragmented packets. A remote attacker could use this
        flaw to crash, or potentially escalate their privileges
        on, a system over a connection with an active AES-GCM
        mode IPSec security association.(CVE-2015-3331i1/4%0
    
      - A flaw was found in the processing of incoming L2CAP
        bluetooth commands. Uninitialized stack variables can
        be sent to an attacker leaking data in kernel address
        space.(CVE-2017-1000410i1/4%0
    
      - It was found that a remote attacker could use a race
        condition flaw in the ath_tx_aggr_sleep() function to
        crash the system by creating large network traffic on
        the system's Atheros 9k wireless network
        adapter.(CVE-2014-2672i1/4%0
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1484
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?afeb6657");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.28-1.2.117",
            "kernel-devel-4.19.28-1.2.117",
            "kernel-headers-4.19.28-1.2.117",
            "kernel-tools-4.19.28-1.2.117",
            "kernel-tools-libs-4.19.28-1.2.117",
            "kernel-tools-libs-devel-4.19.28-1.2.117",
            "perf-4.19.28-1.2.117",
            "python-perf-4.19.28-1.2.117"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3932-2.NASL
    descriptionUSN-3932-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that a race condition existed in the f2fs file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18249) Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616) Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613) Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884) It was discovered that a use-after-free vulnerability existed in the PPP over L2TP implementation in the Linux kernel. A privileged local attacker could use this to possibly execute arbitrary code. (CVE-2018-9517) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id123681
    published2019-04-03
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123681
    titleUbuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3932-2)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3932-1.NASL
    descriptionIt was discovered that a race condition existed in the f2fs file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18249) Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616) Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613) Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884) It was discovered that a use-after-free vulnerability existed in the PPP over L2TP implementation in the Linux kernel. A privileged local attacker could use this to possibly execute arbitrary code. (CVE-2018-9517) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id123680
    published2019-04-03
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123680
    titleUbuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3932-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1184.NASL
    descriptionThe openSUSE Leap 42.3 kernel was updated to 4.4.159 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-13096: A denial of service (out-of-bounds memory access and BUG) can occur upon encountering an abnormal bitmap size when mounting a crafted f2fs image (bnc#1100062). - CVE-2018-13097: There is an out-of-bounds read or a divide-by-zero error for an incorrect user_block_count in a corrupted f2fs image, leading to a denial of service (BUG) (bnc#1100061). - CVE-2018-13098: A denial of service (slab out-of-bounds read and BUG) can occur for a modified f2fs filesystem image in which FI_EXTRA_ATTR is set in an inode (bnc#1100060). - CVE-2018-13099: A denial of service (out-of-bounds memory access and BUG) can occur for a modified f2fs filesystem image in which an inline inode contains an invalid reserved blkaddr (bnc#1100059). - CVE-2018-13100: An issue was discovered in fs/f2fs/super.c which did not properly validate secs_per_zone in a corrupted f2fs image, as demonstrated by a divide-by-zero error (bnc#1100056). - CVE-2018-14613: There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c (bnc#1102896). - CVE-2018-14617: There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory (bnc#1102870). - CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack-based buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target
    last seen2020-06-05
    modified2018-10-18
    plugin id118194
    published2018-10-18
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118194
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2018-1184)