Vulnerabilities > CVE-2018-18021 - Improper Input Validation vulnerability in multiple products

047910
CVSS 7.1 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
linux
debian
canonical
CWE-20
nessus

Summary

arch/arm64/kvm/guest.c in KVM in the Linux kernel before 4.18.12 on the arm64 platform mishandles the KVM_SET_ON_REG ioctl. This is exploitable by attackers who can create virtual machines. An attacker can arbitrarily redirect the hypervisor flow of control (with full register control). An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return. This occurs because of insufficient restrictions on userspace access to the core register file, and because PSTATE.M validation does not prevent unintended execution modes.

Vulnerable Configurations

Part Description Count
OS
Linux
3708
OS
Debian
1
OS
Canonical
2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3931-1.NASL
    descriptionM. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not properly set up all arguments to an error handler callback used when running as a paravirtualized guest. An unprivileged attacker in a paravirtualized guest VM could use this to cause a denial of service (guest VM crash). (CVE-2018-14678) It was discovered that the KVM implementation in the Linux kernel on ARM 64bit processors did not properly handle some ioctls. An attacker with the privilege to create KVM-based virtual machines could use this to cause a denial of service (host system crash) or execute arbitrary code in the host. (CVE-2018-18021) Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information. (CVE-2019-7308) It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912) It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123678
    published2019-04-03
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123678
    titleUbuntu 18.04 LTS : linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, (USN-3931-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3931-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(123678);
      script_version("1.6");
      script_cvs_date("Date: 2020/01/27");
    
      script_cve_id("CVE-2018-14678", "CVE-2018-18021", "CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-7308", "CVE-2019-8912", "CVE-2019-8980", "CVE-2019-9213");
      script_xref(name:"USN", value:"3931-1");
    
      script_name(english:"Ubuntu 18.04 LTS : linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, (USN-3931-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "M. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not
    properly set up all arguments to an error handler callback used when
    running as a paravirtualized guest. An unprivileged attacker in a
    paravirtualized guest VM could use this to cause a denial of service
    (guest VM crash). (CVE-2018-14678)
    
    It was discovered that the KVM implementation in the Linux kernel on
    ARM 64bit processors did not properly handle some ioctls. An attacker
    with the privilege to create KVM-based virtual machines could use this
    to cause a denial of service (host system crash) or execute arbitrary
    code in the host. (CVE-2018-18021)
    
    Mathias Payer and Hui Peng discovered a use-after-free vulnerability
    in the Advanced Linux Sound Architecture (ALSA) subsystem. A
    physically proximate attacker could use this to cause a denial of
    service (system crash). (CVE-2018-19824)
    
    Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an
    information leak in the Bluetooth implementation of the Linux kernel.
    An attacker within Bluetooth range could use this to expose sensitive
    information (kernel memory). (CVE-2019-3459, CVE-2019-3460)
    
    Jann Horn discovered that the KVM implementation in the Linux kernel
    contained a use-after-free vulnerability. An attacker in a guest VM
    with access to /dev/kvm could use this to cause a denial of service
    (guest VM crash). (CVE-2019-6974)
    
    Jim Mattson and Felix Wilhelm discovered a use-after-free
    vulnerability in the KVM subsystem of the Linux kernel, when using
    nested virtual machines. A local attacker in a guest VM could use this
    to cause a denial of service (system crash) or possibly execute
    arbitrary code in the host system. (CVE-2019-7221)
    
    Felix Wilhelm discovered that an information leak vulnerability
    existed in the KVM subsystem of the Linux kernel, when nested
    virtualization is used. A local attacker could use this to expose
    sensitive information (host system memory to a guest VM).
    (CVE-2019-7222)
    
    Jann Horn discovered that the eBPF implementation in the Linux kernel
    was insufficiently hardened against Spectre V1 attacks. A local
    attacker could use this to expose sensitive information.
    (CVE-2019-7308)
    
    It was discovered that a use-after-free vulnerability existed in the
    user- space API for crypto (af_alg) implementation in the Linux
    kernel. A local attacker could use this to cause a denial of service
    (system crash) or possibly execute arbitrary code. (CVE-2019-8912)
    
    It was discovered that the Linux kernel did not properly deallocate
    memory when handling certain errors while reading files. A local
    attacker could use this to cause a denial of service (excessive memory
    consumption). (CVE-2019-8980)
    
    Jann Horn discovered that the mmap implementation in the Linux kernel
    did not properly check for the mmap minimum address in some
    situations. A local attacker could use this to assist exploiting a
    kernel NULL pointer dereference vulnerability. (CVE-2019-9213).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3931-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8912");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-14678", "CVE-2018-18021", "CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-7308", "CVE-2019-8912", "CVE-2019-8980", "CVE-2019-9213");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3931-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1010-oracle", pkgver:"4.15.0-1010.12")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1029-gcp", pkgver:"4.15.0-1029.31")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1031-kvm", pkgver:"4.15.0-1031.31")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1033-raspi2", pkgver:"4.15.0-1033.35")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1035-aws", pkgver:"4.15.0-1035.37")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1035-oem", pkgver:"4.15.0-1035.40")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-47-generic", pkgver:"4.15.0-47.50")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-47-generic-lpae", pkgver:"4.15.0-47.50")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-47-lowlatency", pkgver:"4.15.0-47.50")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-47-snapdragon", pkgver:"4.15.0-47.50")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-aws", pkgver:"4.15.0.1035.34")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gcp", pkgver:"4.15.0.1029.31")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic", pkgver:"4.15.0.47.49")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic-lpae", pkgver:"4.15.0.47.49")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gke", pkgver:"4.15.0.1029.31")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-kvm", pkgver:"4.15.0.1031.31")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-lowlatency", pkgver:"4.15.0.47.49")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oem", pkgver:"4.15.0.1035.40")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oracle", pkgver:"4.15.0.1010.13")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-raspi2", pkgver:"4.15.0.1033.31")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-snapdragon", pkgver:"4.15.0.47.49")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-virtual", pkgver:"4.15.0.47.49")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.15-aws / linux-image-4.15-gcp / etc");
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2018-1100.NASL
    descriptionAn issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task.(CVE-2018-17972) A vulnerability was discovered in the Linux kernel that allows an attacker to escalate privileges with using a 64-bit ARM architecture. A local attacker with permission to create KVM-based virtual machines can both panic the hypervisor by triggering an illegal exception return (resulting in a DoS) and to redirect execution elsewhere within the hypervisor with full register control, instead of causing a return to the guest.(CVE-2018-18021)
    last seen2020-06-01
    modified2020-06-02
    plugin id118832
    published2018-11-09
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118832
    titleAmazon Linux 2 : kernel (ALAS-2018-1100)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux 2 Security Advisory ALAS-2018-1100.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118832);
      script_version("1.3");
      script_cvs_date("Date: 2018/12/07  9:46:53");
    
      script_cve_id("CVE-2018-17972", "CVE-2018-18021");
      script_xref(name:"ALAS", value:"2018-1100");
    
      script_name(english:"Amazon Linux 2 : kernel (ALAS-2018-1100)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux 2 host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An issue was discovered in the proc_pid_stack function in
    fs/proc/base.c in the Linux kernel. An attacker with a local account
    can trick the stack unwinder code to leak stack contents to userspace.
    The fix allows only root to inspect the kernel stack of an arbitrary
    task.(CVE-2018-17972)
    
