Vulnerabilities > CVE-2018-3620 - Information Exposure Through Discrepancy vulnerability in Intel products
Attack vector
LOCAL Attack complexity
HIGH Privileges required
LOW Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20180814_KERNEL_ON_SL7_X.NASL description Security Fix(es) : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor last seen 2020-03-18 modified 2018-08-16 plugin id 111778 published 2018-08-16 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111778 title Scientific Linux Security Update : kernel on SL7.x x86_64 (20180814) (Foreshadow) code # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(111778); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24"); script_cve_id("CVE-2017-13215", "CVE-2018-10675", "CVE-2018-3620", "CVE-2018-3646", "CVE-2018-3693", "CVE-2018-5390", "CVE-2018-7566"); script_name(english:"Scientific Linux Security Update : kernel on SL7.x x86_64 (20180814) (Foreshadow)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Security Fix(es) : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to influence speculative execution and/or read privileged memory by conducting targeted cache side- channel attacks. (CVE-2018-3693) - A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390) - kernel: crypto: privilege escalation in skcipher_recvmsg function (CVE-2017-13215) - kernel: mm: use-after-free in do_get_mempolicy function allows local DoS or other unspecified impact (CVE-2018-10675) - kernel: race condition in snd_seq_write() may lead to UAF or OOB access (CVE-2018-7566)" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1808&L=scientific-linux-errata&F=&S=&P=847 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e6645d58" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/12"); script_set_attribute(attribute:"patch_publication_date", value:"2018/08/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/16"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", reference:"kernel-abi-whitelists-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-debuginfo-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debuginfo-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-devel-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", reference:"kernel-doc-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-headers-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-debuginfo-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"perf-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"perf-debuginfo-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"python-perf-3.10.0-862.11.6.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"python-perf-debuginfo-3.10.0-862.11.6.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2387.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 111728 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111728 title RHEL 7 : kernel (RHSA-2018:2387) (Foreshadow) (Spectre) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:2387. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(111728); script_version("1.10"); script_cvs_date("Date: 2019/10/24 15:35:45"); script_cve_id("CVE-2018-3620", "CVE-2018-3639", "CVE-2018-3646"); script_xref(name:"RHSA", value:"2018:2387"); script_name(english:"RHEL 7 : kernel (RHSA-2018:2387) (Foreshadow) (Spectre)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for kernel is now available for Red Hat Enterprise Linux 7.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks. (CVE-2018-3639) Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Ken Johnson (Microsoft Security Response Center) and Jann Horn (Google Project Zero) for reporting CVE-2018-3639. Bug Fix(es) : * Previously, configurations with the little-endian variant of IBM Power Systems CPU architectures and Hard Disk Drives (HDD) designed according to Nonvolatile Memory Express (NVMe) open standards, experienced crashes during shutdown or reboot due to race conditions of CPUs. As a consequence, the sysfs pseudo file system threw a stack trace report about an attempt to create a duplicate entry in sysfs. This update modifies the source code so that the irq_dispose_mapping() function is called first and the msi_bitmap_free_hwirqs() function is called afterwards. As a result, the race condition no longer appears in the described scenario. (BZ#1570510) * When switching from the indirect branch speculation (IBRS) feature to the retpolines feature, the IBRS state of some CPUs was sometimes not handled correctly. Consequently, some CPUs were left with the IBRS Model-Specific Register (MSR) bit set to 1, which could lead to performance issues. With this update, the underlying source code has been fixed to clear the IBRS MSR bits correctly, thus fixing the bug. (BZ#1586147) * During a balloon reset, page pointers were not correctly initialized after unmapping the memory. Consequently, on the VMware ESXi hypervisor with 'Fault Tolerance' and 'ballooning' enabled, the following messages repeatedly occurred in the kernel log : [3014611.640148] WARNING: at mm/vmalloc.c:1491 __vunmap+0xd3/0x100() [3014611.640269] Trying to vfree() nonexistent vm area (ffffc90000697000) With this update, the underlying source code has been fixed to initialize page pointers properly. As a result, the mm/vmalloc.c warnings no longer occur under the described circumstances. (BZ#1595600)" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/vulnerabilities/L1TF" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2018:2387" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-3620" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-3639" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2018-3646" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/22"); script_set_attribute(attribute:"patch_publication_date", value:"2018/08/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/15"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^7\.4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.4", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2018-3620", "CVE-2018-3639", "CVE-2018-3646"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for RHSA-2018:2387"); } else { __rpm_report = ksplice_reporting_text(); } } yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2018:2387"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", reference:"kernel-abi-whitelists-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-debug-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debug-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-debug-debuginfo-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debug-debuginfo-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-debug-devel-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debug-devel-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-debuginfo-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debuginfo-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-debuginfo-common-s390x-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-devel-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-devel-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", reference:"kernel-doc-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-headers-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-headers-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-kdump-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-kdump-debuginfo-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"kernel-kdump-devel-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-tools-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-tools-debuginfo-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-tools-libs-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"kernel-tools-libs-devel-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"perf-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"perf-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"perf-debuginfo-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"perf-debuginfo-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"python-perf-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"python-perf-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"s390x", reference:"python-perf-debuginfo-3.10.0-693.37.4.el7")) flag++; if (rpm_check(release:"RHEL7", sp:"4", cpu:"x86_64", reference:"python-perf-debuginfo-3.10.0-693.37.4.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc"); } }
