Vulnerabilities > CVE-2018-14611 - Use After Free vulnerability in Linux Kernel

047910
CVSS 7.1 - HIGH
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
linux
debian
CWE-416
nessus

Summary

An issue was discovered in the Linux kernel through 4.17.10. There is a use-after-free in try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in btrfs_check_chunk_valid in fs/btrfs/volumes.c.

Vulnerable Configurations

Part Description Count
OS
Linux
2949
OS
Debian
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4118-1.NASL
    descriptionIt was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093) Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13096, CVE-2018-13097, CVE-2018-13098, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14615, CVE-2018-14616) Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14609, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613) Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617) Vasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. (CVE-2018-16862) Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985) Hui Peng and Mathias Payer discovered that the USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169) Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-20856) Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383) It was discovered that the Intel wifi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (wifi disconnect). (CVE-2019-0136) It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126) It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207) Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638) Amit Klein and Benny Pinkas discovered that the location of kernel addresses could exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel. (CVE-2019-10639) Adam Zabrocki discovered that the Intel i915 kernel mode graphics driver in the Linux kernel did not properly restrict mmap() ranges in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11085) It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487) Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2019-11599) It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-11810) It was discovered that a race condition leading to a use-after-free existed in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11815) It was discovered that the ext4 file system implementation in the Linux kernel did not properly zero out memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11833) It was discovered that the Bluetooth Human Interface Device Protocol (HIDP) implementation in the Linux kernel did not properly verify strings were NULL terminated in certain situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11884) It was discovered that a NULL pointer dereference vulnerabilty existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818) It was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819) It was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984) Jann Horn discovered a use-after-free vulnerability in the Linux kernel when accessing LDT entries in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13233) Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272) It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13631) It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14283) It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284) Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-14763) It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090) It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2019-15211) It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212) It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) pro possibly execute arbitrary code. (CVE-2019-15214) It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15220) It was discovered that a use-after-free vulnerability existed in the Appletalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-15292) It was discovered that the Empia EM28xx DVB USB device driver implementation in the Linux kernel contained a use-after-free vulnerability when disconnecting the device. An attacker could use this to cause a denial of service (system crash). (CVE-2019-2024) It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101) It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846) Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system. (CVE-2019-3900) Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physicall proximate attacker could use this to expose sensitive information. (CVE-2019-9506) It was discovered that the Appletalk IP encapsulation driver in the Linux kernel did not properly prevent kernel addresses from being copied to user space. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information. (CVE-2018-20511) It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15216) It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218) It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id128478
    published2019-09-03
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128478
    titleUbuntu 16.04 LTS / 18.04 LTS : linux-aws vulnerabilities (USN-4118-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4118-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128478);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/24 11:30:51");
    
      script_cve_id("CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13098", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14609", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14615", "CVE-2018-14616", "CVE-2018-14617", "CVE-2018-16862", "CVE-2018-19985", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-20784", "CVE-2018-20856", "CVE-2018-5383", "CVE-2019-0136", "CVE-2019-10126", "CVE-2019-10207", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-11085", "CVE-2019-11487", "CVE-2019-11599", "CVE-2019-11810", "CVE-2019-11815", "CVE-2019-11833", "CVE-2019-11884", "CVE-2019-12818", "CVE-2019-12819", "CVE-2019-12984", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-13631", "CVE-2019-14283", "CVE-2019-14284", "CVE-2019-14763", "CVE-2019-15090", "CVE-2019-15211", "CVE-2019-15212", "CVE-2019-15214", "CVE-2019-15215", "CVE-2019-15216", "CVE-2019-15218", "CVE-2019-15220", "CVE-2019-15221", "CVE-2019-15292", "CVE-2019-2024", "CVE-2019-2101", "CVE-2019-3701", "CVE-2019-3819", "CVE-2019-3846", "CVE-2019-3900", "CVE-2019-9506");
      script_xref(name:"USN", value:"4118-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS : linux-aws vulnerabilities (USN-4118-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the alarmtimer implementation in the Linux
    kernel contained an integer overflow vulnerability. A local attacker
    could use this to cause a denial of service. (CVE-2018-13053)
    
    Wen Xu discovered that the XFS filesystem implementation in the Linux
    kernel did not properly track inode validations. An attacker could use
    this to construct a malicious XFS image that, when mounted, could
    cause a denial of service (system crash). (CVE-2018-13093)
    
    Wen Xu discovered that the f2fs file system implementation in the
    Linux kernel did not properly validate metadata. An attacker could use
    this to construct a malicious f2fs image that, when mounted, could
    cause a denial of service (system crash). (CVE-2018-13096,
    CVE-2018-13097, CVE-2018-13098, CVE-2018-13099, CVE-2018-13100,
    CVE-2018-14614, CVE-2018-14615, CVE-2018-14616)
    
    Wen Xu and Po-Ning Tseng discovered that btrfs file system
    implementation in the Linux kernel did not properly validate metadata.
    An attacker could use this to construct a malicious btrfs image that,
    when mounted, could cause a denial of service (system crash).
    (CVE-2018-14609, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612,
    CVE-2018-14613)
    
    Wen Xu discovered that the HFS+ filesystem implementation in the Linux
    kernel did not properly handle malformed catalog data in some
    situations. An attacker could use this to construct a malicious HFS+
    image that, when mounted, could cause a denial of service (system
    crash). (CVE-2018-14617)
    
    Vasily Averin and Pavel Tikhomirov discovered that the cleancache
    subsystem of the Linux kernel did not properly initialize new files in
    some situations. A local attacker could use this to expose sensitive
    information. (CVE-2018-16862)
    
    Hui Peng and Mathias Payer discovered that the Option USB High Speed
    driver in the Linux kernel did not properly validate metadata received
    from the device. A physically proximate attacker could use this to
    cause a denial of service (system crash). (CVE-2018-19985)
    
    Hui Peng and Mathias Payer discovered that the USB subsystem in the
    Linux kernel did not properly handle size checks when handling an
    extra USB descriptor. A physically proximate attacker could use this
    to cause a denial of service (system crash). (CVE-2018-20169)
    
    Zhipeng Xie discovered that an infinite loop could triggered in the
    CFS Linux kernel process scheduler. A local attacker could possibly
    use this to cause a denial of service. (CVE-2018-20784)
    
    It was discovered that a use-after-free error existed in the block
    layer subsystem of the Linux kernel when certain failure conditions
    occurred. A local attacker could possibly use this to cause a denial
    of service (system crash) or possibly execute arbitrary code.
    (CVE-2018-20856)
    
    Eli Biham and Lior Neumann discovered that the Bluetooth
    implementation in the Linux kernel did not properly validate elliptic
    curve parameters during Diffie-Hellman key exchange in some
    situations. An attacker could use this to expose sensitive
    information. (CVE-2018-5383)
    
    It was discovered that the Intel wifi device driver in the Linux
    kernel did not properly validate certain Tunneled Direct Link Setup
    (TDLS). A physically proximate attacker could use this to cause a
    denial of service (wifi disconnect). (CVE-2019-0136)
    
    It was discovered that a heap buffer overflow existed in the Marvell
    Wireless LAN device driver for the Linux kernel. An attacker could use
    this to cause a denial of service (system crash) or possibly execute
    arbitrary code. (CVE-2019-10126)
    
    It was discovered that the Bluetooth UART implementation in the Linux
    kernel did not properly check for missing tty operations. A local
    attacker could use this to cause a denial of service. (CVE-2019-10207)
    
    Amit Klein and Benny Pinkas discovered that the Linux kernel did not
    sufficiently randomize IP ID values generated for connectionless
    networking protocols. A remote attacker could use this to track
    particular Linux devices. (CVE-2019-10638)
    
    Amit Klein and Benny Pinkas discovered that the location of kernel
    addresses could exposed by the implementation of connection-less
    network protocols in the Linux kernel. A remote attacker could
    possibly use this to assist in the exploitation of another
    vulnerability in the Linux kernel. (CVE-2019-10639)
    
    Adam Zabrocki discovered that the Intel i915 kernel mode graphics
    driver in the Linux kernel did not properly restrict mmap() ranges in
    some situations. A local attacker could use this to cause a denial of
    service (system crash) or possibly execute arbitrary code.
    (CVE-2019-11085)
    
    It was discovered that an integer overflow existed in the Linux kernel
    when reference counting pages, leading to potential use-after-free
    issues. A local attacker could use this to cause a denial of service
    (system crash) or possibly execute arbitrary code. (CVE-2019-11487)
    
    Jann Horn discovered that a race condition existed in the Linux kernel
    when performing core dumps. A local attacker could use this to cause a
    denial of service (system crash) or expose sensitive information.
    (CVE-2019-11599)
    
    It was discovered that a NULL pointer dereference vulnerability
    existed in the LSI Logic MegaRAID driver in the Linux kernel. A local
    attacker could use this to cause a denial of service (system crash).
    (CVE-2019-11810)
    