    A vulnerability was discovered in the Linux kernel that allows an
    attacker to escalate privileges with using a 64-bit ARM architecture.
    A local attacker with permission to create KVM-based virtual machines
    can both panic the hypervisor by triggering an illegal exception
    return (resulting in a DoS) and to redirect execution elsewhere within
    the hypervisor with full register control, instead of causing a return
    to the guest.(CVE-2018-18021)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/AL2/ALAS-2018-1100.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Run 'yum update kernel' and reboot your instance to update your
    system."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python-perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "2")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-4.14.77-80.57.amzn2")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-debuginfo-4.14.77-80.57.amzn2")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-4.14.77-80.57.amzn2")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-devel-4.14.77-80.57.amzn2")) flag++;
    if (rpm_check(release:"AL2", reference:"kernel-headers-4.14.77-80.57.amzn2")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-tools-4.14.77-80.57.amzn2")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-tools-debuginfo-4.14.77-80.57.amzn2")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-tools-devel-4.14.77-80.57.amzn2")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"perf-4.14.77-80.57.amzn2")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"perf-debuginfo-4.14.77-80.57.amzn2")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"python-perf-4.14.77-80.57.amzn2")) flag++;
    if (rpm_check(release:"AL2", cpu:"x86_64", reference:"python-perf-debuginfo-4.14.77-80.57.amzn2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debuginfo / kernel-debuginfo-common-x86_64 / etc");
    }
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2019-030-01.NASL
    descriptionNew kernel packages are available for Slackware 14.2 to fix security issues.
    last seen2020-03-17
    modified2019-01-31
    plugin id121505
    published2019-01-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121505
    titleSlackware 14.2 : Slackware 14.2 kernel (SSA:2019-030-01)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2019-030-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121505);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20");
    
      script_cve_id("CVE-2017-18241", "CVE-2017-18249", "CVE-2018-10880", "CVE-2018-1120", "CVE-2018-12896", "CVE-2018-13053", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14616", "CVE-2018-14633", "CVE-2018-16862", "CVE-2018-16884", "CVE-2018-17972", "CVE-2018-18021", "CVE-2018-18281", "CVE-2018-18690", "CVE-2018-18710", "CVE-2018-19824", "CVE-2018-19985", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-5848", "CVE-2018-7755", "CVE-2019-3701");
      script_xref(name:"SSA", value:"2019-030-01");
    
      script_name(english:"Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-030-01)");
      script_summary(english:"Checks for updated packages in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New kernel packages are available for Slackware 14.2 to fix security
    issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.842527
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0db5ea06"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-14633");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-firmware");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-generic-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-huge");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-huge-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-modules");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-modules-smp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-source");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"14.2", pkgname:"kernel-firmware", pkgver:"20190118_a8b75ca", pkgarch:"noarch", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-generic", pkgver:"4.4.172", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-generic-smp", pkgver:"4.4.172_smp", pkgarch:"i686", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-headers", pkgver:"4.4.172_smp", pkgarch:"x86", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-huge", pkgver:"4.4.172", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-huge-smp", pkgver:"4.4.172_smp", pkgarch:"i686", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-modules", pkgver:"4.4.172", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-modules-smp", pkgver:"4.4.172_smp", pkgarch:"i686", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", pkgname:"kernel-source", pkgver:"4.4.172_smp", pkgarch:"noarch", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-firmware", pkgver:"20190118_a8b75ca", pkgarch:"noarch", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-generic", pkgver:"4.4.172", pkgarch:"x86_64", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-headers", pkgver:"4.4.172", pkgarch:"x86", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-huge", pkgver:"4.4.172", pkgarch:"x86_64", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-modules", pkgver:"4.4.172", pkgarch:"x86_64", pkgnum:"1")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-source", pkgver:"4.4.172", pkgarch:"noarch", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-1100.NASL
    descriptionAn issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task.(CVE-2018-17972) A vulnerability was discovered in the Linux kernel that allows an attacker to escalate privileges with using a 64-bit ARM architecture. A local attacker with permission to create KVM-based virtual machines can both panic the hypervisor by triggering an illegal exception return (resulting in a DoS) and to redirect execution elsewhere within the hypervisor with full register control, instead of causing a return to the guest.(CVE-2018-18021)
    last seen2020-06-01
    modified2020-06-02
    plugin id118804
    published2018-11-08
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118804
    titleAmazon Linux AMI : kernel (ALAS-2018-1100)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2018-1100.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118804);
      script_version("1.3");
      script_cvs_date("Date: 2018/12/07  9:46:53");
    
      script_cve_id("CVE-2018-17972", "CVE-2018-18021");
      script_xref(name:"ALAS", value:"2018-1100");
    
      script_name(english:"Amazon Linux AMI : kernel (ALAS-2018-1100)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An issue was discovered in the proc_pid_stack function in
    fs/proc/base.c in the Linux kernel. An attacker with a local account
    can trick the stack unwinder code to leak stack contents to userspace.
    The fix allows only root to inspect the kernel stack of an arbitrary
    task.(CVE-2018-17972)
    
    A vulnerability was discovered in the Linux kernel that allows an
    attacker to escalate privileges with using a 64-bit ARM architecture.
    A local attacker with permission to create KVM-based virtual machines
    can both panic the hypervisor by triggering an illegal exception
    return (resulting in a DoS) and to redirect execution elsewhere within
    the hypervisor with full register control, instead of causing a return
    to the guest.(CVE-2018-18021)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2018-1100.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update kernel' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/08");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"kernel-4.14.77-69.57.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"kernel-debuginfo-4.14.77-69.57.amzn1")) flag++;
    if (rpm_check(release:"ALA", cpu:"i686", reference:"kernel-debuginfo-common-i686-4.14.77-69.57.amzn1")) flag++;
    if (rpm_check(release:"ALA", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-4.14.77-69.57.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"kernel-devel-4.14.77-69.57.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"kernel-headers-4.14.77-69.57.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"kernel-tools-4.14.77-69.57.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"kernel-tools-debuginfo-4.14.77-69.57.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"kernel-tools-devel-4.14.77-69.57.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"perf-4.14.77-69.57.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"perf-debuginfo-4.14.77-69.57.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debuginfo / kernel-debuginfo-common-i686 / etc");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-DDBACA855E.NASL
    descriptionThe 4.18.12 update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120848
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120848
    titleFedora 28 : kernel / kernel-headers (2018-ddbaca855e)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-ddbaca855e.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(120848);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-18021");
      script_xref(name:"FEDORA", value:"2018-ddbaca855e");
    