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2018-240-01.NASL description New kernel packages are available for Slackware 14.2 to mitigate security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 112180 published 2018-08-29 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112180 title Slackware 14.2 : Slackware 14.2 kernel (SSA:2018-240-01) (Foreshadow) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2018-240-01. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(112180); script_version("1.2"); script_cvs_date("Date: 2018/09/04 13:20:08"); script_cve_id("CVE-2018-3546", "CVE-2018-3615", "CVE-2018-3620"); script_xref(name:"SSA", value:"2018-240-01"); script_name(english:"Slackware 14.2 : Slackware 14.2 kernel (SSA:2018-240-01) (Foreshadow)"); script_summary(english:"Checks for updated packages in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New kernel packages are available for Slackware 14.2 to mitigate security issues." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2018&m=slackware-security.715570 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b5e7f267" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:P/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-firmware"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-generic-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-huge"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-huge-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-modules"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-modules-smp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kernel-source"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2"); script_set_attribute(attribute:"patch_publication_date", value:"2018/08/28"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"14.2", pkgname:"kernel-firmware", pkgver:"20180825_fea76a0", pkgarch:"noarch", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", pkgname:"kernel-generic", pkgver:"4.4.153", pkgarch:"i586", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", pkgname:"kernel-generic-smp", pkgver:"4.4.153_smp", pkgarch:"i686", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", pkgname:"kernel-headers", pkgver:"4.4.153_smp", pkgarch:"x86", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", pkgname:"kernel-huge", pkgver:"4.4.153", pkgarch:"i586", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", pkgname:"kernel-huge-smp", pkgver:"4.4.153_smp", pkgarch:"i686", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", pkgname:"kernel-modules", pkgver:"4.4.153", pkgarch:"i586", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", pkgname:"kernel-modules-smp", pkgver:"4.4.153_smp", pkgarch:"i686", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", pkgname:"kernel-source", pkgver:"4.4.153_smp", pkgarch:"noarch", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-firmware", pkgver:"20180825_fea76a0", pkgarch:"noarch", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-generic", pkgver:"4.4.153", pkgarch:"x86_64", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-headers", pkgver:"4.4.153", pkgarch:"x86", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-huge", pkgver:"4.4.153", pkgarch:"x86_64", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-modules", pkgver:"4.4.153", pkgarch:"x86_64", pkgnum:"1")) flag++; if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"kernel-source", pkgver:"4.4.153", pkgarch:"noarch", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL95275140.NASL description Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis. (CVE-2018-3620 also known as Foreshadow-NG) Impact For products with None in the Versions known to be vulnerable column, there is no impact. BIG-IP CVE-2018-3620 requires an attacker who is capable of providing and running binary code of their choosing on the BIG-IP platform. This raises a high bar for attackers attempting to target BIG-IP systems over a network and would require an additional, unpatched, user-space remote code execution vulnerability to exploit these new issues. The only administrative roles on a BIG-IP system allowed to execute binary code or exploitable analogs, such as JavaScript, are the Administrator, Resource Administrator, Manager, and iRules Manager roles. The Administrator and Resource Administrator users already have nearly complete access to the system and all secrets on the system that are not protected by hardware based encryption. The Manager and iRules Manager roles do have more restricted access to the system, but have the ability to install new iRulesLX code. A malicious authorized Manager or iRules Manager can install malicious binary code to exploit these information leaks and gain more privileged access. F5 recommends limiting access to these roles to trusted employees. Enterprise Manager CVE-2018-3620 requires an attacker who is capable of providing and running binary code of their choosing on the Enterprise Manager platform. This raises a high bar for attackers attempting to target the Enterprise Manager system over a network and would require an additional, un-patched, user-space remote code execution vulnerability to exploit these new issues. BIG-IQ CVE-2018-3620 requires an attacker who is capable of providing and running binary code of their choosing on the BIG-IQplatform. This raises a high bar for attackers attempting to target the BIG-IQ system over a network and would require an additional, un-patched, user-space remote code execution vulnerability to exploit these new issues. F5 iWorkflow CVE-2018-3620 requires an attacker who is capable of providing and running binary code of their choosing on the F5 iWorkflowplatform. This raises a high bar for attackers attempting to target the F5 iWorkflow system over a network and would require an additional, un-patched, user-space remote code execution vulnerability to exploit these new issues. Traffix SDC An unprivileged attacker can use this vulnerability to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. last seen 2020-03-17 modified 2019-05-29 plugin id 125485 published 2019-05-29 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125485 title F5 Networks BIG-IP : OS Kernel and SMM mode L1 Terminal Fault vulnerability (K95275140) (Foreshadow) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from F5 Networks BIG-IP Solution K95275140. # # The text description of this plugin is (C) F5 Networks. # include("compat.inc"); if (description) { script_id(125485); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/09"); script_cve_id("CVE-2018-3620"); script_name(english:"F5 Networks BIG-IP : OS Kernel and SMM mode L1 Terminal Fault vulnerability (K95275140) (Foreshadow)"); script_summary(english:"Checks the BIG-IP version."); script_set_attribute( attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch." ); script_set_attribute( attribute:"description", value: "Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis. (CVE-2018-3620 also known as Foreshadow-NG) Impact For products with None in the Versions known to be vulnerable column, there is no impact. BIG-IP CVE-2018-3620 requires an attacker who is capable of providing and running binary code of their choosing on the BIG-IP platform. This raises a high bar for attackers attempting to target BIG-IP systems over a network and would require an additional, unpatched, user-space remote code execution vulnerability to exploit these new issues. The only administrative roles on a BIG-IP system allowed to execute binary code or exploitable analogs, such as JavaScript, are the Administrator, Resource Administrator, Manager, and iRules Manager roles. The Administrator and Resource Administrator users already have nearly complete access to the system and all secrets on the system that are not protected by hardware based encryption. The Manager and iRules Manager roles do have more restricted access to the system, but have the ability to install new iRulesLX code. A malicious authorized Manager or iRules Manager can install malicious binary code to exploit these information leaks and gain more privileged access. F5 recommends limiting access to these roles to trusted employees. Enterprise Manager CVE-2018-3620 requires an attacker who is capable of providing and running binary code of their choosing on the Enterprise Manager platform. This raises a high bar for attackers attempting to target the Enterprise Manager system over a network and would require an additional, un-patched, user-space remote code execution vulnerability to exploit these new issues. BIG-IQ CVE-2018-3620 requires an attacker who is capable of providing and running binary code of their choosing on the BIG-IQplatform. This raises a high bar for attackers attempting to target the BIG-IQ system over a network and would require an additional, un-patched, user-space remote code execution vulnerability to exploit these new issues. F5 iWorkflow CVE-2018-3620 requires an attacker who is capable of providing and running binary code of their choosing on the F5 iWorkflowplatform. This raises a high bar for attackers attempting to target the F5 iWorkflow system over a network and would require an additional, un-patched, user-space remote code execution vulnerability to exploit these new issues. Traffix SDC An unprivileged attacker can use this vulnerability to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks." ); script_set_attribute( attribute:"see_also", value:"https://support.f5.com/csp/article/K95275140" ); script_set_attribute( attribute:"solution", value: "Upgrade to one of the non-vulnerable versions listed in the F5 Solution K95275140." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_global_traffic_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_webaccelerator"); script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/14"); script_set_attribute(attribute:"patch_publication_date", value:"2018/10/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/29"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"F5 Networks Local Security Checks"); script_dependencies("f5_bigip_detect.nbin"); script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version"); exit(0); } include("f5_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); version = get_kb_item("Host/BIG-IP/version"); if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP"); if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix"); if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules"); sol = "K95275140"; vmatrix = make_array(); # AFM vmatrix["AFM"] = make_array(); vmatrix["AFM"]["affected" ] = make_list("14.0.0","13.0.0-13.1.1","12.1.0-12.1.3","11.2.1-11.6.3"); vmatrix["AFM"]["unaffected"] = make_list("15.0.0"); # AM vmatrix["AM"] = make_array(); vmatrix["AM"]["affected" ] = make_list("14.0.0","13.0.0-13.1.1","12.1.0-12.1.3","11.2.1-11.6.3"); vmatrix["AM"]["unaffected"] = make_list("15.0.0"); # APM vmatrix["APM"] = make_array(); vmatrix["APM"]["affected" ] = make_list("14.0.0","13.0.0-13.1.1","12.1.0-12.1.3","11.2.1-11.6.3"); vmatrix["APM"]["unaffected"] = make_list("15.0.0"); # ASM vmatrix["ASM"] = make_array(); vmatrix["ASM"]["affected" ] = make_list("14.0.0","13.0.0-13.1.1","12.1.0-12.1.3","11.2.1-11.6.3"); vmatrix["ASM"]["unaffected"] = make_list("15.0.0"); # AVR vmatrix["AVR"] = make_array(); vmatrix["AVR"]["affected" ] = make_list("14.0.0","13.0.0-13.1.1","12.1.0-12.1.3","11.2.1-11.6.3"); vmatrix["AVR"]["unaffected"] = make_list("15.0.0"); # GTM vmatrix["GTM"] = make_array(); vmatrix["GTM"]["affected" ] = make_list("14.0.0","13.0.0-13.1.1","12.1.0-12.1.3","11.2.1-11.6.3"); vmatrix["GTM"]["unaffected"] = make_list("15.0.0"); # LC vmatrix["LC"] = make_array(); vmatrix["LC"]["affected" ] = make_list("14.0.0","13.0.0-13.1.1","12.1.0-12.1.3","11.2.1-11.6.3"); vmatrix["LC"]["unaffected"] = make_list("15.0.0"); # LTM vmatrix["LTM"] = make_array(); vmatrix["LTM"]["affected" ] = make_list("14.0.0","13.0.0-13.1.1","12.1.0-12.1.3","11.2.1-11.6.3"); vmatrix["LTM"]["unaffected"] = make_list("15.0.0"); # PEM vmatrix["PEM"] = make_array(); vmatrix["PEM"]["affected" ] = make_list("14.0.0","13.0.0-13.1.1","12.1.0-12.1.3","11.2.1-11.6.3"); vmatrix["PEM"]["unaffected"] = make_list("15.0.0"); # WAM vmatrix["WAM"] = make_array(); vmatrix["WAM"]["affected" ] = make_list("14.0.0","13.0.0-13.1.1","12.1.0-12.1.3","11.2.1-11.6.3"); vmatrix["WAM"]["unaffected"] = make_list("15.0.0"); if (bigip_is_affected(vmatrix:vmatrix, sol:sol)) { if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get()); else security_warning(0); exit(0); } else { tested = bigip_get_tested_modules(); audit_extra = "For BIG-IP module(s) " + tested + ","; if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version); else audit(AUDIT_HOST_NOT, "running any of the affected modules"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4274.NASL description This update provides mitigations for the last seen 2020-06-01 modified 2020-06-02 plugin id 111797 published 2018-08-17 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111797 title Debian DSA-4274-1 : xen - security update (Foreshadow) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4274. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(111797); script_version("1.5"); script_cvs_date("Date: 2018/11/13 12:30:47"); script_cve_id("CVE-2018-3620", "CVE-2018-3646"); script_xref(name:"DSA", value:"4274"); script_name(english:"Debian DSA-4274-1 : xen - security update (Foreshadow)"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "This update provides mitigations for the 'L1 Terminal Fault'vulnerability affecting a range of Intel CPUs. For additional information please refer to https://xenbits.xen.org/xsa/advisory-273.html. The microcode updates mentioned there are not yet available in a form distributable by Debian. In addition two denial of service vulnerabilities have been fixed (XSA-268 and XSA-269)." ); script_set_attribute( attribute:"see_also", value:"https://xenbits.xen.org/xsa/advisory-273.html" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/xen" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/xen" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2018/dsa-4274" ); script_set_attribute( attribute:"solution", value: "Upgrade the xen packages. For the stable distribution (stretch), these problems have been fixed in version 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2018/08/16"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"9.0", prefix:"libxen-4.8", reference:"4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10")) flag++; if (deb_check(release:"9.0", prefix:"libxen-dev", reference:"4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10")) flag++; if (deb_check(release:"9.0", prefix:"libxenstore3.0", reference:"4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10")) flag++; if (deb_check(release:"9.0", prefix:"xen-hypervisor-4.8-amd64", reference:"4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10")) flag++; if (deb_check(release:"9.0", prefix:"xen-hypervisor-4.8-arm64", reference:"4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10")) flag++; if (deb_check(release:"9.0", prefix:"xen-hypervisor-4.8-armhf", reference:"4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10")) flag++; if (deb_check(release:"9.0", prefix:"xen-system-amd64", reference:"4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10")) flag++; if (deb_check(release:"9.0", prefix:"xen-system-arm64", reference:"4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10")) flag++; if (deb_check(release:"9.0", prefix:"xen-system-armhf", reference:"4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10")) flag++; if (deb_check(release:"9.0", prefix:"xen-utils-4.8", reference:"4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10")) flag++; if (deb_check(release:"9.0", prefix:"xen-utils-common", reference:"4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10")) flag++; if (deb_check(release:"9.0", prefix:"xenstore-utils", reference:"4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1481.NASL description Multiple researchers have discovered a vulnerability in the way the Intel processor designs have implemented speculative execution of instructions in combination with handling of page-faults. This flaw could allow an attacker controlling an unprivileged process to read memory from arbitrary (non-user controlled) addresses, including from the kernel and all other processes running on the system or cross guest/host boundaries to read host memory. To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode (only available in Debian non-free). Common server class CPUs are covered in the update released as DLA 1446-1. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 112168 published 2018-08-29 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112168 title Debian DLA-1481-1 : linux-4.9 security update (Foreshadow) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1481-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(112168); script_version("1.2"); script_cvs_date("Date: 2018/08/31 12:25:01"); script_cve_id("CVE-2018-3620", "CVE-2018-3646"); script_name(english:"Debian DLA-1481-1 : linux-4.9 security update (Foreshadow)"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Multiple researchers have discovered a vulnerability in the way the Intel processor designs have implemented speculative execution of instructions in combination with handling of page-faults. This flaw could allow an attacker controlling an unprivileged process to read memory from arbitrary (non-user controlled) addresses, including from the kernel and all other processes running on the system or cross guest/host boundaries to read host memory. To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode (only available in Debian non-free). Common server class CPUs are covered in the update released as DLA 1446-1. For Debian 8 'Jessie', these problems have been fixed in version 4.9.110-3+deb9u4~deb8u1. We recommend that you upgrade your linux-4.9 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2018/08/msg00029.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/linux-4.9" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-arm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-4.9"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-686-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-armel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-armhf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-all-i386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-armmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-armmp-lpae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-common-rt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-marvell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-rt-686-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-4.9.0-0.bpo.7-rt-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-686-pae-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-amd64-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-armmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-armmp-lpae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-marvell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-686-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-686-pae-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-4.9.0-0.bpo.7-rt-amd64-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-kbuild-4.9"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-4.9"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-perf-4.9"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-4.9"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-4.9.0-0.bpo.7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"patch_publication_date", value:"2018/08/28"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-arm", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-doc-4.9", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-686", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-686-pae", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-amd64", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-armel", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-armhf", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-all-i386", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-amd64", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-armmp", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-armmp-lpae", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-common", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-common-rt", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-marvell", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-rt-686-pae", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-4.9.0-0.bpo.7-rt-amd64", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-686", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-686-pae", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-686-pae-dbg", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-amd64", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-amd64-dbg", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-armmp", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-armmp-lpae", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-marvell", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-686-pae", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-686-pae-dbg", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-amd64", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-4.9.0-0.bpo.7-rt-amd64-dbg", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-kbuild-4.9", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-manual-4.9", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-perf-4.9", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-source-4.9", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"linux-support-4.9.0-0.bpo.7", reference:"4.9.110-3+deb9u4~deb8u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS18_AUG_4343887.NASL description The remote Windows host is missing security update 4343887. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - A security feature bypass vulnerability exists when Microsoft Edge improperly handles redirect requests. The vulnerability allows Microsoft Edge to bypass Cross- Origin Resource Sharing (CORS) redirect restrictions, and to follow redirect requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted to a destination website of the attacker last seen 2020-06-01 modified 2020-06-02 plugin id 111685 published 2018-08-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111685 title KB4343887: Windows 10 Version 1607 and Windows Server 2016 August 2018 Security Update (Foreshadow) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the Microsoft Security Updates API. The text # itself is copyright (C) Microsoft Corporation. # include("compat.inc"); if (description) { script_id(111685); script_version("1.18"); script_cvs_date("Date: 2019/12/18"); script_cve_id( "CVE-2018-3615", "CVE-2018-3620", "CVE-2018-3646", "CVE-2018-0952", "CVE-2018-8200", "CVE-2018-8204", "CVE-2018-8253", "CVE-2018-8266", "CVE-2018-8316", "CVE-2018-8339", "CVE-2018-8340", "CVE-2018-8341", "CVE-2018-8343", "CVE-2018-8344", "CVE-2018-8345", "CVE-2018-8347", "CVE-2018-8348", "CVE-2018-8349", "CVE-2018-8351", "CVE-2018-8353", "CVE-2018-8355", "CVE-2018-8357", "CVE-2018-8358", "CVE-2018-8360", "CVE-2018-8370", "CVE-2018-8371", "CVE-2018-8372", "CVE-2018-8373", "CVE-2018-8381", "CVE-2018-8385", "CVE-2018-8388", "CVE-2018-8389", "CVE-2018-8394", "CVE-2018-8398", "CVE-2018-8401", "CVE-2018-8403", "CVE-2018-8404", "CVE-2018-8405", "CVE-2018-8406" ); script_bugtraq_id( 104977, 104978, 104980, 104982, 104983, 104984, 104986, 104987, 104988, 104992, 104995, 104999, 105001, 105006, 105007, 105008, 105009, 105011, 105012, 105017, 105027, 105029, 105030, 105048 ); script_xref(name:"MSKB", value:"4343887"); script_xref(name:"MSFT", value:"MS18-4343887"); script_name(english:"KB4343887: Windows 10 Version 1607 and Windows Server 2016 August 2018 Security Update (Foreshadow)"); script_summary(english:"Checks for rollup."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Windows host is missing security update 4343887. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - A security feature bypass vulnerability exists when Microsoft Edge improperly handles redirect requests. The vulnerability allows Microsoft Edge to bypass Cross- Origin Resource Sharing (CORS) redirect restrictions, and to follow redirect requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted to a destination website of the attacker's choice. (CVE-2018-8358) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2018-8200, CVE-2018-8204) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8347) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - A information disclosure vulnerability exists when WebAudio Library improperly handles audio requests. An attacker who has successfully exploited this vulnerability might be able to read privileged data across trust boundaries. In browsing scenarios, an attacker could convince a user to visit a malicious site and leverage the vulnerability to obtain privileged information from the browser process, such as sensitive data from other opened tabs. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. The update addresses the vulnerability by correcting how the WebAudio Library handles audio requests. (CVE-2018-8370) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8404) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - A security feature bypass vulnerability exists when Active Directory Federation Services (AD FS) improperly handles multi-factor authentication requests. (CVE-2018-8340) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8266, CVE-2018-8381) - An elevation of privilege vulnerability exists when Microsoft Cortana allows arbitrary website browsing on the lockscreen. An attacker who successfully exploited the vulnerability could steal browser stored passwords or log on to websites as another user. (CVE-2018-8253) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351) - An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2018-8357) - An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations. (CVE-2018-0952) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8401, CVE-2018-8405, CVE-2018-8406) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content. An attacker who successfully exploited this vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2018-8388)"); # https://support.microsoft.com/en-us/help/4343887/windows-10-update-kb4343887 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?93e63484"); # https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8902cebb"); script_set_attribute(attribute:"solution", value: "Apply Cumulative Update KB4343887 as well as refer to the KB article for additional information."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8344"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/14"); script_set_attribute(attribute:"patch_publication_date", value:"2018/08/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/14"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"in_the_news", value:"true"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", 'microsoft_windows_env_vars.nasl'); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); include("smb_reg_query.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = "MS18-08"; kbs = make_list('4343887'); productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( smb_check_rollup(os:"10", sp:0, os_build:"14393", rollup_date:"08_2018", bulletin:bulletin, rollup_kb_list:[4343887]) ) { replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, hotfix_get_audit_report()); }
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1058.NASL description Fixes for L1Terminal Fault security issues : L1 Terminal Fault-OS/ SMM : Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis.(CVE-2018-3620) L1 Terminal Fault-VMM : Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis.(CVE-2018-3646) L1 Terminal Fault-SGX : Systems with microprocessors utilizing speculative execution and Intel SGX may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis. AWS is not affected by CVE-2018-3615 . There is no AWS products related to enclave systems like SGX.(CVE-2018-3615) Denial of service caused by a large number of IP fragments : A denial of service attack by exhausting resources on a networked host by sending a large number of IP fragments that can not be reassembled by the receiver.(CVE-2018-5391) last seen 2020-06-01 modified 2020-06-02 plugin id 111702 published 2018-08-15 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111702 title Amazon Linux AMI : kernel (ALAS-2018-1058) (Foreshadow) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1278.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) - A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390) - A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system.(CVE-2018-5391) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-09-04 plugin id 112237 published 2018-09-04 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112237 title EulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1278) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2018-2390.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 16th August 2018] The original errata text was missing reference to CVE-2018-5390 fix. We have updated the errata text to correct this issue. No changes have been made to the packages. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 111704 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111704 title CentOS 6 : kernel (CESA-2018:2390) (Foreshadow) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS18_AUG_4343892.NASL description The remote Windows host is missing security update 4343892. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8404) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2018-8200, CVE-2018-8204) - An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations. (CVE-2018-0952) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8266, CVE-2018-8381) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8401, CVE-2018-8405, CVE-2018-8406) - A information disclosure vulnerability exists when WebAudio Library improperly handles audio requests. An attacker who has successfully exploited this vulnerability might be able to read privileged data across trust boundaries. In browsing scenarios, an attacker could convince a user to visit a malicious site and leverage the vulnerability to obtain privileged information from the browser process, such as sensitive data from other opened tabs. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. The update addresses the vulnerability by correcting how the WebAudio Library handles audio requests. (CVE-2018-8370) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351) - An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2018-8357) last seen 2020-06-01 modified 2020-06-02 plugin id 111686 published 2018-08-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111686 title KB4343892: Windows 10 August 2018 Security Update (Foreshadow) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2393.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6.5 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901. last seen 2020-06-01 modified 2020-06-02 plugin id 111734 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111734 title RHEL 6 : kernel (RHSA-2018:2393) (Foreshadow) NASL family Firewalls NASL id PFSENSE_SA-18_08.NASL description According to its self-reported version number, the remote pfSense install is a version 2.3.x prior or equal to 2.3.5-p2 or 2.4.x prior to 2.4.3-p1. It is, therefore, affected by multiple vulnerabilities: - Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis. (CVE-2018-3620) - An authenticated command injection vulnerability exists in status_interfaces.php via dhcp_relinquish_lease() in pfSense before 2.4.4. This allows an authenticated WebGUI user with privileges for the affected page to execute commands in the context of the root user when submitting a request to relinquish a DHCP lease for an interface which is configured to obtain its address via DHCP. (CVE-2018-16055) - a denial of service vulnerability exists in the ip fragment reassembly code due to excessive system resource consumption. This issue can allow a remote attacker who is able to send arbitrary ip fragments to cause the machine to consume excessive resources. (CVE-2018-6923) last seen 2020-06-01 modified 2020-06-02 plugin id 119887 published 2018-12-27 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119887 title pfSense 2.3.x <= 2.3.5-p2 / 2.4.x < 2.4.4 Multiple Vulnerabilities (SA-18_06 / SA-18_07 / SA-18_08) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0044_KERNEL.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - A buffer overflow vulnerability due to a lack of input filtering of incoming fragmented datagrams was found in the IP-over-1394 driver [firewire-net] in a fragment handling code in the Linux kernel. The vulnerability exists since firewire supported IPv4, i.e. since version 2.6.31 (year 2009) till version v4.9-rc4. A maliciously formed fragment with a respectively large datagram offset would cause a memcpy() past the datagram buffer, which would cause a system panic or possible arbitrary code execution. The flaw requires [firewire-net] module to be loaded and is remotely exploitable from connected firewire devices, but not over a local network. (CVE-2016-8633) - A bug in the 32-bit compatibility layer of the ioctl handling code of the v4l2 video driver in the Linux kernel has been found. A memory protection mechanism ensuring that user-provided buffers always point to a userspace memory were disabled, allowing destination address to be in a kernel space. This flaw could be exploited by an attacker to overwrite a kernel memory from an unprivileged userspace process, leading to privilege escalation. (CVE-2017-13166) - The timer_create syscall implementation in kernel/time/posix-timers.c in the Linux kernel doesn last seen 2020-06-01 modified 2020-06-02 plugin id 127222 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127222 title NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0044) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS18_AUG_4343900.NASL description The remote Windows host is missing security update 4343899 or cumulative update 4343900. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8341, CVE-2018-8348) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8342, CVE-2018-8343) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8396, CVE-2018-8398) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345, CVE-2018-8346) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8397) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8404) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) last seen 2020-06-01 modified 2020-06-02 plugin id 111689 published 2018-08-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111689 title KB4343899: Windows 7 and Windows Server 2008 R2 August 2018 Security Update (Foreshadow) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4210.NASL description Description of changes: [4.1.12-124.19.1.el7uek] - x86/entry/64: Ensure %ebx handling correct in xen_failsafe_callback (George Kennedy) [Orabug: 28402927] {CVE-2018-14678} - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (Andi Kleen) [Orabug: 28488808] {CVE-2018-3620} - x86/speculation/l1tf: Suggest what to do on systems with too much RAM (Vlastimil Babka) [Orabug: 28488808] {CVE-2018-3620} - x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (Vlastimil Babka) [Orabug: 28488808] {CVE-2018-3620} - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (Vlastimil Babka) [Orabug: 28488808] {CVE-2018-3620} - x86/speculation/l1tf: Exempt zeroed PTEs from inversion (Sean Christopherson) [Orabug: 28488808] {CVE-2018-3620} - x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled (Guenter Roeck) [Orabug: 28488808] {CVE-2018-3620} - x86/spectre: Add missing family 6 check to microcode check (Andi Kleen) [Orabug: 28488808] {CVE-2018-3620} - KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled (Thomas Gleixner) [Orabug: 28488808] {CVE-2018-3646} - x86/microcode: Allow late microcode loading with SMT disabled (Josh Poimboeuf) [Orabug: 28488808] {CVE-2018-3620} - x86/microcode: Do not upload microcode if CPUs are offline (Ashok Raj) [Orabug: 28488808] {CVE-2018-3620} last seen 2020-06-01 modified 2020-06-02 plugin id 117378 published 2018-09-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117378 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4210) (Foreshadow) NASL family Misc. NASL id XEN_SERVER_XSA-273.NASL description According to its self-reported version number, the Xen hypervisor installed on the remote host is affected by a speculative execution side channel attack known as L1 Terminal Fault (L1TF). An attacker who successfully exploited L1TF may be able to read privileged data across trust boundaries. Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall. last seen 2020-06-01 modified 2020-06-02 plugin id 112159 published 2018-08-28 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112159 title Xen Project Speculative Execution Side Channel Vulnerability (XSA-273) (Foreshadow) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2404.NASL description An update for rhev-hypervisor7 is now available for RHEV 3.X Hypervisor and Agents for Red Hat Enterprise Linux 6 and RHEV 3.X Hypervisor and Agents Extended Lifecycle Support for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The rhev-hypervisor7 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 112028 published 2018-08-21 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112028 title RHEL 6 / 7 : Virtualization (RHSA-2018:2404) (Foreshadow) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_2310B814A65211E8805BA4BADB2F4699.NASL description On certain Intel 64-bit x86 systems there is a period of time during terminal fault handling where the CPU may use speculative execution to try to load data. The CPU may speculatively access the level 1 data cache (L1D). Data which would otherwise be protected may then be determined by using side channel methods. This issue affects bhyve on FreeBSD/amd64 systems. Impact : An attacker executing user code, or kernel code inside of a virtual machine, may be able to read secret data from the kernel or from another virtual machine. last seen 2020-06-01 modified 2020-06-02 plugin id 112069 published 2018-08-23 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112069 title FreeBSD : FreeBSD -- L1 Terminal Fault (L1TF) Kernel Information Disclosure (2310b814-a652-11e8-805b-a4badb2f4699) (Foreshadow) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2384.