    It was discovered that a race condition leading to a use-after-free
    existed in the Reliable Datagram Sockets (RDS) protocol implementation
    in the Linux kernel. The RDS protocol is blacklisted by default in
    Ubuntu. If enabled, a local attacker could use this to cause a denial
    of service (system crash) or possibly execute arbitrary code.
    (CVE-2019-11815)
    
    It was discovered that the ext4 file system implementation in the
    Linux kernel did not properly zero out memory in some situations. A
    local attacker could use this to expose sensitive information (kernel
    memory). (CVE-2019-11833)
    
    It was discovered that the Bluetooth Human Interface Device Protocol
    (HIDP) implementation in the Linux kernel did not properly verify
    strings were NULL terminated in certain situations. A local attacker
    could use this to expose sensitive information (kernel memory).
    (CVE-2019-11884)
    
    It was discovered that a NULL pointer dereference vulnerabilty existed
    in the Near-field communication (NFC) implementation in the Linux
    kernel. An attacker could use this to cause a denial of service
    (system crash). (CVE-2019-12818)
    
    It was discovered that the MDIO bus devices subsystem in the Linux
    kernel improperly dropped a device reference in an error condition,
    leading to a use-after-free. An attacker could use this to cause a
    denial of service (system crash). (CVE-2019-12819)
    
    It was discovered that a NULL pointer dereference vulnerability
    existed in the Near-field communication (NFC) implementation in the
    Linux kernel. A local attacker could use this to cause a denial of
    service (system crash). (CVE-2019-12984)
    
    Jann Horn discovered a use-after-free vulnerability in the Linux
    kernel when accessing LDT entries in some situations. A local attacker
    could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2019-13233)
    
    Jann Horn discovered that the ptrace implementation in the Linux
    kernel did not properly record credentials in some situations. A local
    attacker could use this to cause a denial of service (system crash) or
    possibly gain administrative privileges. (CVE-2019-13272)
    
    It was discovered that the GTCO tablet input driver in the Linux
    kernel did not properly bounds check the initial HID report sent by
    the device. A physically proximate attacker could use to cause a
    denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2019-13631)
    
    It was discovered that the floppy driver in the Linux kernel did not
    properly validate meta data, leading to a buffer overread. A local
    attacker could use this to cause a denial of service (system crash).
    (CVE-2019-14283)
    
    It was discovered that the floppy driver in the Linux kernel did not
    properly validate ioctl() calls, leading to a division-by-zero. A
    local attacker could use this to cause a denial of service (system
    crash). (CVE-2019-14284)
    
    Tuba Yavuz discovered that a race condition existed in the DesignWare
    USB3 DRD Controller device driver in the Linux kernel. A physically
    proximate attacker could use this to cause a denial of service.
    (CVE-2019-14763)
    
    It was discovered that an out-of-bounds read existed in the QLogic
    QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker
    could possibly use this to expose sensitive information (kernel
    memory). (CVE-2019-15090)
    
    It was discovered that the Raremono AM/FM/SW radio device driver in
    the Linux kernel did not properly allocate memory, leading to a
    use-after-free. A physically proximate attacker could use this to
    cause a denial of service or possibly execute arbitrary code.
    (CVE-2019-15211)
    
    It was discovered at a double-free error existed in the USB Rio 500
    device driver for the Linux kernel. A physically proximate attacker
    could use this to cause a denial of service. (CVE-2019-15212)
    
    It was discovered that a race condition existed in the Advanced Linux
    Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a
    potential use-after-free. A physically proximate attacker could use
    this to cause a denial of service (system crash) pro possibly execute
    arbitrary code. (CVE-2019-15214)
    
    It was discovered that a race condition existed in the CPiA2
    video4linux device driver for the Linux kernel, leading to a
    use-after-free. A physically proximate attacker could use this to
    cause a denial of service (system crash) or possibly execute arbitrary
    code. (CVE-2019-15215)
    
    It was discovered that a race condition existed in the Softmac USB
    Prism54 device driver in the Linux kernel. A physically proximate
    attacker could use this to cause a denial of service (system crash).
    (CVE-2019-15220)
    
    It was discovered that a use-after-free vulnerability existed in the
    Appletalk implementation in the Linux kernel if an error occurs during
    initialization. A local attacker could use this to cause a denial of
    service (system crash). (CVE-2019-15292)
    
    It was discovered that the Empia EM28xx DVB USB device driver
    implementation in the Linux kernel contained a use-after-free
    vulnerability when disconnecting the device. An attacker could use
    this to cause a denial of service (system crash). (CVE-2019-2024)
    
    It was discovered that the USB video device class implementation in
    the Linux kernel did not properly validate control bits, resulting in
    an out of bounds buffer read. A local attacker could use this to
    possibly expose sensitive information (kernel memory). (CVE-2019-2101)
    
    It was discovered that the Marvell Wireless LAN device driver in the
    Linux kernel did not properly validate the BSS descriptor. A local
    attacker could possibly use this to cause a denial of service (system
    crash) or possibly execute arbitrary code. (CVE-2019-3846)
    
    Jason Wang discovered that an infinite loop vulnerability existed in
    the virtio net driver in the Linux kernel. A local attacker in a guest
    VM could possibly use this to cause a denial of service in the host
    system. (CVE-2019-3900)
    
    Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen
    discovered that the Bluetooth protocol BR/EDR specification did not
    properly require sufficiently strong encryption key lengths. A
    physicall proximate attacker could use this to expose sensitive
    information. (CVE-2019-9506)
    
    It was discovered that the Appletalk IP encapsulation driver in the
    Linux kernel did not properly prevent kernel addresses from being
    copied to user space. A local attacker with the CAP_NET_ADMIN
    capability could use this to expose sensitive information.
    (CVE-2018-20511)
    
    It was discovered that a race condition existed in the USB YUREX
    device driver in the Linux kernel. A physically proximate attacker
    could use this to cause a denial of service (system crash).
    (CVE-2019-15216)
    
    It was discovered that the Siano USB MDTV receiver device driver in
    the Linux kernel made improper assumptions about the device
    characteristics. A physically proximate attacker could use this cause
    a denial of service (system crash). (CVE-2019-15218)
    
    It was discovered that the Line 6 POD USB device driver in the Linux
    kernel did not properly validate data size information from the
    device. A physically proximate attacker could use this to cause a
    denial of service (system crash). (CVE-2019-15221)
    
    Muyu Yu discovered that the CAN implementation in the Linux kernel in
    some situations did not properly restrict the field size when
    processing outgoing frames. A local attacker with CAP_NET_ADMIN
    privileges could use this to execute arbitrary code. (CVE-2019-3701)
    
    Vladis Dronov discovered that the debug interface for the Linux
    kernel's HID subsystem did not properly validate passed parameters in
    some situations. A local privileged attacker could use this to cause a
    denial of service (infinite loop). (CVE-2019-3819).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4118-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected linux-image-4.15-aws, linux-image-aws and / or
    linux-image-aws-hwe packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-hwe");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13098", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14609", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14615", "CVE-2018-14616", "CVE-2018-14617", "CVE-2018-16862", "CVE-2018-19985", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-20784", "CVE-2018-20856", "CVE-2018-5383", "CVE-2019-0136", "CVE-2019-10126", "CVE-2019-10207", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-11085", "CVE-2019-11487", "CVE-2019-11599", "CVE-2019-11810", "CVE-2019-11815", "CVE-2019-11833", "CVE-2019-11884", "CVE-2019-12818", "CVE-2019-12819", "CVE-2019-12984", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-13631", "CVE-2019-14283", "CVE-2019-14284", "CVE-2019-14763", "CVE-2019-15090", "CVE-2019-15211", "CVE-2019-15212", "CVE-2019-15214", "CVE-2019-15215", "CVE-2019-15216", "CVE-2019-15218", "CVE-2019-15220", "CVE-2019-15221", "CVE-2019-15292", "CVE-2019-2024", "CVE-2019-2101", "CVE-2019-3701", "CVE-2019-3819", "CVE-2019-3846", "CVE-2019-3900", "CVE-2019-9506");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-4118-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1047-aws", pkgver:"4.15.0-1047.49~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-aws-hwe", pkgver:"4.15.0.1047.47")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1047-aws", pkgver:"4.15.0-1047.49")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-aws", pkgver:"4.15.0.1047.46")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.15-aws / linux-image-aws / linux-image-aws-hwe");
    }
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2019-030-01.NASL
    descriptionNew kernel packages are available for Slackware 14.2 to fix security issues.
    last seen2020-03-17
    modified2019-01-31
    plugin id121505
    published2019-01-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121505
    titleSlackware 14.2 : Slackware 14.2 kernel (SSA:2019-030-01)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2019-030-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121505);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20");
    