      script_name(english:"Fedora 28 : kernel / kernel-headers (2018-ddbaca855e)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The 4.18.12 update contains a number of important fixes across the
    tree.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-ddbaca855e"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel and / or kernel-headers packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-18021");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2018-ddbaca855e");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    if (rpm_check(release:"FC28", reference:"kernel-4.18.12-200.fc28")) flag++;
    if (rpm_check(release:"FC28", reference:"kernel-headers-4.18.12-200.fc28")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_NOTE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-headers");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-94315E9A6B.NASL
    descriptionThe 4.18.12 update contains a number of important fixes across the tree ---- The 4.18.11 update contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-10-11
    plugin id118047
    published2018-10-11
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118047
    titleFedora 27 : kernel / kernel-headers (2018-94315e9a6b)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-94315e9a6b.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118047);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-18021");
      script_xref(name:"FEDORA", value:"2018-94315e9a6b");
    
      script_name(english:"Fedora 27 : kernel / kernel-headers (2018-94315e9a6b)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The 4.18.12 update contains a number of important fixes across the
    tree
    
    ----
    
    The 4.18.11 update contains a number of important fixes across the
    tree
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-94315e9a6b"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel and / or kernel-headers packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-18021");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2018-94315e9a6b");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    if (rpm_check(release:"FC27", reference:"kernel-4.18.12-100.fc27")) flag++;
    if (rpm_check(release:"FC27", reference:"kernel-headers-4.18.12-100.fc27")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_NOTE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-headers");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-4270.NASL
    descriptionDescription of changes: [4.14.35-1818.4.5.el7uek] - x86/intel/spectre_v2: Remove unnecessary retp_compiler() test (Boris Ostrovsky) [Orabug: 28814574] - x86/intel/spectre_v4: Deprecate spec_store_bypass_disable=userspace (Boris Ostrovsky) [Orabug: 28814574] - x86/speculation: x86_spec_ctrl_set needs to be called unconditionally (Boris Ostrovsky) [Orabug: 28814574] - x86/speculation: Drop unused DISABLE_IBRS_CLOBBER macro (Boris Ostrovsky) [Orabug: 28814574] - x86/intel/spectre_v4: Keep SPEC_CTRL_SSBD when IBRS is in use (Boris Ostrovsky) [Orabug: 28814574] [4.14.35-1818.4.4.el7uek] - ocfs2: fix ocfs2 read block panic (Junxiao Bi) [Orabug: 28821391] - scsi: sg: mitigate read/write abuse (Jann Horn) [Orabug: 28824731] {CVE-2017-13168} - hugetlbfs: introduce truncation/fault mutex to avoid races (Mike Kravetz) [Orabug: 28776542] - rds: MPRDS messages delivered out of order (Ka-Cheong Poon) [Orabug: 28838051] - x86/bugs: rework x86_spec_ctrl_set to make its changes explicit (Daniel Jordan) [Orabug: 28270952] - x86/bugs: rename ssbd_ibrs_selected to ssbd_userspace_selected (Daniel Jordan) [Orabug: 28270952] - x86/bugs: x86_spec_ctrl_set may not disable IBRS on kernel idle (Daniel Jordan) [Orabug: 28270952] - x86/bugs: always use x86_spec_ctrl_base or _priv when setting spec ctrl MSR (Daniel Jordan) [Orabug: 28270952] - iommu: turn on iommu=pt by default (Tushar Dave) [Orabug: 28111039] - vhost/scsi: Use common handling code in request queue handler (Bijan Mottahedeh) [Orabug: 28775556] - vhost/scsi: Extract common handling code from control queue handler (Bijan Mottahedeh) [Orabug: 28775556] - vhost/scsi: Respond to control queue operations (Bijan Mottahedeh) [Orabug: 28775556] [4.14.35-1818.4.3.el7uek] - Fix error code in nfs_lookup_verify_inode() (Lance Shelton) [Orabug: 28807515] - x86/speculation: Retpoline should always be available on Skylake (Alexandre Chartre) [Orabug: 28801830] - x86/bugs: ssbd_ibrs_selected called prematurely (Daniel Jordan) [Orabug: 28802799] - net/mlx4_core: print firmware version during driver loading (Qing Huang) [Orabug: 28809382] - hugetlbfs: dirty pages as they are added to pagecache (Mike Kravetz) [Orabug: 28813999] [4.14.35-1818.4.2.el7uek] - infiniband: fix a possible use-after-free bug (Cong Wang) [Orabug: 28774511] {CVE-2018-14734} - nfs: fix a deadlock in nfs client initialization (Scott Mayhew) [Orabug: 28775910] - x86/speculation: Unconditionally fill RSB on context switch (Alejandro Jimenez) [Orabug: 28631576] {CVE-2018-15572} - bnxt_re: Implement the shutdown hook of the L2-RoCE driver interface (Somnath Kotur) [Orabug: 28539344] - rds: RDS (tcp) hangs on sendto() to unresponding address (Ka-Cheong Poon) [Orabug: 28762597] - uek-rpm: aarch64 some XGENE drivers must be be modules (Tom Saeger) [Orabug: 28769119] - arm64: KVM: Sanitize PSTATE.M when being set from userspace (Marc Zyngier) [Orabug: 28762424] {CVE-2018-18021} - arm64: KVM: Tighten guest core register access from userspace (Dave Martin) [Orabug: 28762424] {CVE-2018-18021} - iommu/amd: Clear memory encryption mask from physical address (Singh, Brijesh) [Orabug: 28770185] [4.14.35-1818.4.1.el7uek] - mm: get rid of vmacache_flush_all() entirely (Linus Torvalds) [Orabug: 28700955] {CVE-2018-17182} - Btrfs: fix log replay failure after unlink and link combination (Filipe Manana) [Orabug: 27941939] - x86/speculation: Add sysfs entry to enable/disable retpoline (Alexandre Chartre) [Orabug: 28753851] - x86/speculation: Allow IBRS firmware to be enabled when IBRS is disabled (Alexandre Chartre) [Orabug: 28753851] - x86/speculation: Remove unnecessary retpoline alternatives (Alexandre Chartre) [Orabug: 28753851] - x86/speculation: Use static key to enable/disable retpoline (Alexandre Chartre) [Orabug: 28753851] - bnxt_en: Fix memory fault in bnxt_ethtool_init() (Vasundhara Volam) [Orabug: 28632641] - IB/core: Initialize relaxed_pd properly (Yuval Shaia) [Orabug: 28197305] [4.14.35-1818.4.0.el7uek] - e1000e: Fix link check race condition (Benjamin Poirier) [Orabug: 28489384] - Revert
    last seen2020-06-01
    modified2020-06-02
    plugin id118861
    published2018-11-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118861
    titleOracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4270)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2018-4270.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118861);
      script_version("1.9");
      script_cvs_date("Date: 2019/09/27 13:00:39");
    