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 111727 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111727 title RHEL 7 : kernel (RHSA-2018:2384) (Foreshadow) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4214.NASL description Description of changes: [2.6.39-400.301.1.el6uek] - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (Vlastimil Babka) [Orabug: 28505519] {CVE-2018-3620} - x86/speculation/l1tf: Exempt zeroed PTEs from inversion (Sean Christopherson) [Orabug: 28505519] {CVE-2018-3620} - x86/speculation/l1tf: Protect PAE swap entries against L1TF (Vlastimil Babka) [Orabug: 28505519] {CVE-2018-3620} - x86/speculation/l1tf: Extend 64bit swap file size limit (Vlastimil Babka) [Orabug: 28505519] {CVE-2018-3620} - mm, fremap: mitigate L1TF in remap_file_pages (Daniel Jordan) [Orabug: 28505519] {CVE-2018-3620} - x86/speculation: Don last seen 2020-06-01 modified 2020-06-02 plugin id 117513 published 2018-09-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117513 title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4214) (Foreshadow) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4242.NASL description Description of changes: [4.14.35-1818.3.3.el7uek] - net: net_failover: fix typo in net_failover_slave_register() (Liran Alon) [Orabug: 28122110] - virtio_net: Extend virtio to use VF datapath when available (Sridhar Samudrala) [Orabug: 28122110] - virtio_net: Introduce VIRTIO_NET_F_STANDBY feature bit (Sridhar Samudrala) [Orabug: 28122110] - net: Introduce net_failover driver (Sridhar Samudrala) [Orabug: 28122110] - net: Introduce generic failover module (Sridhar Samudrala) [Orabug: 28122110] - IB/ipoib: Improve filtering log message (Yuval Shaia) [Orabug: 28655435] - IB/ipoib: Fix wrong update of arp_blocked counter (Yuval Shaia) [Orabug: 28655435] - IB/ipoib: Update RX counters after ACL filtering (Yuval Shaia) [Orabug: 28655435] - IB/ipoib: Filter RX packets before adding pseudo header (Yuval Shaia) [Orabug: 28655435] - dm crypt: add middle-endian variant of plain64 IV (Konrad Rzeszutek Wilk) [Orabug: 28604629] - uek-rpm: Disable deprecated CONFIG_ACPI_PROCFS_POWER (Victor Erminpour) [Orabug: 28644322] - net/rds: Fix call to sleeping function in a non-sleeping context (Hå kon Bugge) [Orabug: 28657397] - cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status (Scott Bauer) [Orabug: 28664499] {CVE-2018-16658} - ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c (Seunghun Han) [Orabug: 28664576] {CVE-2017-13695} - usb: xhci: do not create and register shared_hcd when USB3.0 is disabled (Tung Nguyen) [Orabug: 28677854] [4.14.35-1818.3.2.el7uek] - hwmon: (k10temp) Display both Tctl and Tdie (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Use API function to access System Management Network (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Fix reading critical temperature register (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Add temperature offset for Ryzen 2700X (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Add support for temperature offsets (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Add support for family 17h (Guenter Roeck) [Orabug: 28143470] - hwmon: (k10temp) Move chip specific code into probe function (Guenter Roeck) [Orabug: 28143470] - net/rds: make the source code clean (Zhu Yanjun) [Orabug: 28607913] - net/rds: Use rdma_read_gids to get connection SGID/DGID in IPv6 (Zhu Yanjun) [Orabug: 28607913] - net/rds: Use rdma_read_gids to read connection GIDs (Parav Pandit) [Orabug: 28607913] - posix-timers: Sanitize overrun handling (Thomas Gleixner) [Orabug: 28642970] {CVE-2018-12896} - crypto: ccp - Add support for new CCP/PSP device ID (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Support register differences between PSP devices (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Remove unused #defines (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Add psp enabled message when initialization succeeds (Tom Lendacky) [Orabug: 28584386] - crypto: ccp - Fix command completion detection race (Tom Lendacky) [Orabug: 28584386] - iommu/amd: Add support for IOMMU XT mode (Suravee Suthikulpanit) [Orabug: 28584386] - iommu/amd: Add support for higher 64-bit IOMMU Control Register (Suravee Suthikulpanit) [Orabug: 28584386] - x86: irq_remapping: Move irq remapping mode enum (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Fix LLC ID bit-shift calculation (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Derive CPU topology from CPUID function 0xB when available (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Calculate last level cache ID from number of sharing threads (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU: Rename intel_cacheinfo.c to cacheinfo.c (Borislav Petkov) [Orabug: 28584386] - perf/events/amd/uncore: Fix amd_uncore_llc ID to use pre-defined cpu_llc_id (Suravee Suthikulpanit) [Orabug: 28584386] - x86/CPU/AMD: Have smp_num_siblings and cpu_llc_id always be present (Borislav Petkov) [Orabug: 28584386] [4.14.35-1818.3.1.el7uek] - arm64: vdso: fix clock_getres for 4GiB-aligned res (Mark Rutland) [Orabug: 28603375] - locking/qrwlock: Prevent slowpath writers getting held up by fastpath (Will Deacon) [Orabug: 28605196] - locking/qrwlock, arm64: Move rwlock implementation over to qrwlocks (Will Deacon) [Orabug: 28605196] - locking/qrwlock: Use atomic_cond_read_acquire() when spinning in qrwlock (Will Deacon) [Orabug: 28605196] - locking/atomic: Add atomic_cond_read_acquire() (Will Deacon) [Orabug: 28605196] - rds: CVE-2018-7492: Fix NULL pointer dereference in __rds_rdma_map (Hå kon Bugge) [Orabug: 28565429] {CVE-2018-7492} - irqchip/irq-bcm2836: Add support for DT interrupt polarity (Stefan Wahren) [Orabug: 28596168] - dt-bindings/bcm2836-l1-intc: Add interrupt polarity support (Stefan Wahren) [Orabug: 28596168] - dt-bindings/bcm283x: Define polarity of per-cpu interrupts (Stefan Wahren) [Orabug: 28596168] - x86/spec_ctrl: Only set SPEC_CTRL_IBRS_FIRMWARE if IBRS is actually in use (Patrick Colp) [Orabug: 28610695] [4.14.35-1818.2.2.el7uek] - x86/xen: Calculate __max_logical_packages on PV domains (Prarit Bhargava) [Orabug: 28476586] - x86/entry/64: Remove %ebx handling from error_entry/exit (Andy Lutomirski) [Orabug: 28402921] {CVE-2018-14678} - x86/pti: Don last seen 2020-06-01 modified 2020-06-02 plugin id 118053 published 2018-10-11 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118053 title Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4242) (Foreshadow) NASL family Fedora Local Security Checks NASL id FEDORA_2018-683DFDE81A.NASL description L1 Terminal Fault speculative side channel patch bundle [XSA-273, CVE-2018-3620, CVE-2018-3646] drop patches also in the bundle, which also includes Use of v2 grant tables may cause crash on ARM [XSA-268] (#1616081) x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS [XSA-269] (#1616077) oxenstored does not apply quota-maxentity [XSA-272] (#1616080) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120490 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120490 title Fedora 28 : xen (2018-683dfde81a) (Foreshadow) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2403.NASL description An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host last seen 2020-06-01 modified 2020-06-02 plugin id 112027 published 2018-08-21 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112027 title RHEL 7 : Virtualization (RHSA-2018:2403) (Foreshadow) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS18_AUG_4343909.NASL description The remote Windows host is missing security update 4343909. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8377, CVE-2018-8387) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8400, CVE-2018-8401, CVE-2018-8405, CVE-2018-8406) - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8390) - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2018-8414) - A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2018-8383) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2018-8200, CVE-2018-8204) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8347) - A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8350) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - A information disclosure vulnerability exists when WebAudio Library improperly handles audio requests. An attacker who has successfully exploited this vulnerability might be able to read privileged data across trust boundaries. In browsing scenarios, an attacker could convince a user to visit a malicious site and leverage the vulnerability to obtain privileged information from the browser process, such as sensitive data from other opened tabs. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. The update addresses the vulnerability by correcting how the WebAudio Library handles audio requests. (CVE-2018-8370) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8266, CVE-2018-8380, CVE-2018-8381) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8399, CVE-2018-8404) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351) - An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2018-8357) - An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations. (CVE-2018-0952) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content. An attacker who successfully exploited this vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2018-8388) last seen 2020-06-01 modified 2020-06-02 plugin id 111692 published 2018-08-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111692 title KB4343909: Windows 10 Version 1803 and Windows Server Version 1803 August 2018 Security Update (Foreshadow) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS18_AUG_4343901.NASL description The remote Windows host is missing security update 4343896 or cumulative update 4343901. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8385) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8404) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351) last seen 2020-06-01 modified 2020-06-02 plugin id 111690 published 2018-08-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111690 title KB4343896: Windows Server 2012 August 2018 Security Update (Foreshadow) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-618.NASL description The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-10853: A flaw was found in KVM in which certain instructions such as sgdt/sidt call segmented_write_std doesn last seen 2020-06-01 modified 2020-06-02 plugin id 123269 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123269 title openSUSE Security Update : the Linux Kernel (openSUSE-2019-618) (Foreshadow) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4279.NASL description Multiple researchers have discovered a vulnerability in the way the Intel processor designs have implemented speculative execution of instructions in combination with handling of page-faults. This flaw could allow an attacker controlling an unprivileged process to read memory from arbitrary (non-user controlled) addresses, including from the kernel and all other processes running on the system or cross guest/host boundaries to read host memory. To fully resolve these vulnerabilities it is also necessary to install updated CPU microcode (only available in Debian non-free). Common server class CPUs are covered in the update released as DSA 4273-1. last seen 2020-06-01 modified 2020-06-02 plugin id 111988 published 2018-08-20 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111988 title Debian DSA-4279-1 : linux - security update (Foreshadow) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3740-1.NASL description It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646) It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker could use this to expose sensitive information (memory from the kernel or other processes). (CVE-2018-3620) Juha-Matti Tilli discovered that the IP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packet fragments. A remote attacker could use this to cause a denial of service. (CVE-2018-5391). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111749 published 2018-08-15 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111749 title Ubuntu 18.04 LTS : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, and (USN-3740-1) (Foreshadow) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-885.NASL description The openSUSE Leap 42.3 kernel was updated to 4.4.143 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2017-18344: The timer_create syscall implementation in kernel/time/posix-timers.c didn last seen 2020-06-05 modified 2018-08-20 plugin id 111997 published 2018-08-20 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111997 title openSUSE Security Update : the Linux Kernel (openSUSE-2018-885) (Foreshadow) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1515.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A flaw was found where the kernel truncated the value used to indicate the size of a buffer which it would later become zero using an untruncated value. This can corrupt memory outside of the original allocation.(CVE-2017-9725) - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5753 triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 124836 published 2019-05-13 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124836 title EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1515) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2390.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 16th August 2018] The original errata text was missing reference to CVE-2018-5390 fix. We have updated the errata text to correct this issue. No changes have been made to the packages. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 111731 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111731 title RHEL 6 : kernel (RHSA-2018:2390) (Foreshadow) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3742-1.NASL description It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646) It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker could use this to expose sensitive information (memory from the kernel or other processes). (CVE-2018-3620) Andrey Konovalov discovered an out-of-bounds read in the POSIX timers subsystem in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2017-18344) Juha-Matti Tilli discovered that the TCP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packets. A remote attacker could use this to cause a denial of service. (CVE-2018-5390) Juha-Matti Tilli discovered that the IP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packet fragments. A remote attacker could use this to cause a denial of service. (CVE-2018-5391). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111753 published 2018-08-15 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111753 title Ubuntu 14.04 LTS : linux vulnerabilities (USN-3742-1) (Foreshadow) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS18_AUG_WIN2008.NASL description The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities : - Errors exist related to microprocessors utilizing speculative execution and L1 data cache that could allow information disclosure. (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8385) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345, CVE-2018-8346) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8396, CVE-2018-8398) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8397) - A remote code execution vulnerability exists in last seen 2020-06-01 modified 2020-06-02 plugin id 111700 published 2018-08-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111700 title Security Updates for Windows Server 2008 (August 2018) (Foreshadow) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS19_FEB_OOB_MICROCODE.NASL description The remote Windows host is missing a security update. It is, therefore, missing microcode updates to address the following vulnerabilities: - Spectre Variant 3a (CVE-2018-3640: Rogue System Register Read (RSRE)). - Spectre Variant 4 (CVE-2018-3639: Speculative Store Bypass (SSB)) - L1TF (CVE-2018-3620, CVE-2018-3646: L1 Terminal Fault) Note that Nessus did not actually test for these flaws nor checked the target processor architecture but instead, has relied on the version of mcupdate_GenuineIntel.dll to be latest for supported Windows release. last seen 2020-06-01 modified 2020-06-02 plugin id 122974 published 2019-03-20 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122974 title Security Updates for Windows 10 / Windows Server 2019 (February 2019) (Spectre) (Meltdown) (Foreshadow) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2344-1.NASL description The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081). - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343). - CVE-2018-5390 aka last seen 2020-06-01 modified 2020-06-02 plugin id 111815 published 2018-08-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111815 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2344-1) (Foreshadow) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4195.NASL description The remote Oracle Linux host is missing a security update for the Unbreakable Enterprise kernel package(s). last seen 2020-06-01 modified 2020-06-02 plugin id 111725 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111725 title Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4195) (Foreshadow) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS18_AUG_4343898.NASL description The remote Windows host is missing security update 4343888 or cumulative update 4343898. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8404) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8405) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - A security feature bypass vulnerability exists when Active Directory Federation Services (AD FS) improperly handles multi-factor authentication requests. (CVE-2018-8340) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351) last seen 2020-06-01 modified 2020-06-02 plugin id 111688 published 2018-08-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111688 title KB4343888: Windows 8.1 and Windows Server 2012 R2 August 2018 Security Update (Foreshadow) NASL family Scientific Linux Local Security Checks NASL id SL_20180814_KERNEL_ON_SL6_X.NASL description Security Fix(es) : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor last seen 2020-03-18 modified 2018-08-16 plugin id 111777 published 2018-08-16 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111777 title Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20180814) (Foreshadow) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2328-1.NASL description The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.143 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-5390 aka last seen 2020-06-01 modified 2020-06-02 plugin id 111746 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111746 title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:2328-1) (Foreshadow) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0254.