      script_cve_id("CVE-2017-18241", "CVE-2017-18249", "CVE-2018-10880", "CVE-2018-1120", "CVE-2018-12896", "CVE-2018-13053", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14616", "CVE-2018-14633", "CVE-2018-16862", "CVE-2018-16884", "CVE-2018-17972", "CVE-2018-18021", "CVE-2018-18281", "CVE-2018-18690", "CVE-2018-18710", "CVE-2018-19824", "CVE-2018-19985", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-5848", "CVE-2018-7755", "CVE-2019-3701");
      script_xref(name:"SSA", value:"2019-030-01");
    
      script_name(english:"Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-030-01)");
      script_summary(english:"Checks for updated packages in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New kernel packages are available for Slackware 14.2 to fix security
    issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.842527
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0db5ea06"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-14633");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-generic-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-huge");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-huge-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-modules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-modules-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"14.2", pkgname:"kernel-firmware", pkgver:"20190118_a8b75ca", pkgarch:"noarch", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-generic", pkgver:"4.4.172", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-generic-smp", pkgver:"4.4.172_smp", pkgarch:"i686", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-headers", pkgver:"4.4.172_smp", pkgarch:"x86", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-huge", pkgver:"4.4.172", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-huge-smp", pkgver:"4.4.172_smp", pkgarch:"i686", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-modules", pkgver:"4.4.172", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-modules-smp", pkgver:"4.4.172_smp", pkgarch:"i686", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-source", pkgver:"4.4.172_smp", pkgarch:"noarch", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-firmware", pkgver:"20190118_a8b75ca", pkgarch:"noarch", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-generic", pkgver:"4.4.172", pkgarch:"x86_64", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-headers", pkgver:"4.4.172", pkgarch:"x86", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-huge", pkgver:"4.4.172", pkgarch:"x86_64", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-modules", pkgver:"4.4.172", pkgarch:"x86_64", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-source", pkgver:"4.4.172", pkgarch:"noarch", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4094-1.NASL
    descriptionIt was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093) Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616, CVE-2018-13096, CVE-2018-13098, CVE-2018-14615) Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613, CVE-2018-14609) Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617) Vasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. (CVE-2018-16862) Hui Peng and Mathias Payer discovered that the USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169) It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-20856) Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383) It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126) Andrei Vlad Lutas and Dan Lutas discovered that some x86 processors incorrectly handle SWAPGS instructions during speculative execution. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-1125) It was discovered that the PowerPC dlpar implementation in the Linux kernel did not properly check for allocation errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-12614) It was discovered that a NULL pointer dereference vulnerabilty existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818) It was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819) It was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984) Jann Horn discovered a use-after-free vulnerability in the Linux kernel when accessing LDT entries in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13233) Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272) It was discovered that the Empia EM28xx DVB USB device driver implementation in the Linux kernel contained a use-after-free vulnerability when disconnecting the device. An attacker could use this to cause a denial of service (system crash). (CVE-2019-2024) It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101) It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846) It was discovered that the Appletalk IP encapsulation driver in the Linux kernel did not properly prevent kernel addresses from being copied to user space. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information. (CVE-2018-20511). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127889
    published2019-08-14
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127889
    titleUbuntu 16.04 LTS / 18.04 LTS : linux, linux-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, (USN-4094-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4094-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127889);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13098", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14609", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14615", "CVE-2018-14616", "CVE-2018-14617", "CVE-2018-16862", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-20856", "CVE-2018-5383", "CVE-2019-10126", "CVE-2019-1125", "CVE-2019-12614", "CVE-2019-12818", "CVE-2019-12819", "CVE-2019-12984", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-2024", "CVE-2019-2101", "CVE-2019-3846");
      script_xref(name:"USN", value:"4094-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, (USN-4094-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the alarmtimer implementation in the Linux
    kernel contained an integer overflow vulnerability. A local attacker
    could use this to cause a denial of service. (CVE-2018-13053)
    
    Wen Xu discovered that the XFS filesystem implementation in the Linux
    kernel did not properly track inode validations. An attacker could use
    this to construct a malicious XFS image that, when mounted, could
    cause a denial of service (system crash). (CVE-2018-13093)
    
    Wen Xu discovered that the f2fs file system implementation in the
    Linux kernel did not properly validate metadata. An attacker could use
    this to construct a malicious f2fs image that, when mounted, could
    cause a denial of service (system crash). (CVE-2018-13097,
    CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616,
    CVE-2018-13096, CVE-2018-13098, CVE-2018-14615)
    
    Wen Xu and Po-Ning Tseng discovered that btrfs file system
    implementation in the Linux kernel did not properly validate metadata.
    An attacker could use this to construct a malicious btrfs image that,
    when mounted, could cause a denial of service (system crash).
    (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613,
    CVE-2018-14609)
    
    Wen Xu discovered that the HFS+ filesystem implementation in the Linux
    kernel did not properly handle malformed catalog data in some
    situations. An attacker could use this to construct a malicious HFS+
    image that, when mounted, could cause a denial of service (system
    crash). (CVE-2018-14617)
    
    Vasily Averin and Pavel Tikhomirov discovered that the cleancache
    subsystem of the Linux kernel did not properly initialize new files in
    some situations. A local attacker could use this to expose sensitive
    information. (CVE-2018-16862)
    
    Hui Peng and Mathias Payer discovered that the USB subsystem in the
    Linux kernel did not properly handle size checks when handling an
    extra USB descriptor. A physically proximate attacker could use this
    to cause a denial of service (system crash). (CVE-2018-20169)
    
    It was discovered that a use-after-free error existed in the block
    layer subsystem of the Linux kernel when certain failure conditions
    occurred. A local attacker could possibly use this to cause a denial
    of service (system crash) or possibly execute arbitrary code.
    (CVE-2018-20856)
    
    Eli Biham and Lior Neumann discovered that the Bluetooth
    implementation in the Linux kernel did not properly validate elliptic
    curve parameters during Diffie-Hellman key exchange in some
    situations. An attacker could use this to expose sensitive
    information. (CVE-2018-5383)
    
    It was discovered that a heap buffer overflow existed in the Marvell
    Wireless LAN device driver for the Linux kernel. An attacker could use
    this to cause a denial of service (system crash) or possibly execute
    arbitrary code. (CVE-2019-10126)
    
    Andrei Vlad Lutas and Dan Lutas discovered that some x86 processors
    incorrectly handle SWAPGS instructions during speculative execution. A
    local attacker could use this to expose sensitive information (kernel
    memory). (CVE-2019-1125)
    
    It was discovered that the PowerPC dlpar implementation in the Linux
    kernel did not properly check for allocation errors in some
    situations. A local attacker could possibly use this to cause a denial
    of service (system crash). (CVE-2019-12614)
    
    It was discovered that a NULL pointer dereference vulnerabilty existed
    in the Near-field communication (NFC) implementation in the Linux
    kernel. An attacker could use this to cause a denial of service
    (system crash). (CVE-2019-12818)
    
    It was discovered that the MDIO bus devices subsystem in the Linux
    kernel improperly dropped a device reference in an error condition,
    leading to a use-after-free. An attacker could use this to cause a
    denial of service (system crash). (CVE-2019-12819)
    
    It was discovered that a NULL pointer dereference vulnerability
    existed in the Near-field communication (NFC) implementation in the
    Linux kernel. A local attacker could use this to cause a denial of
    service (system crash). (CVE-2019-12984)
    
    Jann Horn discovered a use-after-free vulnerability in the Linux
    kernel when accessing LDT entries in some situations. A local attacker
    could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2019-13233)
    
    Jann Horn discovered that the ptrace implementation in the Linux
    kernel did not properly record credentials in some situations. A local
    attacker could use this to cause a denial of service (system crash) or
    possibly gain administrative privileges. (CVE-2019-13272)
    
    It was discovered that the Empia EM28xx DVB USB device driver
    implementation in the Linux kernel contained a use-after-free
    vulnerability when disconnecting the device. An attacker could use
    this to cause a denial of service (system crash). (CVE-2019-2024)
    
    It was discovered that the USB video device class implementation in
    the Linux kernel did not properly validate control bits, resulting in
    an out of bounds buffer read. A local attacker could use this to
    possibly expose sensitive information (kernel memory). (CVE-2019-2101)
    
    It was discovered that the Marvell Wireless LAN device driver in the
    Linux kernel did not properly validate the BSS descriptor. A local
    attacker could possibly use this to cause a denial of service (system
    crash) or possibly execute arbitrary code. (CVE-2019-3846)
    