      script_cve_id("CVE-2017-13168", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14734", "CVE-2018-15572", "CVE-2018-17182", "CVE-2018-18021");
    
      script_name(english:"Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4270)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    [4.14.35-1818.4.5.el7uek]
    - x86/intel/spectre_v2: Remove unnecessary retp_compiler() test (Boris 
    Ostrovsky)  [Orabug: 28814574]
    - x86/intel/spectre_v4: Deprecate spec_store_bypass_disable=userspace 
    (Boris Ostrovsky)  [Orabug: 28814574]
    - x86/speculation: x86_spec_ctrl_set needs to be called unconditionally 
    (Boris Ostrovsky)  [Orabug: 28814574]
    - x86/speculation: Drop unused DISABLE_IBRS_CLOBBER macro (Boris 
    Ostrovsky)  [Orabug: 28814574]
    - x86/intel/spectre_v4: Keep SPEC_CTRL_SSBD when IBRS is in use (Boris 
    Ostrovsky)  [Orabug: 28814574]
    
    [4.14.35-1818.4.4.el7uek]
    - ocfs2: fix ocfs2 read block panic (Junxiao Bi)  [Orabug: 28821391]
    - scsi: sg: mitigate read/write abuse (Jann Horn)  [Orabug: 28824731] 
    {CVE-2017-13168}
    - hugetlbfs: introduce truncation/fault mutex to avoid races (Mike 
    Kravetz)  [Orabug: 28776542]
    - rds: MPRDS messages delivered out of order (Ka-Cheong Poon)  [Orabug: 
    28838051]
    - x86/bugs: rework x86_spec_ctrl_set to make its changes explicit 
    (Daniel Jordan)  [Orabug: 28270952]
    - x86/bugs: rename ssbd_ibrs_selected to ssbd_userspace_selected (Daniel 
    Jordan)  [Orabug: 28270952]
    - x86/bugs: x86_spec_ctrl_set may not disable IBRS on kernel idle 
    (Daniel Jordan)  [Orabug: 28270952]
    - x86/bugs: always use x86_spec_ctrl_base or _priv when setting spec 
    ctrl MSR (Daniel Jordan)  [Orabug: 28270952]
    - iommu: turn on iommu=pt by default (Tushar Dave)  [Orabug: 28111039]
    - vhost/scsi: Use common handling code in request queue handler (Bijan 
    Mottahedeh)  [Orabug: 28775556]
    - vhost/scsi: Extract common handling code from control queue handler 
    (Bijan Mottahedeh)  [Orabug: 28775556]
    - vhost/scsi: Respond to control queue operations (Bijan Mottahedeh) 
    [Orabug: 28775556]
    
    [4.14.35-1818.4.3.el7uek]
    - Fix error code in nfs_lookup_verify_inode() (Lance Shelton)  [Orabug: 
    28807515]
    - x86/speculation: Retpoline should always be available on Skylake 
    (Alexandre Chartre)  [Orabug: 28801830]
    - x86/bugs: ssbd_ibrs_selected called prematurely (Daniel Jordan) 
    [Orabug: 28802799]
    - net/mlx4_core: print firmware version during driver loading (Qing 
    Huang)  [Orabug: 28809382]
    - hugetlbfs: dirty pages as they are added to pagecache (Mike Kravetz) 
    [Orabug: 28813999]
    
    [4.14.35-1818.4.2.el7uek]
    - infiniband: fix a possible use-after-free bug (Cong Wang)  [Orabug: 
    28774511]  {CVE-2018-14734}
    - nfs: fix a deadlock in nfs client initialization (Scott Mayhew) 
    [Orabug: 28775910]
    - x86/speculation: Unconditionally fill RSB on context switch (Alejandro 
    Jimenez)  [Orabug: 28631576]  {CVE-2018-15572}
    - bnxt_re: Implement the shutdown hook of the L2-RoCE driver interface 
    (Somnath Kotur)  [Orabug: 28539344]
    - rds: RDS (tcp) hangs on sendto() to unresponding address (Ka-Cheong 
    Poon)  [Orabug: 28762597]
    - uek-rpm: aarch64 some XGENE drivers must be be modules (Tom Saeger) 
    [Orabug: 28769119]
    - arm64: KVM: Sanitize PSTATE.M when being set from userspace (Marc 
    Zyngier)  [Orabug: 28762424]  {CVE-2018-18021}
    - arm64: KVM: Tighten guest core register access from userspace (Dave 
    Martin)  [Orabug: 28762424]  {CVE-2018-18021}
    - iommu/amd: Clear memory encryption mask from physical address (Singh, 
    Brijesh)  [Orabug: 28770185]
    
    [4.14.35-1818.4.1.el7uek]
    - mm: get rid of vmacache_flush_all() entirely (Linus Torvalds) 
    [Orabug: 28700955]  {CVE-2018-17182}
    - Btrfs: fix log replay failure after unlink and link combination 
    (Filipe Manana)  [Orabug: 27941939]
    - x86/speculation: Add sysfs entry to enable/disable retpoline 
    (Alexandre Chartre)  [Orabug: 28753851]
    - x86/speculation: Allow IBRS firmware to be enabled when IBRS is 
    disabled (Alexandre Chartre)  [Orabug: 28753851]
    - x86/speculation: Remove unnecessary retpoline alternatives (Alexandre 
    Chartre)  [Orabug: 28753851]
    - x86/speculation: Use static key to enable/disable retpoline (Alexandre 
    Chartre)  [Orabug: 28753851]
    - bnxt_en: Fix memory fault in bnxt_ethtool_init() (Vasundhara Volam) 
    [Orabug: 28632641]
    - IB/core: Initialize relaxed_pd properly (Yuval Shaia)  [Orabug: 28197305]
    
