Vulnerabilities > CVE-2018-14678 - Improper Initialization vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An issue was discovered in the Linux kernel through 4.17.11, as used in Xen through 4.11.x. The xen_failsafe_callback entry point in arch/x86/entry/entry_64.S does not properly maintain RBX, which allows local users to cause a denial of service (uninitialized memory usage and system crash). Within Xen, 64-bit x86 PV Linux guest OS users can trigger a guest OS crash or possibly gain privileges.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3931-1.NASL description M. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not properly set up all arguments to an error handler callback used when running as a paravirtualized guest. An unprivileged attacker in a paravirtualized guest VM could use this to cause a denial of service (guest VM crash). (CVE-2018-14678) It was discovered that the KVM implementation in the Linux kernel on ARM 64bit processors did not properly handle some ioctls. An attacker with the privilege to create KVM-based virtual machines could use this to cause a denial of service (host system crash) or execute arbitrary code in the host. (CVE-2018-18021) Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information. (CVE-2019-7308) It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912) It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 123678 published 2019-04-03 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123678 title Ubuntu 18.04 LTS : linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, (USN-3931-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3931-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(123678); script_version("1.6"); script_cvs_date("Date: 2020/01/27"); script_cve_id("CVE-2018-14678", "CVE-2018-18021", "CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-7308", "CVE-2019-8912", "CVE-2019-8980", "CVE-2019-9213"); script_xref(name:"USN", value:"3931-1"); script_name(english:"Ubuntu 18.04 LTS : linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, (USN-3931-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "M. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not properly set up all arguments to an error handler callback used when running as a paravirtualized guest. An unprivileged attacker in a paravirtualized guest VM could use this to cause a denial of service (guest VM crash). (CVE-2018-14678) It was discovered that the KVM implementation in the Linux kernel on ARM 64bit processors did not properly handle some ioctls. An attacker with the privilege to create KVM-based virtual machines could use this to cause a denial of service (host system crash) or execute arbitrary code in the host. (CVE-2018-18021) Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information. (CVE-2019-7308) It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912) It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3931-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8912"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-aws"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gcp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic-lpae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-lowlatency"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oracle"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-raspi2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-snapdragon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/28"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("ksplice.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 18.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2018-14678", "CVE-2018-18021", "CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-7308", "CVE-2019-8912", "CVE-2019-8980", "CVE-2019-9213"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3931-1"); } else { _ubuntu_report = ksplice_reporting_text(); } } flag = 0; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1010-oracle", pkgver:"4.15.0-1010.12")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1029-gcp", pkgver:"4.15.0-1029.31")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1031-kvm", pkgver:"4.15.0-1031.31")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1033-raspi2", pkgver:"4.15.0-1033.35")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1035-aws", pkgver:"4.15.0-1035.37")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1035-oem", pkgver:"4.15.0-1035.40")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-47-generic", pkgver:"4.15.0-47.50")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-47-generic-lpae", pkgver:"4.15.0-47.50")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-47-lowlatency", pkgver:"4.15.0-47.50")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-47-snapdragon", pkgver:"4.15.0-47.50")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-aws", pkgver:"4.15.0.1035.34")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gcp", pkgver:"4.15.0.1029.31")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic", pkgver:"4.15.0.47.49")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic-lpae", pkgver:"4.15.0.47.49")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gke", pkgver:"4.15.0.1029.31")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-kvm", pkgver:"4.15.0.1031.31")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-lowlatency", pkgver:"4.15.0.47.49")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oem", pkgver:"4.15.0.1035.40")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oracle", pkgver:"4.15.0.1010.13")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-raspi2", pkgver:"4.15.0.1033.31")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-snapdragon", pkgver:"4.15.0.47.49")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-virtual", pkgver:"4.15.0.47.49")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.15-aws / linux-image-4.15-gcp / etc"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4308.