    It was discovered that the Appletalk IP encapsulation driver in the
    Linux kernel did not properly prevent kernel addresses from being
    copied to user space. A local attacker with the CAP_NET_ADMIN
    capability could use this to expose sensitive information.
    (CVE-2018-20511).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4094-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3846");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-4.15");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13098", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14609", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14615", "CVE-2018-14616", "CVE-2018-14617", "CVE-2018-16862", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-20856", "CVE-2018-5383", "CVE-2019-10126", "CVE-2019-1125", "CVE-2019-12614", "CVE-2019-12818", "CVE-2019-12819", "CVE-2019-12984", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-2024", "CVE-2019-2101", "CVE-2019-3846");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-4094-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1021-oracle", pkgver:"4.15.0-1021.23~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1040-gcp", pkgver:"4.15.0-1040.42~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1055-azure", pkgver:"4.15.0-1055.60")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-58-generic", pkgver:"4.15.0-58.64~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-58-generic-lpae", pkgver:"4.15.0-58.64~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-58-lowlatency", pkgver:"4.15.0-58.64~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-azure", pkgver:"4.15.0.1055.58")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gcp", pkgver:"4.15.0.1040.54")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-hwe-16.04", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-lpae-hwe-16.04", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gke", pkgver:"4.15.0.1040.54")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-lowlatency-hwe-16.04", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-oem", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-oracle", pkgver:"4.15.0.1021.15")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-virtual-hwe-16.04", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1021-oracle", pkgver:"4.15.0-1021.23")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1040-gcp", pkgver:"4.15.0-1040.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1040-gke", pkgver:"4.15.0-1040.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1042-kvm", pkgver:"4.15.0-1042.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1043-raspi2", pkgver:"4.15.0-1043.46")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1050-oem", pkgver:"4.15.0-1050.57")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1060-snapdragon", pkgver:"4.15.0-1060.66")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-58-generic", pkgver:"4.15.0-58.64")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-58-generic-lpae", pkgver:"4.15.0-58.64")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-58-lowlatency", pkgver:"4.15.0-58.64")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gcp", pkgver:"4.15.0.1040.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic", pkgver:"4.15.0.58.60")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic-lpae", pkgver:"4.15.0.58.60")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gke", pkgver:"4.15.0.1040.43")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gke-4.15", pkgver:"4.15.0.1040.43")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-kvm", pkgver:"4.15.0.1042.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-lowlatency", pkgver:"4.15.0.58.60")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oem", pkgver:"4.15.0.1050.54")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oracle", pkgver:"4.15.0.1021.24")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-raspi2", pkgver:"4.15.0.1043.41")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-snapdragon", pkgver:"4.15.0.1060.63")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-virtual", pkgver:"4.15.0.58.60")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.15-azure / linux-image-4.15-gcp / etc");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-4270.NASL
    descriptionDescription of changes: [4.14.35-1818.4.5.el7uek] - x86/intel/spectre_v2: Remove unnecessary retp_compiler() test (Boris Ostrovsky) [Orabug: 28814574] - x86/intel/spectre_v4: Deprecate spec_store_bypass_disable=userspace (Boris Ostrovsky) [Orabug: 28814574] - x86/speculation: x86_spec_ctrl_set needs to be called unconditionally (Boris Ostrovsky) [Orabug: 28814574] - x86/speculation: Drop unused DISABLE_IBRS_CLOBBER macro (Boris Ostrovsky) [Orabug: 28814574] - x86/intel/spectre_v4: Keep SPEC_CTRL_SSBD when IBRS is in use (Boris Ostrovsky) [Orabug: 28814574] [4.14.35-1818.4.4.el7uek] - ocfs2: fix ocfs2 read block panic (Junxiao Bi) [Orabug: 28821391] - scsi: sg: mitigate read/write abuse (Jann Horn) [Orabug: 28824731] {CVE-2017-13168} - hugetlbfs: introduce truncation/fault mutex to avoid races (Mike Kravetz) [Orabug: 28776542] - rds: MPRDS messages delivered out of order (Ka-Cheong Poon) [Orabug: 28838051] - x86/bugs: rework x86_spec_ctrl_set to make its changes explicit (Daniel Jordan) [Orabug: 28270952] - x86/bugs: rename ssbd_ibrs_selected to ssbd_userspace_selected (Daniel Jordan) [Orabug: 28270952] - x86/bugs: x86_spec_ctrl_set may not disable IBRS on kernel idle (Daniel Jordan) [Orabug: 28270952] - x86/bugs: always use x86_spec_ctrl_base or _priv when setting spec ctrl MSR (Daniel Jordan) [Orabug: 28270952] - iommu: turn on iommu=pt by default (Tushar Dave) [Orabug: 28111039] - vhost/scsi: Use common handling code in request queue handler (Bijan Mottahedeh) [Orabug: 28775556] - vhost/scsi: Extract common handling code from control queue handler (Bijan Mottahedeh) [Orabug: 28775556] - vhost/scsi: Respond to control queue operations (Bijan Mottahedeh) [Orabug: 28775556] [4.14.35-1818.4.3.el7uek] - Fix error code in nfs_lookup_verify_inode() (Lance Shelton) [Orabug: 28807515] - x86/speculation: Retpoline should always be available on Skylake (Alexandre Chartre) [Orabug: 28801830] - x86/bugs: ssbd_ibrs_selected called prematurely (Daniel Jordan) [Orabug: 28802799] - net/mlx4_core: print firmware version during driver loading (Qing Huang) [Orabug: 28809382] - hugetlbfs: dirty pages as they are added to pagecache (Mike Kravetz) [Orabug: 28813999] [4.14.35-1818.4.2.el7uek] - infiniband: fix a possible use-after-free bug (Cong Wang) [Orabug: 28774511] {CVE-2018-14734} - nfs: fix a deadlock in nfs client initialization (Scott Mayhew) [Orabug: 28775910] - x86/speculation: Unconditionally fill RSB on context switch (Alejandro Jimenez) [Orabug: 28631576] {CVE-2018-15572} - bnxt_re: Implement the shutdown hook of the L2-RoCE driver interface (Somnath Kotur) [Orabug: 28539344] - rds: RDS (tcp) hangs on sendto() to unresponding address (Ka-Cheong Poon) [Orabug: 28762597] - uek-rpm: aarch64 some XGENE drivers must be be modules (Tom Saeger) [Orabug: 28769119] - arm64: KVM: Sanitize PSTATE.M when being set from userspace (Marc Zyngier) [Orabug: 28762424] {CVE-2018-18021} - arm64: KVM: Tighten guest core register access from userspace (Dave Martin) [Orabug: 28762424] {CVE-2018-18021} - iommu/amd: Clear memory encryption mask from physical address (Singh, Brijesh) [Orabug: 28770185] [4.14.35-1818.4.1.el7uek] - mm: get rid of vmacache_flush_all() entirely (Linus Torvalds) [Orabug: 28700955] {CVE-2018-17182} - Btrfs: fix log replay failure after unlink and link combination (Filipe Manana) [Orabug: 27941939] - x86/speculation: Add sysfs entry to enable/disable retpoline (Alexandre Chartre) [Orabug: 28753851] - x86/speculation: Allow IBRS firmware to be enabled when IBRS is disabled (Alexandre Chartre) [Orabug: 28753851] - x86/speculation: Remove unnecessary retpoline alternatives (Alexandre Chartre) [Orabug: 28753851] - x86/speculation: Use static key to enable/disable retpoline (Alexandre Chartre) [Orabug: 28753851] - bnxt_en: Fix memory fault in bnxt_ethtool_init() (Vasundhara Volam) [Orabug: 28632641] - IB/core: Initialize relaxed_pd properly (Yuval Shaia) [Orabug: 28197305] [4.14.35-1818.4.0.el7uek] - e1000e: Fix link check race condition (Benjamin Poirier) [Orabug: 28489384] - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id118861
    published2018-11-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118861
    titleOracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4270)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2018-4270.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118861);
      script_version("1.9");
      script_cvs_date("Date: 2019/09/27 13:00:39");
    
      script_cve_id("CVE-2017-13168", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14734", "CVE-2018-15572", "CVE-2018-17182", "CVE-2018-18021");
    
      script_name(english:"Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4270)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    [4.14.35-1818.4.5.el7uek]
    - x86/intel/spectre_v2: Remove unnecessary retp_compiler() test (Boris 
    Ostrovsky)  [Orabug: 28814574]
    - x86/intel/spectre_v4: Deprecate spec_store_bypass_disable=userspace 
    (Boris Ostrovsky)  [Orabug: 28814574]
    - x86/speculation: x86_spec_ctrl_set needs to be called unconditionally 
    (Boris Ostrovsky)  [Orabug: 28814574]
    - x86/speculation: Drop unused DISABLE_IBRS_CLOBBER macro (Boris 
    Ostrovsky)  [Orabug: 28814574]
    - x86/intel/spectre_v4: Keep SPEC_CTRL_SSBD when IBRS is in use (Boris 
    Ostrovsky)  [Orabug: 28814574]
    