    [4.14.35-1818.4.0.el7uek]
    - e1000e: Fix link check race condition (Benjamin Poirier)  [Orabug: 
    28489384]
    - Revert 'e1000e: Separate signaling for link check/link up' (Benjamin 
    Poirier)  [Orabug: 28489384]
    - e1000e: Avoid missed interrupts following ICR read (Benjamin Poirier) 
    [Orabug: 28489384]
    - e1000e: Fix queue interrupt re-raising in Other interrupt (Benjamin 
    Poirier)  [Orabug: 28489384]
    - Partial revert 'e1000e: Avoid receiver overrun interrupt bursts' 
    (Benjamin Poirier)  [Orabug: 28489384]
    - e1000e: Remove Other from EIAC (Benjamin Poirier)  [Orabug: 28489384]
    - btrfs: validate type when reading a chunk (Gu Jinxiang)  [Orabug: 
    28700851]  {CVE-2018-14611}
    - btrfs: Check that each block group has corresponding chunk at mount 
    time (Qu Wenruo)  [Orabug: 28700872]  {CVE-2018-14610}
    - net: rds: Use address family to designate IPv4 or IPv6 addresses 
    (H&aring kon Bugge)  [Orabug: 28720069]
    - net: rds: Fix blank at eol in af_rds.c (H&aring kon Bugge)  [Orabug: 28720069]"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2018-November/008249.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2017-13168", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14734", "CVE-2018-15572", "CVE-2018-17182", "CVE-2018-18021");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2018-4270");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "4.14";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.14.35-1818.4.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.14.35-1818.4.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.14.35-1818.4.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.14.35-1818.4.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.14.35-1818.4.5.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-tools-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-tools-4.14.35-1818.4.5.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3821-1.NASL
    descriptionWen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly ensure that xattr information remained in inode bodies. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10880) It was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053) Wen Xu discovered that the f2fs filesystem implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13096) Wen Xu and Po-Ning Tseng discovered that the btrfs filesystem implementation in the Linux kernel did not properly handle relocations in some situations. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14609) Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617) Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972) It was discovered that the KVM implementation in the Linux kernel on ARM 64bit processors did not properly handle some ioctls. An attacker with the privilege to create KVM-based virtual machines could use this to cause a denial of service (host system crash) or execute arbitrary code in the host. (CVE-2018-18021). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118971
    published2018-11-15
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118971
    titleUbuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3821-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3821-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118971);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/18 12:31:49");
    
      script_cve_id("CVE-2018-10880", "CVE-2018-13053", "CVE-2018-13096", "CVE-2018-14609", "CVE-2018-14617", "CVE-2018-17972", "CVE-2018-18021");
      script_xref(name:"USN", value:"3821-1");
    
      script_name(english:"Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3821-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Wen Xu discovered that the ext4 filesystem implementation in the Linux
    kernel did not properly ensure that xattr information remained in
    inode bodies. An attacker could use this to construct a malicious ext4
    image that, when mounted, could cause a denial of service (system
    crash). (CVE-2018-10880)
    
    It was discovered that the alarmtimer implementation in the Linux
    kernel contained an integer overflow vulnerability. A local attacker
    could use this to cause a denial of service. (CVE-2018-13053)
    
    Wen Xu discovered that the f2fs filesystem implementation in the Linux
    kernel did not properly validate metadata. An attacker could use this
    to construct a malicious f2fs image that, when mounted, could cause a
    denial of service (system crash). (CVE-2018-13096)
    
    Wen Xu and Po-Ning Tseng discovered that the btrfs filesystem
    implementation in the Linux kernel did not properly handle relocations
    in some situations. An attacker could use this to construct a
    malicious btrfs image that, when mounted, could cause a denial of
    service (system crash). (CVE-2018-14609)
    
    Wen Xu discovered that the HFS+ filesystem implementation in the Linux
    kernel did not properly handle malformed catalog data in some
    situations. An attacker could use this to construct a malicious HFS+
    image that, when mounted, could cause a denial of service (system
    crash). (CVE-2018-14617)
    
    Jann Horn discovered that the procfs file system implementation in the
    Linux kernel did not properly restrict the ability to inspect the
    kernel stack of an arbitrary task. A local attacker could use this to
    expose sensitive information. (CVE-2018-17972)
    
    It was discovered that the KVM implementation in the Linux kernel on
    ARM 64bit processors did not properly handle some ioctls. An attacker
    with the privilege to create KVM-based virtual machines could use this
    to cause a denial of service (host system crash) or execute arbitrary
    code in the host. (CVE-2018-18021).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3821-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-10880", "CVE-2018-13053", "CVE-2018-13096", "CVE-2018-14609", "CVE-2018-14617", "CVE-2018-17972", "CVE-2018-18021");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3821-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1037-kvm", pkgver:"4.4.0-1037.43")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1072-aws", pkgver:"4.4.0-1072.82")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1100-raspi2", pkgver:"4.4.0-1100.108")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-1104-snapdragon", pkgver:"4.4.0-1104.109")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-139-generic", pkgver:"4.4.0-139.165")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-139-generic-lpae", pkgver:"4.4.0-139.165")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.4.0-139-lowlatency", pkgver:"4.4.0-139.165")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-aws", pkgver:"4.4.0.1072.74")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic", pkgver:"4.4.0.139.145")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-lpae", pkgver:"4.4.0.139.145")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-kvm", pkgver:"4.4.0.1037.36")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-lowlatency", pkgver:"4.4.0.139.145")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-raspi2", pkgver:"4.4.0.1100.100")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-snapdragon", pkgver:"4.4.0.1104.96")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.4-aws / linux-image-4.4-generic / etc");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3821-2.NASL
    descriptionUSN-3821-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. Wen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly ensure that xattr information remained in inode bodies. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10880) It was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053) Wen Xu discovered that the f2fs filesystem implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13096) Wen Xu and Po-Ning Tseng discovered that the btrfs filesystem implementation in the Linux kernel did not properly handle relocations in some situations. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14609) Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617) Jann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972) It was discovered that the KVM implementation in the Linux kernel on ARM 64bit processors did not properly handle some ioctls. An attacker with the privilege to create KVM-based virtual machines could use this to cause a denial of service (host system crash) or execute arbitrary code in the host. (CVE-2018-18021). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118972
    published2018-11-15
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118972
    titleUbuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3821-2)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3821-2. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118972);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/18 12:31:49");
    
      script_cve_id("CVE-2018-10880", "CVE-2018-13053", "CVE-2018-13096", "CVE-2018-14609", "CVE-2018-14617", "CVE-2018-17972", "CVE-2018-18021");
      script_xref(name:"USN", value:"3821-2");
    
      script_name(english:"Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3821-2)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-3821-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
    LTS. This update provides the corresponding updates for the Linux
    Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
    14.04 LTS.
    