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2018-6554 A memory leak in the irda_bind function in the irda subsystem was discovered. A local user can take advantage of this flaw to cause a denial of service (memory consumption). - CVE-2018-6555 A flaw was discovered in the irda_setsockopt function in the irda subsystem, allowing a local user to cause a denial of service (use-after-free and system crash). - CVE-2018-7755 Brian Belleville discovered a flaw in the fd_locked_ioctl function in the floppy driver in the Linux kernel. The floppy driver copies a kernel pointer to user memory in response to the FDGETPRM ioctl. A local user with access to a floppy drive device can take advantage of this flaw to discover the location kernel code and data. - CVE-2018-9363 It was discovered that the Bluetooth HIDP implementation did not correctly check the length of received report messages. A paired HIDP device could use this to cause a buffer overflow, leading to denial of service (memory corruption or crash) or potentially remote code execution. - CVE-2018-9516 It was discovered that the HID events interface in debugfs did not correctly limit the length of copies to user buffers. A local user with access to these files could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. However, by default debugfs is only accessible by the root user. - CVE-2018-10902 It was discovered that the rawmidi kernel driver does not protect against concurrent access which leads to a double-realloc (double free) flaw. A local attacker can take advantage of this issue for privilege escalation. - CVE-2018-10938 Yves Younan from Cisco reported that the Cipso IPv4 module did not correctly check the length of IPv4 options. On custom kernels with CONFIG_NETLABEL enabled, a remote attacker could use this to cause a denial of service (hang). - CVE-2018-13099 Wen Xu from SSLab at Gatech reported a use-after-free bug in the F2FS implementation. An attacker able to mount a crafted F2FS volume could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. - CVE-2018-14609 Wen Xu from SSLab at Gatech reported a potential NULL pointer dereference in the F2FS implementation. An attacker able to mount a crafted F2FS volume could use this to cause a denial of service (crash). - CVE-2018-14617 Wen Xu from SSLab at Gatech reported a potential NULL pointer dereference in the HFS+ implementation. An attacker able to mount a crafted HFS+ volume could use this to cause a denial of service (crash). - CVE-2018-14633 Vincent Pelletier discovered a stack-based buffer overflow flaw in the chap_server_compute_md5() function in the iSCSI target code. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service or possibly to get a non-authorized access to data exported by an iSCSI target. - CVE-2018-14678 M. Vefa Bicakci and Andy Lutomirski discovered a flaw in the kernel exit code used on amd64 systems running as Xen PV guests. A local user could use this to cause a denial of service (crash). - CVE-2018-14734 A use-after-free bug was discovered in the InfiniBand communication manager. A local user could use this to cause a denial of service (crash or memory corruption) or possible for privilege escalation. - CVE-2018-15572 Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh, from University of California, Riverside, reported a variant of Spectre variant 2, dubbed SpectreRSB. A local user may be able to use this to read sensitive information from processes owned by other users. - CVE-2018-15594 Nadav Amit reported that some indirect function calls used in paravirtualised guests were vulnerable to Spectre variant 2. A local user may be able to use this to read sensitive information from the kernel. - CVE-2018-16276 Jann Horn discovered that the yurex driver did not correctly limit the length of copies to user buffers. A local user with access to a yurex device node could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. - CVE-2018-16658 It was discovered that the cdrom driver does not correctly validate the parameter to the CDROM_DRIVE_STATUS ioctl. A user with access to a cdrom device could use this to read sensitive information from the kernel or to cause a denial of service (crash). - CVE-2018-17182 Jann Horn discovered that the vmacache_flush_all function mishandles sequence number overflows. A local user can take advantage of this flaw to trigger a use-after-free, causing a denial of service (crash or memory corruption) or privilege escalation. last seen 2020-06-01 modified 2020-06-02 plugin id 117862 published 2018-10-02 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117862 title Debian DSA-4308-1 : linux - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4308. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(117862); script_version("1.7"); script_cvs_date("Date: 2019/07/15 14:20:30"); script_cve_id("CVE-2018-10902", "CVE-2018-10938", "CVE-2018-13099", "CVE-2018-14609", "CVE-2018-14617", "CVE-2018-14633", "CVE-2018-14678", "CVE-2018-14734", "CVE-2018-15572", "CVE-2018-15594", "CVE-2018-16276", "CVE-2018-16658", "CVE-2018-17182", "CVE-2018-6554", "CVE-2018-6555", "CVE-2018-7755", "CVE-2018-9363", "CVE-2018-9516"); script_xref(name:"DSA", value:"4308"); script_name(english:"Debian DSA-4308-1 : linux - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2018-6554 A memory leak in the irda_bind function in the irda subsystem was discovered. A local user can take advantage of this flaw to cause a denial of service (memory consumption). - CVE-2018-6555 A flaw was discovered in the irda_setsockopt function in the irda subsystem, allowing a local user to cause a denial of service (use-after-free and system crash). - CVE-2018-7755 Brian Belleville discovered a flaw in the fd_locked_ioctl function in the floppy driver in the Linux kernel. The floppy driver copies a kernel pointer to user memory in response to the FDGETPRM ioctl. A local user with access to a floppy drive device can take advantage of this flaw to discover the location kernel code and data. - CVE-2018-9363 It was discovered that the Bluetooth HIDP implementation did not correctly check the length of received report messages. A paired HIDP device could use this to cause a buffer overflow, leading to denial of service (memory corruption or crash) or potentially remote code execution. - CVE-2018-9516 It was discovered that the HID events interface in debugfs did not correctly limit the length of copies to user buffers. A local user with access to these files could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. However, by default debugfs is only accessible by the root user. - CVE-2018-10902 It was discovered that the rawmidi kernel driver does not protect against concurrent access which leads to a double-realloc (double free) flaw. A local attacker can take advantage of this issue for privilege escalation. - CVE-2018-10938 Yves Younan from Cisco reported that the Cipso IPv4 module did not correctly check the length of IPv4 options. On custom kernels with CONFIG_NETLABEL enabled, a remote attacker could use this to cause a denial of service (hang). - CVE-2018-13099 Wen Xu from SSLab at Gatech reported a use-after-free bug in the F2FS implementation. An attacker able to mount a crafted F2FS volume could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. - CVE-2018-14609 Wen Xu from SSLab at Gatech reported a potential NULL pointer dereference in the F2FS implementation. An attacker able to mount a crafted F2FS volume could use this to cause a denial of service (crash). - CVE-2018-14617 Wen Xu from SSLab at Gatech reported a potential NULL pointer dereference in the HFS+ implementation. An attacker able to mount a crafted HFS+ volume could use this to cause a denial of service (crash). - CVE-2018-14633 Vincent Pelletier discovered a stack-based buffer overflow flaw in the chap_server_compute_md5() function in the iSCSI target code. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service or possibly to get a non-authorized access to data exported by an iSCSI target. - CVE-2018-14678 M. Vefa Bicakci and Andy Lutomirski discovered a flaw in the kernel exit code used on amd64 systems running as Xen PV guests. A local user could use this to cause a denial of service (crash). - CVE-2018-14734 A use-after-free bug was discovered in the InfiniBand communication manager. A local user could use this to cause a denial of service (crash or memory corruption) or possible for privilege escalation. - CVE-2018-15572 Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh, from University of California, Riverside, reported a variant of Spectre variant 2, dubbed SpectreRSB. A local user may be able to use this to read sensitive information from processes owned by other users. - CVE-2018-15594 Nadav Amit reported that some indirect function calls used in paravirtualised guests were vulnerable to Spectre variant 2. A local user may be able to use this to read sensitive information from the kernel. - CVE-2018-16276 Jann Horn discovered that the yurex driver did not correctly limit the length of copies to user buffers. A local user with access to a yurex device node could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. - CVE-2018-16658 It was discovered that the cdrom driver does not correctly validate the parameter to the CDROM_DRIVE_STATUS ioctl. A user with access to a cdrom device could use this to read sensitive information from the kernel or to cause a denial of service (crash). - CVE-2018-17182 Jann Horn discovered that the vmacache_flush_all function mishandles sequence number overflows. A local user can take advantage of this flaw to trigger a use-after-free, causing a denial of service (crash or memory corruption) or privilege escalation." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-6554" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-6555" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-7755" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-9363" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-9516" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-10902" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-10938" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-13099" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-14609" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-14617" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-14633" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-14678" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-14734" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-15572" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-15594" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-16276" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-16658" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2018-17182" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/linux" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/linux" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2018/dsa-4308" ); script_set_attribute( attribute:"solution", value: "Upgrade the linux packages. For the stable distribution (stretch), these problems have been fixed in version 4.9.110-3+deb9u5." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/08"); script_set_attribute(attribute:"patch_publication_date", value:"2018/10/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/02"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"9.0", prefix:"hyperv-daemons", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"libcpupower-dev", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"libcpupower1", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"libusbip-dev", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-arm", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-s390", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-x86", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-cpupower", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-doc-4.9", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-4kc-malta", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-5kc-malta", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-686", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-686-pae", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-amd64", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-arm64", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-armel", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-armhf", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-i386", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mips", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mips64el", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mipsel", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-ppc64el", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-s390x", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-amd64", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-arm64", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-armmp", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-armmp-lpae", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-common", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-common-rt", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-loongson-3", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-marvell", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-octeon", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-powerpc64le", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-rt-686-pae", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-rt-amd64", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-s390x", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-4kc-malta", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-4kc-malta-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-5kc-malta", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-5kc-malta-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-pae", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-pae-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-amd64", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-amd64-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-arm64", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-arm64-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-lpae", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-lpae-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-loongson-3", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-loongson-3-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-marvell", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-marvell-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-octeon", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-octeon-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-powerpc64le", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-powerpc64le-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-686-pae", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-686-pae-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-amd64", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-amd64-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-s390x", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-s390x-dbg", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-kbuild-4.9", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-libc-dev", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-manual-4.9", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-perf-4.9", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-source-4.9", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"linux-support-4.9.0-9", reference:"4.9.110-3+deb9u5")) flag++; if (deb_check(release:"9.0", prefix:"usbip", reference:"4.9.110-3+deb9u5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4210.NASL description Description of changes: [4.1.12-124.19.1.el7uek] - x86/entry/64: Ensure %ebx handling correct in xen_failsafe_callback (George Kennedy) [Orabug: 28402927] {CVE-2018-14678} - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (Andi Kleen) [Orabug: 28488808] {CVE-2018-3620} - x86/speculation/l1tf: Suggest what to do on systems with too much RAM (Vlastimil Babka) [Orabug: 28488808] {CVE-2018-3620} - x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (Vlastimil