    [4.14.35-1818.4.4.el7uek]
    - ocfs2: fix ocfs2 read block panic (Junxiao Bi)  [Orabug: 28821391]
    - scsi: sg: mitigate read/write abuse (Jann Horn)  [Orabug: 28824731] 
    {CVE-2017-13168}
    - hugetlbfs: introduce truncation/fault mutex to avoid races (Mike 
    Kravetz)  [Orabug: 28776542]
    - rds: MPRDS messages delivered out of order (Ka-Cheong Poon)  [Orabug: 
    28838051]
    - x86/bugs: rework x86_spec_ctrl_set to make its changes explicit 
    (Daniel Jordan)  [Orabug: 28270952]
    - x86/bugs: rename ssbd_ibrs_selected to ssbd_userspace_selected (Daniel 
    Jordan)  [Orabug: 28270952]
    - x86/bugs: x86_spec_ctrl_set may not disable IBRS on kernel idle 
    (Daniel Jordan)  [Orabug: 28270952]
    - x86/bugs: always use x86_spec_ctrl_base or _priv when setting spec 
    ctrl MSR (Daniel Jordan)  [Orabug: 28270952]
    - iommu: turn on iommu=pt by default (Tushar Dave)  [Orabug: 28111039]
    - vhost/scsi: Use common handling code in request queue handler (Bijan 
    Mottahedeh)  [Orabug: 28775556]
    - vhost/scsi: Extract common handling code from control queue handler 
    (Bijan Mottahedeh)  [Orabug: 28775556]
    - vhost/scsi: Respond to control queue operations (Bijan Mottahedeh) 
    [Orabug: 28775556]
    
    [4.14.35-1818.4.3.el7uek]
    - Fix error code in nfs_lookup_verify_inode() (Lance Shelton)  [Orabug: 
    28807515]
    - x86/speculation: Retpoline should always be available on Skylake 
    (Alexandre Chartre)  [Orabug: 28801830]
    - x86/bugs: ssbd_ibrs_selected called prematurely (Daniel Jordan) 
    [Orabug: 28802799]
    - net/mlx4_core: print firmware version during driver loading (Qing 
    Huang)  [Orabug: 28809382]
    - hugetlbfs: dirty pages as they are added to pagecache (Mike Kravetz) 
    [Orabug: 28813999]
    
    [4.14.35-1818.4.2.el7uek]
    - infiniband: fix a possible use-after-free bug (Cong Wang)  [Orabug: 
    28774511]  {CVE-2018-14734}
    - nfs: fix a deadlock in nfs client initialization (Scott Mayhew) 
    [Orabug: 28775910]
    - x86/speculation: Unconditionally fill RSB on context switch (Alejandro 
    Jimenez)  [Orabug: 28631576]  {CVE-2018-15572}
    - bnxt_re: Implement the shutdown hook of the L2-RoCE driver interface 
    (Somnath Kotur)  [Orabug: 28539344]
    - rds: RDS (tcp) hangs on sendto() to unresponding address (Ka-Cheong 
    Poon)  [Orabug: 28762597]
    - uek-rpm: aarch64 some XGENE drivers must be be modules (Tom Saeger) 
    [Orabug: 28769119]
    - arm64: KVM: Sanitize PSTATE.M when being set from userspace (Marc 
    Zyngier)  [Orabug: 28762424]  {CVE-2018-18021}
    - arm64: KVM: Tighten guest core register access from userspace (Dave 
    Martin)  [Orabug: 28762424]  {CVE-2018-18021}
    - iommu/amd: Clear memory encryption mask from physical address (Singh, 
    Brijesh)  [Orabug: 28770185]
    
    [4.14.35-1818.4.1.el7uek]
    - mm: get rid of vmacache_flush_all() entirely (Linus Torvalds) 
    [Orabug: 28700955]  {CVE-2018-17182}
    - Btrfs: fix log replay failure after unlink and link combination 
    (Filipe Manana)  [Orabug: 27941939]
    - x86/speculation: Add sysfs entry to enable/disable retpoline 
    (Alexandre Chartre)  [Orabug: 28753851]
    - x86/speculation: Allow IBRS firmware to be enabled when IBRS is 
    disabled (Alexandre Chartre)  [Orabug: 28753851]
    - x86/speculation: Remove unnecessary retpoline alternatives (Alexandre 
    Chartre)  [Orabug: 28753851]
    - x86/speculation: Use static key to enable/disable retpoline (Alexandre 
    Chartre)  [Orabug: 28753851]
    - bnxt_en: Fix memory fault in bnxt_ethtool_init() (Vasundhara Volam) 
    [Orabug: 28632641]
    - IB/core: Initialize relaxed_pd properly (Yuval Shaia)  [Orabug: 28197305]
    
    [4.14.35-1818.4.0.el7uek]
    - e1000e: Fix link check race condition (Benjamin Poirier)  [Orabug: 
    28489384]
    - Revert 'e1000e: Separate signaling for link check/link up' (Benjamin 
    Poirier)  [Orabug: 28489384]
    - e1000e: Avoid missed interrupts following ICR read (Benjamin Poirier) 
    [Orabug: 28489384]
    - e1000e: Fix queue interrupt re-raising in Other interrupt (Benjamin 
    Poirier)  [Orabug: 28489384]
    - Partial revert 'e1000e: Avoid receiver overrun interrupt bursts' 
    (Benjamin Poirier)  [Orabug: 28489384]
    - e1000e: Remove Other from EIAC (Benjamin Poirier)  [Orabug: 28489384]
    - btrfs: validate type when reading a chunk (Gu Jinxiang)  [Orabug: 
    28700851]  {CVE-2018-14611}
    - btrfs: Check that each block group has corresponding chunk at mount 
    time (Qu Wenruo)  [Orabug: 28700872]  {CVE-2018-14610}
    - net: rds: Use address family to designate IPv4 or IPv6 addresses 
    (H&aring kon Bugge)  [Orabug: 28720069]
    - net: rds: Fix blank at eol in af_rds.c (H&aring kon Bugge)  [Orabug: 28720069]"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2018-November/008249.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-13168", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14734", "CVE-2018-15572", "CVE-2018-17182", "CVE-2018-18021");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2018-4270");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "4.14";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.14.35-1818.4.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.14.35-1818.4.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.14.35-1818.4.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.14.35-1818.4.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.14.35-1818.4.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-tools-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-tools-4.14.35-1818.4.5.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1715.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-18249 A race condition was discovered in the disk space allocator of F2FS. A user with access to an F2FS volume could use this to cause a denial of service or other security impact. CVE-2018-1128, CVE-2018-1129 The cephx authentication protocol used by Ceph was susceptible to replay attacks, and calculated signatures incorrectly. These vulnerabilities in the server required changes to authentication that are incompatible with existing clients. The kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id122879
    published2019-03-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122879
    titleDebian DLA-1715-1 : linux-4.9 security update (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1715-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122879);
      script_version("1.4");
      script_cvs_date("Date: 2020/02/05");
    
      script_cve_id("CVE-2017-18249", "CVE-2018-1128", "CVE-2018-1129", "CVE-2018-12896", "CVE-2018-13053", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13100", "CVE-2018-13406", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14616", "CVE-2018-15471", "CVE-2018-16862", "CVE-2018-17972", "CVE-2018-18281", "CVE-2018-18690", "CVE-2018-18710", "CVE-2018-19407", "CVE-2018-3639", "CVE-2018-5391", "CVE-2018-5848", "CVE-2018-6554");
    
      script_name(english:"Debian DLA-1715-1 : linux-4.9 security update (Spectre)");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.
    
    CVE-2017-18249
    
    A race condition was discovered in the disk space allocator of F2FS. A
    user with access to an F2FS volume could use this to cause a denial of
    service or other security impact.
    
    CVE-2018-1128, CVE-2018-1129
    
    The cephx authentication protocol used by Ceph was susceptible to
    replay attacks, and calculated signatures incorrectly. These
    vulnerabilities in the server required changes to authentication that
    are incompatible with existing clients. The kernel's client code has
    now been updated to be compatible with the fixed server.
    
    CVE-2018-3639 (SSB)
    
    Multiple researchers have discovered that Speculative Store Bypass
    (SSB), a feature implemented in many processors, could be used to read
    sensitive information from another context. In particular, code in a
    software sandbox may be able to read sensitive information from
    outside the sandbox. This issue is also known as Spectre variant 4.
    
    This update adds a further mitigation for this issue in the
    eBPF (Extended Berkeley Packet Filter) implementation.
    
    CVE-2018-5391 (FragmentSmack)
    
    Juha-Matti Tilli discovered a flaw in the way the Linux kernel handled
    reassembly of fragmented IPv4 and IPv6 packets. A remote attacker can
    take advantage of this flaw to trigger time and calculation expensive
    fragment reassembly algorithms by sending specially crafted packets,
    leading to remote denial of service.
    