    Wen Xu discovered that the ext4 filesystem implementation in the Linux
    kernel did not properly ensure that xattr information remained in
    inode bodies. An attacker could use this to construct a malicious ext4
    image that, when mounted, could cause a denial of service (system
    crash). (CVE-2018-10880)
    
    It was discovered that the alarmtimer implementation in the Linux
    kernel contained an integer overflow vulnerability. A local attacker
    could use this to cause a denial of service. (CVE-2018-13053)
    
    Wen Xu discovered that the f2fs filesystem implementation in the Linux
    kernel did not properly validate metadata. An attacker could use this
    to construct a malicious f2fs image that, when mounted, could cause a
    denial of service (system crash). (CVE-2018-13096)
    
    Wen Xu and Po-Ning Tseng discovered that the btrfs filesystem
    implementation in the Linux kernel did not properly handle relocations
    in some situations. An attacker could use this to construct a
    malicious btrfs image that, when mounted, could cause a denial of
    service (system crash). (CVE-2018-14609)
    
    Wen Xu discovered that the HFS+ filesystem implementation in the Linux
    kernel did not properly handle malformed catalog data in some
    situations. An attacker could use this to construct a malicious HFS+
    image that, when mounted, could cause a denial of service (system
    crash). (CVE-2018-14617)
    
    Jann Horn discovered that the procfs file system implementation in the
    Linux kernel did not properly restrict the ability to inspect the
    kernel stack of an arbitrary task. A local attacker could use this to
    expose sensitive information. (CVE-2018-17972)
    
    It was discovered that the KVM implementation in the Linux kernel on
    ARM 64bit processors did not properly handle some ioctls. An attacker
    with the privilege to create KVM-based virtual machines could use this
    to cause a denial of service (host system crash) or execute arbitrary
    code in the host. (CVE-2018-18021).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3821-2/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-lts-xenial");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lts-xenial");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-lts-xenial");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-10880", "CVE-2018-13053", "CVE-2018-13096", "CVE-2018-14609", "CVE-2018-14617", "CVE-2018-17972", "CVE-2018-18021");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3821-2");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.4.0-1034-aws", pkgver:"4.4.0-1034.37")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.4.0-139-generic", pkgver:"4.4.0-139.165~14.04.1")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.4.0-139-generic-lpae", pkgver:"4.4.0-139.165~14.04.1")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-4.4.0-139-lowlatency", pkgver:"4.4.0-139.165~14.04.1")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-aws", pkgver:"4.4.0.1034.34")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic-lpae-lts-xenial", pkgver:"4.4.0.139.119")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-generic-lts-xenial", pkgver:"4.4.0.139.119")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"linux-image-lowlatency-lts-xenial", pkgver:"4.4.0.139.119")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.4-aws / linux-image-4.4-generic / etc");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3656.NASL
    descriptionAn update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-alt packages provide the Linux kernel version 4.x. Security Fix(es) : * kernel: Use-after-free in the vmacache_flush_all function resulting in a possible privilege escalation (CVE-2018-17182) * kernel: Privilege escalation on arm64 via KVM hypervisor (CVE-2018-18021) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : These updated kernel packages include also numerous bug fixes. Space precludes documenting all of the bug fixes in this advisory. See the descriptions in the related Knowledge Article: https://access.redhat.com/articles/3714391
    last seen2020-06-01
    modified2020-06-02
    plugin id119170
    published2018-11-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119170
    titleRHEL 7 : kernel-alt (RHSA-2018:3656)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:3656. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119170);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/24 15:35:46");
    
      script_cve_id("CVE-2018-17182", "CVE-2018-18021");
      script_xref(name:"RHSA", value:"2018:3656");
    
      script_name(english:"RHEL 7 : kernel-alt (RHSA-2018:3656)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for kernel-alt is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The kernel-alt packages provide the Linux kernel version 4.x.
    
    Security Fix(es) :
    
    * kernel: Use-after-free in the vmacache_flush_all function resulting
    in a possible privilege escalation (CVE-2018-17182)
    
    * kernel: Privilege escalation on arm64 via KVM hypervisor
    (CVE-2018-18021)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Bug Fix(es) :
    
    These updated kernel packages include also numerous bug fixes. Space
    precludes documenting all of the bug fixes in this advisory. See the
    descriptions in the related Knowledge Article:
    https://access.redhat.com/articles/3714391"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/3714391"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:3656"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-17182"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-18021"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-17182", "CVE-2018-18021");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2018:3656");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:3656";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-abi-whitelists-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-debuginfo-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debug-devel-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-debuginfo-common-s390x-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-devel-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", reference:"kernel-doc-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-headers-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-debuginfo-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"kernel-kdump-devel-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"perf-debuginfo-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-4.14.0-115.2.2.el7a")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"python-perf-debuginfo-4.14.0-115.2.2.el7a")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc");
      }
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1536.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve()
    last seen2020-03-19
    modified2019-05-14
    plugin id124989
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124989
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1536)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124989);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2013-7263",
        "CVE-2013-7445",
        "CVE-2013-7446",
        "CVE-2014-4611",
        "CVE-2014-5471",
        "CVE-2014-9914",
        "CVE-2015-0571",
        "CVE-2015-8104",
        "CVE-2015-8950",
        "CVE-2016-2550",
        "CVE-2016-2847",
        "CVE-2016-4557",
        "CVE-2016-9178",
        "CVE-2017-1000370",
        "CVE-2017-10661",
        "CVE-2017-14991",
        "CVE-2017-17558",
        "CVE-2017-9150",
        "CVE-2018-10940",
        "CVE-2018-18021"
      );
      script_bugtraq_id(
        64686,
        68218,
        69396
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1536)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The offset2lib patch as used in the Linux Kernel
        contains a vulnerability that allows a PIE binary to be
        execve()'ed with 1GB of arguments or environmental
        strings then the stack occupies the address 0x80000000
        and the PIE binary is mapped above 0x40000000
        nullifying the protection of the offset2lib patch. This
        affects Linux Kernel version 4.11.5 and earlier. This
        is a different issue than CVE-2017-1000371. This issue
        appears to be limited to i386 based
        systems.(CVE-2017-1000370i1/4%0
    
      - Integer overflow in the LZ4 algorithm implementation,
        as used in Yann Collet LZ4 before r118 and in the
        lz4_uncompress function in lib/lz4/lz4_decompress.c in
        the Linux kernel before 3.15.2, on 32-bit platforms
        might allow context-dependent attackers to cause a
        denial of service (memory corruption) or possibly have
        unspecified other impact via a crafted Literal Run that
        would be improperly handled by programs not complying
        with an API limitation, a different vulnerability than
        CVE-2014-4715.(CVE-2014-4611i1/4%0
    
      - The replace_map_fd_with_map_ptr function in
        kernel/bpf/verifier.c in the Linux kernel before 4.5.5
        does not properly maintain an fd data structure, which
        allows local users to gain privileges or cause a denial
        of service (use-after-free) via crafted BPF
        instructions that reference an incorrect file
        descriptor.(CVE-2016-4557i1/4%0
    