Babka) [Orabug: 28488808] {CVE-2018-3620} - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (Vlastimil Babka) [Orabug: 28488808] {CVE-2018-3620} - x86/speculation/l1tf: Exempt zeroed PTEs from inversion (Sean Christopherson) [Orabug: 28488808] {CVE-2018-3620} - x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled (Guenter Roeck) [Orabug: 28488808] {CVE-2018-3620} - x86/spectre: Add missing family 6 check to microcode check (Andi Kleen) [Orabug: 28488808] {CVE-2018-3620} - KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled (Thomas Gleixner) [Orabug: 28488808] {CVE-2018-3646} - x86/microcode: Allow late microcode loading with SMT disabled (Josh Poimboeuf) [Orabug: 28488808] {CVE-2018-3620} - x86/microcode: Do not upload microcode if CPUs are offline (Ashok Raj) [Orabug: 28488808] {CVE-2018-3620} last seen 2020-06-01 modified 2020-06-02 plugin id 117378 published 2018-09-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117378 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4210) (Foreshadow) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4242.NASL description Description of changes: [4.14.35-1818.3.3.el7uek] - net: net_failover: fix typo in net_failover_slave_register() (Liran Alon) [Orabug: 28122110] - virtio_net: Extend virtio to use VF datapath when available (Sridhar Samudrala) [Orabug: 28122110] - virtio_net: Introduce VIRTIO_NET_F_STANDBY feature bit (Sridhar Samudrala) [Orabug: 28122110] - net: Introduce net_failover driver (Sridhar Samudrala) [Orabug: 28122110] - net: Introduce generic failover module (Sridhar Samudrala) [Orabug: 28122110] - IB/ipoib: Improve filtering log message (Yuval Shaia) [Orabug: 28655435] - IB/ipoib: Fix wrong update of arp_blocked counter (Yuval Shaia) [Orabug: 28655435] - IB/ipoib: Update RX counters after ACL filtering (Yuval Shaia) [Orabug: 28655435] - IB/ipoib: Filter RX packets before adding pseudo header (Yuval Shaia) [Orabug: 28655435] - dm crypt: add middle-endian variant of plain64 IV (Konrad Rzeszutek Wilk) [Orabug: 28604629] - uek-rpm: Disable deprecated CONFIG_ACPI_PROCFS_POWER (Victor Erminpour) [Orabug: 28644322] - net/rds: Fix call to sleeping function in a non-sleeping context (Hå kon Bugge) [Orabug: 28657397] - cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (Scott Bauer) [Orabug: 28664499] {CVE-2018-16658} - ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c (Seunghun Han) [Orabug: 28664576] {CVE-2017-13695} - usb: xhci: do not create and register shared_hcd when USB3.0 is disabled (Tung Nguyen) [Orabug: 28677854] [4.14.35-1818.3.2.el7uek] - hwmon: (k10temp) Display both Tctl and Tdie (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Use API function to access System Management Network (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Fix reading critical temperature register (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Add temperature offset for Ryzen 2700X (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Add support for temperature offsets (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Add support for family 17h (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Move chip specific code into probe function (Guenter Roeck) [Orabug: 28143470] - net/rds: make the source code clean (Zhu Yanjun) [Orabug: 28607913] - net/rds: Use rdma_read_gids to get connection SGID/DGID in IPv6 (Zhu Yanjun) [Orabug: 28607913] - net/rds: Use rdma_read_gids to read connection GIDs (Parav Pandit) [Orabug: 28607913] - posix-timers: Sanitize overrun handling (Thomas Gleixner) [Orabug: 28642970] {CVE-2018-12896} - crypto: ccp - Add support for new CCP/PSP device ID (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Support register differences between PSP devices (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Remove unused #defines (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Add psp enabled message when initialization succeeds (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Fix command completion detection race (Tom Lendacky) [Orabug: 28584386] - iommu/amd: Add support for IOMMU XT mode (Suravee Suthikulpanit) [Orabug: 28584386] - iommu/amd: Add support for higher 64-bit IOMMU Control Register (Suravee Suthikulpanit) [Orabug: 28584386] - x86: irq_remapping: Move irq remapping mode enum (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Fix LLC ID bit-shift calculation (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Derive CPU topology from CPUID function 0xB when available (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Calculate last level cache ID from number of sharing threads (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU: Rename intel_cacheinfo.c to cacheinfo.c (Borislav Petkov) [Orabug: 28584386] - perf/events/amd/uncore: Fix amd_uncore_llc ID to use pre-defined cpu_llc_id (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Have smp_num_siblings and cpu_llc_id always be present (Borislav Petkov) [Orabug: 28584386] [4.14.35-1818.3.1.el7uek] - arm64: vdso: fix clock_getres for 4GiB-aligned res (Mark Rutland) [Orabug: 28603375] - locking/qrwlock: Prevent slowpath writers getting held up by fastpath (Will Deacon) [Orabug: 28605196] - locking/qrwlock, arm64: Move rwlock implementation over to qrwlocks (Will Deacon) [Orabug: 28605196] - locking/qrwlock: Use atomic_cond_read_acquire() when spinning in qrwlock (Will Deacon) [Orabug: 28605196] - locking/atomic: Add atomic_cond_read_acquire() (Will Deacon) [Orabug: 28605196] - rds: CVE-2018-7492: Fix NULL pointer dereference in __rds_rdma_map (Hå kon Bugge) [Orabug: 28565429] {CVE-2018-7492} - irqchip/irq-bcm2836: Add support for DT interrupt polarity (Stefan Wahren) [Orabug: 28596168] - dt-bindings/bcm2836-l1-intc: Add interrupt polarity support (Stefan Wahren) [Orabug: 28596168] - dt-bindings/bcm283x: Define polarity of per-cpu interrupts (Stefan Wahren) [Orabug: 28596168] - x86/spec_ctrl: Only set SPEC_CTRL_IBRS_FIRMWARE if IBRS is actually in use (Patrick Colp) [Orabug: 28610695] [4.14.35-1818.2.2.el7uek] - x86/xen: Calculate __max_logical_packages on PV domains (Prarit Bhargava) [Orabug: 28476586] - x86/entry/64: Remove %ebx handling from error_entry/exit (Andy Lutomirski) [Orabug: 28402921] {CVE-2018-14678} - x86/pti: Don last seen 2020-06-01 modified 2020-06-02 plugin id 118053 published 2018-10-11 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118053 title Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4242) (Foreshadow) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-3084-1.NASL description The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes. CVE-2018-10853: A flaw was found in the way the KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest (bnc#1097104). CVE-2018-10876: A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (bnc#1099811) CVE-2018-10877: Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (bnc#1099846) CVE-2018-10878: A flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 118034 published 2018-10-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118034 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3084-1) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0254.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : Oracle VM Security Advisory OVMSA-2018-0254 The following updated rpms for Oracle VM 3.4 have been uploaded to the Unbreakable Linux Network : x86_64: kernel-uek-4.1.12-124.19.1.el6uek.x86_64.rpm kernel-uek-firmware-4.1.12-124.19.1.el6uek.noarch.rpm SRPMS : Description of changes : - x86/entry/64: Ensure %ebx handling correct in xen_failsafe_callback (George Kennedy) [Orabug: 28402927] (CVE-2018-14678) - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (Andi Kleen) [Orabug: 28488808] (CVE-2018-3620) - x86/speculation/l1tf: Suggest what to do on systems with too much RAM (Vlastimil Babka) [Orabug: 28488808] (CVE-2018-3620) - x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (Vlastimil Babka) [Orabug: 28488808] (CVE-2018-3620) - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit on 32bit (Vlastimil Babka) [Orabug: 28488808] (CVE-2018-3620) - x86/speculation/l1tf: Exempt zeroed PTEs from inversion (Sean Christopherson) [Orabug: 28488808] (CVE-2018-3620) - x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled (Guenter Roeck) [Orabug: 28488808] (CVE-2018-3620) - x86/spectre: Add missing family 6 check to microcode check (Andi Kleen) [Orabug: 28488808] (CVE-2018-3620) - KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host with interrupts disabled (Thomas Gleixner) [Orabug: 28488808] (CVE-2018-3646) - x86/microcode: Allow late microcode loading with SMT disabled (Josh Poimboeuf) [Orabug: 28488808] (CVE-2018-3620) - x86/microcode: Do not upload microcode if CPUs are offline (Ashok Raj) [Orabug: 28488808] (CVE-2018-3620) last seen 2020-06-01 modified 2020-06-02 plugin id 117377 published 2018-09-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117377 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0254) (Foreshadow) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1531.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2018-6554 A memory leak in the irda_bind function in the irda subsystem was discovered. A local user can take advantage of this flaw to cause a denial of service (memory consumption). CVE-2018-6555 A flaw was discovered in the irda_setsockopt function in the irda subsystem, allowing a local user to cause a denial of service (use-after-free and system crash). CVE-2018-7755 Brian Belleville discovered a flaw in the fd_locked_ioctl function in the floppy driver in the Linux kernel. The floppy driver copies a kernel pointer to user memory in response to the FDGETPRM ioctl. A local user with access to a floppy drive device can take advantage of this flaw to discover the location kernel code and data. CVE-2018-9363 It was discovered that the Bluetooth HIDP implementation did not correctly check the length of received report messages. A paired HIDP device could use this to cause a buffer overflow, leading to denial of service (memory corruption or crash) or potentially remote code execution. CVE-2018-9516 It was discovered that the HID events interface in debugfs did not correctly limit the length of copies to user buffers. A local user with access to these files could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. However, by default debugfs is only accessible by the root user. CVE-2018-10902 It was discovered that the rawmidi kernel driver does not protect against concurrent access which leads to a double-realloc (double free) flaw. A local attacker can take advantage of this issue for privilege escalation. CVE-2018-10938 Yves Younan from Cisco reported that the Cipso IPv4 module did not correctly check the length of IPv4 options. On custom kernels with CONFIG_NETLABEL enabled, a remote attacker could use this to cause a denial of service (hang). CVE-2018-13099 Wen Xu from SSLab at Gatech reported a use-after-free bug in the F2FS implementation. An attacker able to mount a crafted F2FS volume could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. CVE-2018-14609 Wen Xu from SSLab at Gatech reported a potential NULL pointer dereference in the F2FS implementation. An attacker able to mount arbitrary F2FS volumes could use this to cause a denial of service (crash). CVE-2018-14617 Wen Xu from SSLab at Gatech reported a potential NULL pointer dereference in the HFS+ implementation. An attacker able to mount arbitrary HFS+ volumes could use this to cause a denial of service (crash). CVE-2018-14633 Vincent Pelletier discovered a stack-based buffer overflow flaw in the chap_server_compute_md5() function in the iSCSI target code. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service or possibly to get a non-authorized access to data exported by an iSCSI target. CVE-2018-14678 M. Vefa Bicakci and Andy Lutomirski discovered a flaw in the kernel exit code used on amd64 systems running as Xen PV guests. A local user could use this to cause a denial of service (crash). CVE-2018-14734 A use-after-free bug was discovered in the InfiniBand communication manager. A local user could use this to cause a denial of service (crash or memory corruption) or possible for privilege escalation. CVE-2018-15572 Esmaiel Mohammadian Koruyeh, Khaled Khasawneh, Chengyu Song, and Nael Abu-Ghazaleh, from University of California, Riverside, reported a variant of Spectre variant 2, dubbed SpectreRSB. A local user may be able to use this to read sensitive information from processes owned by other users. CVE-2018-15594 Nadav Amit reported that some indirect function calls used in paravirtualised guests were vulnerable to Spectre variant 2. A local user may be able to use this to read sensitive information from the kernel. CVE-2018-16276 Jann Horn discovered that the yurex driver did not correctly limit the length of copies to user buffers. A local user with access to a yurex device node could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2018-16658 It was discovered that the cdrom driver does not correctly validate the parameter to the CDROM_DRIVE_STATUS ioctl. A user with access to a cdrom device could use this to read sensitive information from the kernel or to cause a denial of service (crash). CVE-2018-17182 Jann Horn discovered that the vmacache_flush_all function mishandles sequence number overflows. A local user can take advantage of this flaw to trigger a use-after-free, causing a denial of service (crash or memory corruption) or privilege escalation. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 117908 published 2018-10-04 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117908 title Debian DLA-1531-1 : linux-4.9 security update NASL family Fedora Local Security Checks NASL id FEDORA_2018-49BDA79BD5.NASL description The 4.17.11 stable update contains a number of important fixes across the tree. Also of note, starting with this release, kernel-headers is built from a different srpm. The contents should be the same, but there were some benefits to breaking it from the kernel build. ---- The 4.17.10 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-08-06 plugin id 111539 published 2018-08-06 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111539 title Fedora 27 : kernel / kernel-headers (2018-49bda79bd5) NASL family Fedora Local Security Checks NASL id FEDORA_2018-CC812838FB.NASL description The 4.17.11 stable update contains a number of important fixes across the tree. Also of note, starting with this release, kernel-headers is built from a different srpm. The contents should be the same, but there were some benefits to breaking it from the kernel build. ---- The 4.17.10 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120794 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120794 title Fedora 28 : kernel / kernel-headers (2018-cc812838fb) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3931-2.NASL description USN-3931-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS and for the Linux Azure kernel for Ubuntu 14.04 LTS. M. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not properly set up all arguments to an error handler callback used when running as a paravirtualized guest. An unprivileged attacker in a paravirtualized guest VM could use this to cause a denial of service (guest VM crash). (CVE-2018-14678) It was discovered that the KVM implementation in the Linux kernel on ARM 64bit processors did not properly handle some ioctls. An attacker with the privilege to create KVM-based virtual machines could use this to cause a denial of service (host system crash) or execute arbitrary code in the host. (CVE-2018-18021) Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information. (CVE-2019-7308) It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912) It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 123679 published 2019-04-03 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123679 title Ubuntu 14.04 LTS / 16.04 LTS : linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle (USN-3931-2)
References
- http://www.securityfocus.com/bid/104924
- http://www.securitytracker.com/id/1041397
- https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html
- https://usn.ubuntu.com/3931-1/
- https://usn.ubuntu.com/3931-2/
- https://www.debian.org/security/2018/dsa-4308
- https://xenbits.xen.org/xsa/advisory-274.html
- http://www.securityfocus.com/bid/104924
- https://xenbits.xen.org/xsa/advisory-274.html
- https://www.debian.org/security/2018/dsa-4308
- https://usn.ubuntu.com/3931-2/
- https://usn.ubuntu.com/3931-1/
- https://lists.debian.org/debian-lts-announce/2018/10/msg00003.html
- http://www.securitytracker.com/id/1041397