    This was previously mitigated by reducing the default limits
    on memory usage for incomplete fragmented packets. This
    update replaces that mitigation with a more complete fix.
    
    CVE-2018-5848
    
    The wil6210 wifi driver did not properly validate lengths in scan and
    connection requests, leading to a possible buffer overflow. On systems
    using this driver, a local user with the CAP_NET_ADMIN capability
    could use this for denial of service (memory corruption or crash) or
    potentially for privilege escalation.
    
    CVE-2018-12896, CVE-2018-13053
    
    Team OWL337 reported possible integer overflows in the POSIX timer
    implementation. These might have some security impact.
    
    CVE-2018-13096, CVE-2018-13097, CVE-2018-13100, CVE-2018-14614,
    CVE-2018-14616
    
    Wen Xu from SSLab at Gatech reported that crafted F2FS volumes could
    trigger a crash (BUG, Oops, or division by zero) and/or out-of-bounds
    memory access. An attacker able to mount such a volume could use this
    to cause a denial of service or possibly for privilege escalation.
    
    CVE-2018-13406
    
    Dr Silvio Cesare of InfoSect reported a potential integer overflow in
    the uvesafb driver. A user with permission to access such a device
    might be able to use this for denial of service or privilege
    escalation.
    
    CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613
    
    Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes could
    trigger a crash (Oops) and/or out-of-bounds memory access. An attacker
    able to mount such a volume could use this to cause a denial of
    service or possibly for privilege escalation.
    
    CVE-2018-15471 ((XSA-270)
    
    Felix Wilhelm of Google Project Zero discovered a flaw in the hash
    handling of the xen-netback Linux kernel module. A malicious or buggy
    frontend may cause the (usually privileged) backend to make out of
    bounds memory accesses, potentially resulting in privilege escalation,
    denial of service, or information leaks.
    
    https://xenbits.xen.org/xsa/advisory-270.html
    
    CVE-2018-16862
    
    Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team
    discovered that the cleancache memory management feature did not
    invalidate cached data for deleted files. On Xen guests using the tmem
    driver, local users could potentially read data from other users'
    deleted files if they were able to create new files on the same
    volume.
    
    CVE-2018-17972
    
    Jann Horn reported that the /proc/*/stack files in procfs leaked
    sensitive data from the kernel. These files are now only readable by
    users with the CAP_SYS_ADMIN capability (usually only root)
    
    CVE-2018-18281
    
    Jann Horn reported a race condition in the virtual memory manager that
    can result in a process briefly having access to memory after it is
    freed and reallocated. A local user could possibly exploit this for
    denial of service (memory corruption) or for privilege escalation.
    
    CVE-2018-18690
    
    Kanda Motohiro reported that XFS did not correctly handle some xattr
    (extended attribute) writes that require changing the disk format of
    the xattr. A user with access to an XFS volume could use this for
    denial of service.
    
    CVE-2018-18710
    
    It was discovered that the cdrom driver does not correctly validate
    the parameter to the CDROM_SELECT_DISC ioctl. A user with access to a
    cdrom device could use this to read sensitive information from the
    kernel or to cause a denial of service (crash).
    
    CVE-2018-19407
    
    Wei Wu reported a potential crash (Oops) in the KVM implementation for
    x86 processors. A user with access to /dev/kvm could use this for
    denial of service.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    4.9.144-3.1~deb8u1. This version also includes fixes for Debian bugs
    #890034, #896911, #907581, #915229, and #915231; and other fixes
    included in upstream stable updates.
    
    We recommend that you upgrade your linux-4.9 packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/linux-4.9"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://xenbits.xen.org/xsa/advisory-270.html"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-13406");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-4.9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-armel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-armhf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-i386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-common-rt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-marvell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-rt-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-rt-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686-pae-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-amd64-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-marvell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-686-pae-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-amd64-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-kbuild-4.9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-4.9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-perf-4.9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-4.9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-4.9.0-0.bpo.7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/18");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-arm", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-doc-4.9", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-686", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-686-pae", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-amd64", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-armel", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-armhf", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-i386", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-amd64", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-armmp", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-armmp-lpae", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-common", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-common-rt", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-marvell", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-rt-686-pae", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-rt-amd64", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-686", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-686-pae", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-686-pae-dbg", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-amd64", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-amd64-dbg", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-armmp", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-armmp-lpae", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-marvell", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-686-pae", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-686-pae-dbg", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-amd64", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-amd64-dbg", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-kbuild-4.9", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-manual-4.9", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-perf-4.9", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-source-4.9", reference:"4.9.144-3.1~deb8u1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-support-4.9.0-0.bpo.7", reference:"4.9.144-3.1~deb8u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-2241.NASL
    descriptionThis update is now available for all supported architectures. For reference the original advisory text follows. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2015-8839 A race condition was found in the ext4 filesystem implementation. A local user could exploit this to cause a denial of service (filesystem corruption). CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613 Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes could trigger a crash (Oops) and/or out-of-bounds memory access. An attacker able to mount such a volume could use this to cause a denial of service or possibly for privilege escalation. CVE-2019-5108 Mitchell Frank of Cisco discovered that when the IEEE 802.11 (WiFi) stack was used in AP mode with roaming, it would trigger roaming for a newly associated station before the station was authenticated. An attacker within range of the AP could use this to cause a denial of service, either by filling up a switching table or by redirecting traffic away from other stations. CVE-2019-19319 Jungyeon discovered that a crafted filesystem can cause the ext4 implementation to deallocate or reallocate journal blocks. A user permitted to mount filesystems could use this to cause a denial of service (crash), or possibly for privilege escalation. CVE-2019-19447 It was discovered that the ext4 filesystem driver did not safely handle unlinking of an inode that, due to filesystem corruption, already has a link count of 0. An attacker able to mount arbitrary ext4 volumes could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-19768 Tristan Madani reported a race condition in the blktrace debug facility that could result in a use-after-free. A local user able to trigger removal of block devices could possibly use this to cause a denial of service (crash) or for privilege escalation. CVE-2019-20636 The syzbot tool found that the input subsystem did not fully validate keycode changes, which could result in a heap out-of-bounds write. A local user permitted to access the device node for an input or VT device could possibly use this to cause a denial of service (crash or memory corruption) or for privilege escalation. CVE-2020-0009 Jann Horn reported that the Android ashmem driver did not prevent read-only files from being memory-mapped and then remapped as read-write. However, Android drivers are not enabled in Debian kernel configurations. CVE-2020-0543 Researchers at VU Amsterdam discovered that on some Intel CPUs supporting the RDRAND and RDSEED instructions, part of a random value generated by these instructions may be used in a later speculative execution on any core of the same physical CPU. Depending on how these instructions are used by applications, a local user or VM guest could use this to obtain sensitive information such as cryptographic keys from other users or VMs. This vulnerability can be mitigated by a microcode update, either as part of system firmware (BIOS) or through the intel-microcode package in Debian
    last seen2020-06-13
    modified2020-06-10
    plugin id137283
    published2020-06-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137283
    titleDebian DLA-2241-2 : linux security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-2241-2. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(137283);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2015-8839", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2019-19319", "CVE-2019-19447", "CVE-2019-19768", "CVE-2019-20636", "CVE-2019-5108", "CVE-2020-0009", "CVE-2020-0543", "CVE-2020-10690", "CVE-2020-10751", "CVE-2020-10942", "CVE-2020-11494", "CVE-2020-11565", "CVE-2020-11608", "CVE-2020-11609", "CVE-2020-11668", "CVE-2020-12114", "CVE-2020-12464", "CVE-2020-12652", "CVE-2020-12653", "CVE-2020-12654", "CVE-2020-12769", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13143", "CVE-2020-1749", "CVE-2020-2732", "CVE-2020-8647", "CVE-2020-8648", "CVE-2020-8649", "CVE-2020-9383");
    
      script_name(english:"Debian DLA-2241-2 : linux security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This update is now available for all supported architectures. For
    reference the original advisory text follows.
    
    Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.
    
    CVE-2015-8839
    
    A race condition was found in the ext4 filesystem implementation. A
    local user could exploit this to cause a denial of service (filesystem
    corruption).
    
    CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613
    
    Wen Xu from SSLab at Gatech reported that crafted Btrfs volumes could
    trigger a crash (Oops) and/or out-of-bounds memory access. An attacker
    able to mount such a volume could use this to cause a denial of
    service or possibly for privilege escalation.
    
    CVE-2019-5108
    
    Mitchell Frank of Cisco discovered that when the IEEE 802.11 (WiFi)
    stack was used in AP mode with roaming, it would trigger roaming for a
    newly associated station before the station was authenticated. An
    attacker within range of the AP could use this to cause a denial of
    service, either by filling up a switching table or by redirecting
    traffic away from other stations.
    