      - The usb_destroy_configuration() function, in
        'drivers/usb/core/config.c' in the USB core subsystem,
        in the Linux kernel through 4.14.5 does not consider
        the maximum number of configurations and interfaces
        before attempting to release resources. This allows
        local users to cause a denial of service, due to
        out-of-bounds write access, or possibly have
        unspecified other impact via a crafted USB device. Due
        to the nature of the flaw, privilege escalation cannot
        be fully ruled out, although we believe it is
        unlikely.(CVE-2017-17558i1/4%0
    
      - The cdrom_ioctl_media_changed function in
        drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6
        allows local attackers to use a incorrect bounds check
        in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read
        out kernel memory.(CVE-2018-10940i1/4%0
    
      - It was found that the parse_rock_ridge_inode_internal()
        function of the Linux kernel's ISOFS implementation did
        not correctly check relocated directories when
        processing Rock Ridge child link (CL) tags. An attacker
        with physical access to the system could use a
        specially crafted ISO image to crash the system or,
        potentially, escalate their privileges on the
        system.(CVE-2014-5471i1/4%0
    
      - A flaw was found in the Linux kernel's implementation
        of Unix sockets. A server polling for client-socket
        data could put the peer socket on a wait list the peer
        socket could then close the connection, making the
        reference on the wait list no longer valid. This could
        lead to bypassing the permissions on a Unix socket and
        packets being injected into the stream, and could also
        panic the machine (denial of service).(CVE-2013-7446i1/4%0
    
      - The do_check function in kernel/bpf/verifier.c in the
        Linux kernel before 4.11.1 does not make the
        allow_ptr_leaks value available for restricting the
        output of the print_bpf_insn function, which allows
        local users to obtain sensitive address information via
        crafted bpf system calls.(CVE-2017-9150i1/4%0
    
      - The WLAN (aka Wi-Fi) driver for the Linux kernel 3.x
        and 4.x, as used in Qualcomm Innovation Center (QuIC)
        Android contributions for MSM devices and other
        products, does not verify authorization for private SET
        IOCTL calls, which allows attackers to gain privileges
        via a crafted application, related to
        wlan_hdd_hostapd.c and
        wlan_hdd_wext.c.(CVE-2015-0571i1/4%0
    
      - arch/arm64/kvm/guest.c in KVM in the Linux kernel
        before 4.18.12 on the arm64 platform mishandles the
        KVM_SET_ON_REG ioctl. This is exploitable by attackers
        who can create virtual machines. An attacker can
        arbitrarily redirect the hypervisor flow of control
        (with full register control). An attacker can also
        cause a denial of service (hypervisor panic) via an
        illegal exception return. This occurs because of
        insufficient restrictions on userspace access to the
        core register file, and because PSTATE.M validation
        does not prevent unintended execution
        modes.(CVE-2018-18021i1/4%0
    
      - A resource-exhaustion vulnerability was found in the
        kernel, where an unprivileged process could allocate
        and accumulate far more file descriptors than the
        process' limit. A local, unauthenticated user could
        exploit this flaw by sending file descriptors over a
        Unix socket and then closing them to keep the process'
        fd count low, thereby creating kernel-memory or
        file-descriptors exhaustion (denial of
        service).(CVE-2016-2550i1/4%0
    
      - The Linux kernel before 3.12.4 updates certain length
        values before ensuring that associated data structures
        have been initialized, which allows local users to
        obtain sensitive information from kernel stack memory
        via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system
        call, related to net/ipv4/ping.c, net/ipv4/raw.c,
        net/ipv4/udp.c, net/ipv6/raw.c, and
        net/ipv6/udp.c.(CVE-2013-7263i1/4%0
    
      - It is possible for a single process to cause an OOM
        condition by filling large pipes with data that are
        never read. A typical process filling 4096 pipes with 1
        MB of data will use 4 GB of memory and there can be
        multiple such processes, up to a
        per-user-limit.(CVE-2016-2847i1/4%0
    
      - The __get_user_asm_ex macro in
        arch/x86/include/asm/uaccess.h in the Linux kernel
        before 4.7.5 does not initialize a certain integer
        variable, which allows local users to obtain sensitive
        information from kernel stack memory by triggering
        failure of a get_user_ex call.(CVE-2016-9178i1/4%0
    
      - It was found that the x86 ISA (Instruction Set
        Architecture) is prone to a denial of service attack
        inside a virtualized environment in the form of an
        infinite loop in the microcode due to the way
        (sequential) delivering of benign exceptions such as
        #DB (debug exception) is handled. A privileged user
        inside a guest could use this flaw to create denial of
        service conditions on the host kernel.(CVE-2015-8104i1/4%0
    
      - The Direct Rendering Manager (DRM) subsystem in the
        Linux kernel through 4.x mishandles requests for
        Graphics Execution Manager (GEM) objects, which allows
        context-dependent attackers to cause a denial of
        service (memory consumption) via an application that
        processes graphics data, as demonstrated by JavaScript
        code that creates many CANVAS elements for rendering by
        Chrome or Firefox.(CVE-2013-7445i1/4%0
    
      - A flaw was found in the Linux kernel which does not
        initialize certain data structures used by DMA transfer
        on ARM64 based systems. This could allow local users to
        obtain sensitive information from kernel memory by
        triggering a dma_mmap call and reconstructing the
        data.(CVE-2015-8950i1/4%0
    
      - A race condition was found in the Linux kernel before
        version 4.11-rc1 in 'fs/timerfd.c' file which allows a
        local user to cause a kernel list corruption or
        use-after-free via simultaneous operations with a file
        descriptor which leverage improper 'might_cancel'
        queuing. An unprivileged local user could use this flaw
        to cause a denial of service of the system. Due to the
        nature of the flaw, privilege escalation cannot be
        fully ruled out, although we believe it is
        unlikely.(CVE-2017-10661i1/4%0
    
      - The sg_ioctl() function in 'drivers/scsi/sg.c' in the
        Linux kernel, from version 4.12-rc1 to 4.14-rc2, allows
        local users to obtain sensitive information from
        uninitialized kernel heap-memory locations via an
        SG_GET_REQUEST_TABLE ioctl call for
        '/dev/sg0'.(CVE-2017-14991i1/4%0
    