    CVE-2019-19319
    
    Jungyeon discovered that a crafted filesystem can cause the ext4
    implementation to deallocate or reallocate journal blocks. A user
    permitted to mount filesystems could use this to cause a denial of
    service (crash), or possibly for privilege escalation.
    
    CVE-2019-19447
    
    It was discovered that the ext4 filesystem driver did not safely
    handle unlinking of an inode that, due to filesystem corruption,
    already has a link count of 0. An attacker able to mount arbitrary
    ext4 volumes could use this to cause a denial of service (memory
    corruption or crash) or possibly for privilege escalation.
    
    CVE-2019-19768
    
    Tristan Madani reported a race condition in the blktrace debug
    facility that could result in a use-after-free. A local user able to
    trigger removal of block devices could possibly use this to cause a
    denial of service (crash) or for privilege escalation.
    
    CVE-2019-20636
    
    The syzbot tool found that the input subsystem did not fully validate
    keycode changes, which could result in a heap out-of-bounds write. A
    local user permitted to access the device node for an input or VT
    device could possibly use this to cause a denial of service (crash or
    memory corruption) or for privilege escalation.
    
    CVE-2020-0009
    
    Jann Horn reported that the Android ashmem driver did not prevent
    read-only files from being memory-mapped and then remapped as
    read-write. However, Android drivers are not enabled in Debian kernel
    configurations.
    
    CVE-2020-0543
    
    Researchers at VU Amsterdam discovered that on some Intel CPUs
    supporting the RDRAND and RDSEED instructions, part of a random value
    generated by these instructions may be used in a later speculative
    execution on any core of the same physical CPU. Depending on how these
    instructions are used by applications, a local user or VM guest could
    use this to obtain sensitive information such as cryptographic keys
    from other users or VMs.
    
    This vulnerability can be mitigated by a microcode update,
    either as part of system firmware (BIOS) or through the
    intel-microcode package in Debian's non-free archive
    section. This kernel update only provides reporting of the
    vulnerability and the option to disable the mitigation if it
    is not needed.
    
    CVE-2020-1749
    
    Xiumei Mu reported that some network protocols that can run on top of
    IPv6 would bypass the Transformation (XFRM) layer used by IPsec,
    IPcomp/IPcomp6, IPIP, and IPv6 Mobility. This could result in
    disclosure of information over the network, since it would not be
    encrypted or routed according to the system policy.
    
    CVE-2020-2732
    
    Paulo Bonzini discovered that the KVM implementation for Intel
    processors did not properly handle instruction emulation for L2 guests
    when nested virtualization is enabled. This could allow an L2 guest to
    cause privilege escalation, denial of service, or information leaks in
    the L1 guest.
    
    CVE-2020-8647, CVE-2020-8649
    
    The Hulk Robot tool found a potential MMIO out-of-bounds access in the
    vgacon driver. A local user permitted to access a virtual terminal
    (/dev/tty1 etc.) on a system using the vgacon driver could use this to
    cause a denial of service (crash or memory corruption) or possibly for
    privilege escalation.
    
    CVE-2020-8648
    
    The syzbot tool found a race condition in the the virtual terminal
    driver, which could result in a use-after-free. A local user permitted
    to access a virtual terminal could use this to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.
    
    CVE-2020-9383
    
    Jordy Zomer reported an incorrect range check in the floppy driver
    which could lead to a static out-of-bounds access. A local user
    permitted to access a floppy drive could use this to cause a denial of
    service (crash or memory corruption) or possibly for privilege
    escalation.
    
    CVE-2020-10690
    
    It was discovered that the PTP hardware clock subsystem did not
    properly manage device lifetimes. Removing a PTP hardware clock from
    the system while a user process was using it could lead to a
    use-after-free. The security impact of this is unclear.
    
    CVE-2020-10751
    
    Dmitry Vyukov reported that the SELinux subsystem did not properly
    handle validating multiple messages, which could allow a privileged
    attacker to bypass SELinux netlink restrictions.
    
    CVE-2020-10942
    
    It was discovered that the vhost_net driver did not properly validate
    the type of sockets set as back-ends. A local user permitted to access
    /dev/vhost-net could use this to cause a stack corruption via crafted
    system calls, resulting in denial of service (crash) or possibly
    privilege escalation.
    
    CVE-2020-11494
    
    It was discovered that the slcan (serial line CAN) network driver did
    not fully initialise CAN headers for received packets, resulting in an
    information leak from the kernel to user-space or over the CAN
    network.
    
    CVE-2020-11565
    
    Entropy Moe reported that the shared memory filesystem (tmpfs) did not
    correctly handle an 'mpol' mount option specifying an empty node list,
    leading to a stack-based out-of-bounds write. If user namespaces are
    enabled, a local user could use this to cause a denial of service
    (crash) or possibly for privilege escalation.
    
    CVE-2020-11608, CVE-2020-11609, CVE-2020-11668
    
    It was discovered that the ov519, stv06xx, and xirlink_cit media
    drivers did not properly validate USB device descriptors. A physically
    present user with a specially constructed USB device could use this to
    cause a denial of service (crash) or possibly for privilege
    escalation.
    
    CVE-2020-12114
    
    Piotr Krysiuk discovered a race condition between the umount and
    pivot_root operations in the filesystem core (vfs). A local user with
    the CAP_SYS_ADMIN capability in any user namespace could use this to
    cause a denial of service (crash).
    
    CVE-2020-12464
    
    Kyungtae Kim reported a race condition in the USB core that can result
    in a use-after-free. It is not clear how this can be exploited, but it
    could result in a denial of service (crash or memory corruption) or
    privilege escalation.
    
    CVE-2020-12652
    
    Tom Hatskevich reported a bug in the mptfusion storage drivers. An
    ioctl handler fetched a parameter from user memory twice, creating a
    race condition which could result in incorrect locking of internal
    data structures. A local user permitted to access /dev/mptctl could
    use this to cause a denial of service (crash or memory corruption) or
    for privilege escalation.
    
    CVE-2020-12653
    
    It was discovered that the mwifiex WiFi driver did not sufficiently
    validate scan requests, resulting a potential heap buffer overflow. A
    local user with CAP_NET_ADMIN capability could use this to cause a
    denial of service (crash or memory corruption) or possibly for
    privilege escalation.
    
    CVE-2020-12654
    
    It was discovered that the mwifiex WiFi driver did not sufficiently
    validate WMM parameters received from an access point (AP), resulting
    a potential heap buffer overflow. A malicious AP could use this to
    cause a denial of service (crash or memory corruption) or possibly to
    execute code on a vulnerable system.
    
    CVE-2020-12769
    
    It was discovered that the spi-dw SPI host driver did not properly
    serialise access to its internal state. The security impact of this is
    unclear, and this driver is not included in Debian's binary packages.
    
    CVE-2020-12770
    
    It was discovered that the sg (SCSI generic) driver did not correctly
    release internal resources in a particular error case. A local user
    permitted to access an sg device could possibly use this to cause a
    denial of service (resource exhaustion).
    
    CVE-2020-12826
    
    Adam Zabrocki reported a weakness in the signal subsystem's permission
    checks. A parent process can choose an arbitary signal for a child
    process to send when it exits, but if the parent has executed a new
    program then the default SIGCHLD signal is sent. A local user
    permitted to run a program for several days could bypass this check,
    execute a setuid program, and then send an arbitrary signal to it.
    Depending on the setuid programs installed, this could have some
    security impact.
    
    CVE-2020-13143
    
    Kyungtae Kim reported a potential heap out-of-bounds write in the USB
    gadget subsystem. A local user permitted to write to the gadget
    configuration filesystem could use this to cause a denial of service
    (crash or memory corruption) or potentially for privilege escalation.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    3.16.84-1.
    
    We recommend that you upgrade your linux packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2020/06/msg00013.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/linux"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-12464");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-586");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armhf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-i386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-ixp4xx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-kirkwood");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-orion5x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-586");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-ixp4xx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-kirkwood");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-orion5x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-libc-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-3.16.0-9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-linux-system-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/06/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.84-1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.84-1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1530.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.(CVE-2018-5750i1/4%0 - An issue was discovered in the btrfs filesystem code in the Linux kernel. A use-after-free is possible in try_merge_free_space() when mounting a crafted btrfs image due to a lack of chunk type flag checks in btrfs_check_chunk_valid() in the fs/btrfs/volumes.c function. This could lead to a denial of service or other unspecified impact.(CVE-2018-14611i1/4%0 - A flaw was found in the way the Linux kernel visor driver handles certain invalid USB device descriptors. The driver assumes that the device always has at least one bulk OUT endpoint. By using a specially crafted USB device (without a bulk OUT endpoint), an unprivileged user with physical access could trigger a kernel NULL-pointer dereference and cause a system panic (denial of service).(CVE-2015-7566i1/4%0 - It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel
    last seen2020-03-19
    modified2019-05-14
    plugin id124983
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124983
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1530)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124983);
      script_version("1.20");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2013-6380",
        "CVE-2014-4157",
        "CVE-2014-4654",
        "CVE-2014-9585",
        "CVE-2015-2041",
        "CVE-2015-7566",
        "CVE-2015-8956",
        "CVE-2016-5696",
        "CVE-2016-9588",
        "CVE-2017-14051",
        "CVE-2017-14106",
        "CVE-2017-15299",
        "CVE-2017-15868",
        "CVE-2017-16533",
        "CVE-2017-7616",
        "CVE-2017-9984",
        "CVE-2018-10880",
        "CVE-2018-13053",
        "CVE-2018-14611",
        "CVE-2018-5750"
      );
      script_bugtraq_id(
        63887,
        68083,
        68162,
        71990,
        72729
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1530)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c
        in the Linux kernel through 4.14.15 allows local users
        to obtain sensitive address information by reading
        dmesg data from an SBS HC printk call.(CVE-2018-5750i1/4%0
    
      - An issue was discovered in the btrfs filesystem code in
        the Linux kernel. A use-after-free is possible in
        try_merge_free_space() when mounting a crafted btrfs
        image due to a lack of chunk type flag checks in
        btrfs_check_chunk_valid() in the fs/btrfs/volumes.c
        function. This could lead to a denial of service or
        other unspecified impact.(CVE-2018-14611i1/4%0
    
      - A flaw was found in the way the Linux kernel visor
        driver handles certain invalid USB device descriptors.
        The driver assumes that the device always has at least
        one bulk OUT endpoint. By using a specially crafted USB
        device (without a bulk OUT endpoint), an unprivileged
        user with physical access could trigger a kernel
        NULL-pointer dereference and cause a system panic
        (denial of service).(CVE-2015-7566i1/4%0
    
      - It was found that the RFC 5961 challenge ACK rate
        limiting as implemented in the Linux kernel's
        networking subsystem allowed an off-path attacker to
        leak certain information about a given connection by
        creating congestion on the global challenge ACK rate
        limit counter and then measuring the changes by probing
        packets. An off-path attacker could use this flaw to
        either terminate TCP connection and/or inject payload
        into non-secured TCP connection between two endpoints
        on the network.(CVE-2016-5696i1/4%0
    
      - It was found that the Bluebooth Network Encapsulation
        Protocol (BNEP) implementation did not validate the
        type of second socket passed to the BNEPCONNADD
        ioctl(), which could lead to memory corruption. A local
        user with the CAP_NET_ADMIN capability can use this for
        denial of service (crash or data corruption) or
        possibly for privilege escalation. Due to the nature of
        the flaw, privilege escalation cannot be fully ruled
        out, although we feel it is unlikely.(CVE-2017-15868i1/4%0
    
      - A vulnerability was found in the key management
        subsystem of the Linux kernel. An update on an
        uninstantiated key could cause a kernel panic, leading
        to denial of service (DoS).(CVE-2017-15299i1/4%0
    
      - The rfcomm_sock_bind function in
        net/bluetooth/rfcomm/sock.c in the Linux kernel before
        4.2 allows local users to obtain sensitive information
        or cause a denial of service (NULL pointer dereference)
        via vectors involving a bind system call on a Bluetooth
        RFCOMM socket.(CVE-2015-8956i1/4%0
    
      - arch/mips/include/asm/thread_info.h in the Linux kernel
        before 3.14.8 on the MIPS platform does not configure
        _TIF_SECCOMP checks on the fast system-call path, which
        allows local users to bypass intended PR_SET_SECCOMP
        restrictions by executing a crafted application without
        invoking a trace or audit subsystem.(CVE-2014-4157i1/4%0
    
      - A flaw was found in the Linux kernel's ext4 filesystem
        code. A stack-out-of-bounds write in
        ext4_update_inline_data() is possible when mounting and
        writing to a crafted ext4 image. An attacker could use
        this to cause a system crash and a denial of
        service.(CVE-2018-10880i1/4%0
    
      - The aac_send_raw_srb function in
        drivers/scsi/aacraid/commctrl.c in the Linux kernel
        through 3.12.1 does not properly validate a certain
        size value, which allows local users to cause a denial
        of service (invalid pointer dereference) or possibly
        have unspecified other impact via an
        FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted
        SRB command.(CVE-2013-6380i1/4%0
    
      - Linux kernel built with the KVM visualization support
        (CONFIG_KVM), with nested visualization(nVMX) feature
        enabled(nested=1), is vulnerable to an uncaught
        exception issue. It could occur if an L2 guest was to
        throw an exception which is not handled by an L1
        guest.(CVE-2016-9588i1/4%0
    
      - A flaw was found in the alarm_timer_nsleep() function
        in kernel/time/alarmtimer.c in the Linux kernel. The
        ktime_add_safe() function is not used and an integer
        overflow can happen causing an alarm not to fire if
        using a large relative timeout.(CVE-2018-13053i1/4%0
    
      - net/llc/sysctl_net_llc.c in the Linux kernel before
        3.19 uses an incorrect data type in a sysctl table,
        which allows local users to obtain potentially
        sensitive information from kernel memory or possibly
        have unspecified other impact by accessing a sysctl
        entry.(CVE-2015-2041i1/4%0
    
      - Incorrect error handling in the set_mempolicy() and
        mbind() compat syscalls in 'mm/mempolicy.c' in the
        Linux kernel allows local users to obtain sensitive
        information from uninitialized stack data by triggering
        failure of a certain bitmap operation.(CVE-2017-7616i1/4%0
    
      - The snd_msnd_interrupt function in
        sound/isa/msnd/msnd_pinnacle.c in the Linux kernel
        through 4.11.7 allows local users to cause a denial of
        service (over-boundary access) or possibly have
        unspecified other impact by changing the value of a
        message queue head pointer between two kernel reads of
        that value, aka a 'double fetch'
        vulnerability.(CVE-2017-9984i1/4%0
    
      - An integer overflow was discovered in the
        qla2x00_sysfs_write_optrom_ctl function in
        drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel
        through 4.12.10. This flaw allows local users to cause
        a denial of service (memory corruption and system
        crash) by leveraging root access.(CVE-2017-14051i1/4%0
    
      - A use-after-free flaw was found in the way the Linux
        kernel's Advanced Linux Sound Architecture (ALSA)
        implementation handled user controls. A local,
        privileged user could use this flaw to crash the
        system.(CVE-2014-4654i1/4%0
    
      - An information leak flaw was found in the way the Linux
        kernel's Virtual Dynamic Shared Object (vDSO)
        implementation performed address randomization. A
        local, unprivileged user could use this flaw to leak
        kernel memory addresses to user-space.(CVE-2014-9585i1/4%0
    
      - The usbhid_parse function in
        drivers/hid/usbhid/hid-core.c in the Linux kernel,
        before 4.13.8, allows local users to cause a denial of
        service (out-of-bounds read and system crash) or
        possibly have unspecified other impact via a crafted
        USB device.(CVE-2017-16533i1/4%0
    
      - A divide-by-zero vulnerability was found in the
        __tcp_select_window function in the Linux kernel. This
        can result in a kernel panic causing a local denial of
        service.(CVE-2017-14106i1/4%0
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1530
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1b19f2a9");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9984");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.28-1.2.117",
            "kernel-devel-4.19.28-1.2.117",
            "kernel-headers-4.19.28-1.2.117",
            "kernel-tools-4.19.28-1.2.117",
            "kernel-tools-libs-4.19.28-1.2.117",
            "kernel-tools-libs-devel-4.19.28-1.2.117",
            "perf-4.19.28-1.2.117",
            "python-perf-4.19.28-1.2.117"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3932-2.NASL
    descriptionUSN-3932-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that a race condition existed in the f2fs file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18249) Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616) Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613) Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884) It was discovered that a use-after-free vulnerability existed in the PPP over L2TP implementation in the Linux kernel. A privileged local attacker could use this to possibly execute arbitrary code. (CVE-2018-9517) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id123681
    published2019-04-03
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123681
    titleUbuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3932-2)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3932-1.NASL
    descriptionIt was discovered that a race condition existed in the f2fs file system implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2017-18249) Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616) Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613) Vasily Averin and Evgenii Shatokhin discovered that a use-after-free vulnerability existed in the NFS41+ subsystem when multiple network namespaces are in use. A local attacker in a container could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16884) It was discovered that a use-after-free vulnerability existed in the PPP over L2TP implementation in the Linux kernel. A privileged local attacker could use this to possibly execute arbitrary code. (CVE-2018-9517) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id123680
    published2019-04-03
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123680
    titleUbuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3932-1)