      - A race condition in the ip4_datagram_release_cb
        function in net/ipv4/datagram.c in the Linux kernel
        allows local users to gain privileges or cause a denial
        of service (use-after-free) by leveraging incorrect
        expectations about locking during multithreaded access
        to internal data structures for IPv4 UDP
        sockets.(CVE-2014-9914i1/4%0
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1536
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4db9b001");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux BPF doubleput UAF Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.28-1.2.117",
            "kernel-devel-4.19.28-1.2.117",
            "kernel-headers-4.19.28-1.2.117",
            "kernel-tools-4.19.28-1.2.117",
            "kernel-tools-libs-4.19.28-1.2.117",
            "kernel-tools-libs-devel-4.19.28-1.2.117",
            "perf-4.19.28-1.2.117",
            "python-perf-4.19.28-1.2.117"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4313.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2018-15471 (XSA-270) Felix Wilhelm of Google Project Zero discovered a flaw in the hash handling of the xen-netback Linux kernel module. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in privilege escalation, denial of service, or information leaks. - CVE-2018-18021 It was discovered that the KVM subsystem on the arm64 platform does not properly handle the KVM_SET_ON_REG ioctl. An attacker who can create KVM based virtual machines can take advantage of this flaw for denial of service (hypervisor panic) or privilege escalation (arbitrarily redirect the hypervisor flow of control with full register control).
    last seen2020-06-01
    modified2020-06-02
    plugin id118023
    published2018-10-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118023
    titleDebian DSA-4313-1 : linux - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4313. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118023);
      script_version("1.5");
      script_cvs_date("Date: 2019/07/15 14:20:30");
    
      script_cve_id("CVE-2018-15471", "CVE-2018-18021");
      script_xref(name:"DSA", value:"4313");
    
      script_name(english:"Debian DSA-4313-1 : linux - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.
    
      - CVE-2018-15471 (XSA-270)
        Felix Wilhelm of Google Project Zero discovered a flaw
        in the hash handling of the xen-netback Linux kernel
        module. A malicious or buggy frontend may cause the
        (usually privileged) backend to make out of bounds
        memory accesses, potentially resulting in privilege
        escalation, denial of service, or information leaks.
    
      - CVE-2018-18021
        It was discovered that the KVM subsystem on the arm64
        platform does not properly handle the KVM_SET_ON_REG
        ioctl. An attacker who can create KVM based virtual
        machines can take advantage of this flaw for denial of
        service (hypervisor panic) or privilege escalation
        (arbitrarily redirect the hypervisor flow of control
        with full register control)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-15471"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2018-18021"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/linux"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/linux"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2018/dsa-4313"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the linux packages.
    
    For the stable distribution (stretch), these problems have been fixed
    in version 4.9.110-3+deb9u6."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/10/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"9.0", prefix:"hyperv-daemons", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"libcpupower-dev", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"libcpupower1", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"libusbip-dev", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-arm", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-s390", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-compiler-gcc-6-x86", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-cpupower", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-doc-4.9", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-4kc-malta", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-5kc-malta", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-686", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-686-pae", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-amd64", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-arm64", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-armel", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-armhf", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-i386", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mips", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mips64el", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-mipsel", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-ppc64el", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-all-s390x", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-amd64", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-arm64", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-armmp", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-armmp-lpae", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-common", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-common-rt", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-loongson-3", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-marvell", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-octeon", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-powerpc64le", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-rt-686-pae", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-rt-amd64", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-headers-4.9.0-9-s390x", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-4kc-malta", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-4kc-malta-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-5kc-malta", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-5kc-malta-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-pae", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-686-pae-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-amd64", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-amd64-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-arm64", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-arm64-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-lpae", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-armmp-lpae-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-loongson-3", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-loongson-3-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-marvell", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-marvell-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-octeon", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-octeon-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-powerpc64le", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-powerpc64le-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-686-pae", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-686-pae-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-amd64", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-rt-amd64-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-s390x", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-image-4.9.0-9-s390x-dbg", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-kbuild-4.9", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-libc-dev", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-manual-4.9", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-perf-4.9", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-source-4.9", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"linux-support-4.9.0-9", reference:"4.9.110-3+deb9u6")) flag++;
    if (deb_check(release:"9.0", prefix:"usbip", reference:"4.9.110-3+deb9u6")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-F392AB8C84.NASL
    descriptionThe 4.18.12 update contains a number of important fixes across the tree Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120904
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120904
    titleFedora 29 : kernel / kernel-headers (2018-f392ab8c84)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3931-2.NASL
    descriptionUSN-3931-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS and for the Linux Azure kernel for Ubuntu 14.04 LTS. M. Vefa Bicakci and Andy Lutomirski discovered that the kernel did not properly set up all arguments to an error handler callback used when running as a paravirtualized guest. An unprivileged attacker in a paravirtualized guest VM could use this to cause a denial of service (guest VM crash). (CVE-2018-14678) It was discovered that the KVM implementation in the Linux kernel on ARM 64bit processors did not properly handle some ioctls. An attacker with the privilege to create KVM-based virtual machines could use this to cause a denial of service (host system crash) or execute arbitrary code in the host. (CVE-2018-18021) Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information. (CVE-2019-7308) It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912) It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123679
    published2019-04-03
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123679
    titleUbuntu 14.04 LTS / 16.04 LTS : linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle (USN-3931-2)

Redhat

advisories
rhsa
idRHSA-2018:3656
rpms
  • kernel-0:4.14.0-115.2.2.el7a
  • kernel-abi-whitelists-0:4.14.0-115.2.2.el7a
  • kernel-bootwrapper-0:4.14.0-115.2.2.el7a
  • kernel-debug-0:4.14.0-115.2.2.el7a
  • kernel-debug-debuginfo-0:4.14.0-115.2.2.el7a
  • kernel-debug-devel-0:4.14.0-115.2.2.el7a
  • kernel-debuginfo-0:4.14.0-115.2.2.el7a
  • kernel-debuginfo-common-aarch64-0:4.14.0-115.2.2.el7a
  • kernel-debuginfo-common-ppc64le-0:4.14.0-115.2.2.el7a
  • kernel-debuginfo-common-s390x-0:4.14.0-115.2.2.el7a
  • kernel-devel-0:4.14.0-115.2.2.el7a
  • kernel-doc-0:4.14.0-115.2.2.el7a
  • kernel-headers-0:4.14.0-115.2.2.el7a
  • kernel-kdump-0:4.14.0-115.2.2.el7a
  • kernel-kdump-debuginfo-0:4.14.0-115.2.2.el7a
  • kernel-kdump-devel-0:4.14.0-115.2.2.el7a
  • kernel-tools-0:4.14.0-115.2.2.el7a
  • kernel-tools-debuginfo-0:4.14.0-115.2.2.el7a
  • kernel-tools-libs-0:4.14.0-115.2.2.el7a
  • kernel-tools-libs-devel-0:4.14.0-115.2.2.el7a
  • perf-0:4.14.0-115.2.2.el7a
  • perf-debuginfo-0:4.14.0-115.2.2.el7a
  • python-perf-0:4.14.0-115.2.2.el7a
  • python-perf-debuginfo-0:4.14.0-115.2.2.el7a

References