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : Oracle VM Security Advisory OVMSA-2018-0254 The following updated rpms for Oracle VM 3.4 have been uploaded to the Unbreakable Linux Network : x86_64: kernel-uek-4.1.12-124.19.1.el6uek.x86_64.rpm kernel-uek-firmware-4.1.12-124.19.1.el6uek.noarch.rpm SRPMS : Description of changes : - x86/entry/64: Ensure %ebx handling correct in xen_failsafe_callback (George Kennedy) [Orabug: 28402927] (CVE-2018-14678) - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (Andi Kleen) [Orabug: 28488808] (CVE-2018-3620) - x86/speculation/l1tf: Suggest what to do on systems with too much RAM (Vlastimil Babka) [Orabug: 28488808] (CVE-2018-3620) - x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (Vlastimil Babka) [Orabug: 28488808] (CVE-2018-3620) - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit on 32bit (Vlastimil Babka) [Orabug: 28488808] (CVE-2018-3620) - x86/speculation/l1tf: Exempt zeroed PTEs from inversion (Sean Christopherson) [Orabug: 28488808] (CVE-2018-3620) - x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled (Guenter Roeck) [Orabug: 28488808] (CVE-2018-3620) - x86/spectre: Add missing family 6 check to microcode check (Andi Kleen) [Orabug: 28488808] (CVE-2018-3620) - KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host with interrupts disabled (Thomas Gleixner) [Orabug: 28488808] (CVE-2018-3646) - x86/microcode: Allow late microcode loading with SMT disabled (Josh Poimboeuf) [Orabug: 28488808] (CVE-2018-3620) - x86/microcode: Do not upload microcode if CPUs are offline (Ashok Raj) [Orabug: 28488808] (CVE-2018-3620) last seen 2020-06-01 modified 2020-06-02 plugin id 117377 published 2018-09-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117377 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0254) (Foreshadow) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2396.NASL description An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 111775 published 2018-08-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111775 title RHEL 6 : MRG (RHSA-2018:2396) (Foreshadow) (Spectre) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS18_AUG_MICROCODE.NASL description The remote Windows host is missing a security update. It is, therefore, missing microcode updates to address Rogue System Register Read (RSRE), Speculative Store Bypass (SSB), L1 Terminal Fault (L1TF), and Branch Target Injection vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 112116 published 2018-08-24 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112116 title Security Updates for Windows 10 / Windows Server 2016 (August 2018) (Spectre) (Meltdown) (Foreshadow) NASL family Junos Local Security Checks NASL id JUNIPER_SPACE_JSA10917_184R1.NASL description According to its self-reported version number, the remote Junos Space version is 18.4.x prior to 18.4R1. It is, therefore, affected by multiple vulnerabilities : - An integer overflow issue exists in procps-ng. This is related to CVE-2018-1124. (CVE-2018-1126) - A directory traversal issue exits in reposync, a part of yum-utils.tory configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. (CVE-2018-10897) - An integer overflow flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 121068 published 2019-01-10 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121068 title Juniper Junos Space 18.4.x < 18.4R1 Multiple Vulnerabilities (JSA10917) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZA-2018-055.NASL description According to the versions of the cpupools / cpupools-features / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 112018 published 2018-08-20 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112018 title Virtuozzo 6 : cpupools / cpupools-features / etc (VZA-2018-055) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0272.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0272 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 118963 published 2018-11-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118963 title OracleVM 3.2 : xen (OVMSA-2018-0272) (Foreshadow) (Spectre) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3741-3.NASL description USN-3741-1 introduced mitigations in the Linux kernel for Ubuntu 14.04 LTS to address L1 Terminal Fault (L1TF) vulnerabilities (CVE-2018-3620, CVE-2018-3646). Unfortunately, the update introduced regressions that caused kernel panics when booting in some environments as well as preventing Java applications from starting. This update fixes the problems. We apologize for the inconvenience. Original advisory details : It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646) It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker could use this to expose sensitive information (memory from the kernel or other processes). (CVE-2018-3620) Juha-Matti Tilli discovered that the TCP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packets. A remote attacker could use this to cause a denial of service. (CVE-2018-5390) Juha-Matti Tilli discovered that the IP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packet fragments. A remote attacker could use this to cause a denial of service. (CVE-2018-5391). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 112017 published 2018-08-20 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112017 title Ubuntu 14.04 LTS : linux regressions (USN-3741-3) (Foreshadow) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3741-1.NASL description It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646) It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker could use this to expose sensitive information (memory from the kernel or other processes). (CVE-2018-3620) Juha-Matti Tilli discovered that the TCP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packets. A remote attacker could use this to cause a denial of service. (CVE-2018-5390) Juha-Matti Tilli discovered that the IP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packet fragments. A remote attacker could use this to cause a denial of service. (CVE-2018-5391). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111751 published 2018-08-15 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111751 title Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3741-1) (Foreshadow) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4245.NASL description Description of changes: kernel-uek [3.8.13-118.25.1.el7uek] - x86/spectre_v2: Don last seen 2020-06-01 modified 2020-06-02 plugin id 118055 published 2018-10-11 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118055 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4245) (Foreshadow) NASL family Fedora Local Security Checks NASL id FEDORA_2018-915602DF63.NASL description L1 Terminal Fault speculative side channel patch bundle [XSA-273, CVE-2018-3620, CVE-2018-3646] drop patches also in the bundle, which also includes Use of v2 grant tables may cause crash on ARM [XSA-268] (#1616081) x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS [XSA-269] (#1616077) oxenstored does not apply quota-maxentity [XSA-272] (#1616080) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-09-04 plugin id 112234 published 2018-09-04 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112234 title Fedora 27 : xen (2018-915602df63) (Foreshadow) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0282.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0282 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 119277 published 2018-11-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119277 title OracleVM 3.4 : xen (OVMSA-2018-0282) (Foreshadow) (Spectre) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2374-1.NASL description The SUSE Linux Enterprise 12 SP3 Azure kernel was updated to 4.4.143 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081). - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343). - CVE-2018-5391: A flaw in the IP packet reassembly could be used by remote attackers to consume CPU time (bnc#1103097). - CVE-2018-5390: Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (bnc#1102340). - CVE-2018-14734: drivers/infiniband/core/ucma.c allowed ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119). - CVE-2017-18344: The timer_create syscall implementation in kernel/time/posix-timers.c didn last seen 2020-06-01 modified 2020-06-02 plugin id 111837 published 2018-08-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111837 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2374-1) (Foreshadow) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2395.NASL description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 111736 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111736 title RHEL 7 : kernel-rt (RHSA-2018:2395) (Foreshadow) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2380-1.NASL description The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081). - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343). - CVE-2018-5391 aka last seen 2020-03-19 modified 2019-01-02 plugin id 120082 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120082 title SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2018:2380-1) (Foreshadow) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0248.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 111992 published 2018-08-20 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111992 title OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2394.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6.4 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 111735 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111735 title RHEL 6 : kernel (RHSA-2018:2394) (Foreshadow) (Spectre) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0180_LINUX.NASL description An update of the linux package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121883 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121883 title Photon OS 1.0: Linux PHSA-2018-1.0-0180 NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2362-1.NASL description The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-13053: The alarm_timer_nsleep function in kernel/time/alarmtimer.c had an integer overflow via a large relative timeout because ktime_add_safe is not used (bnc#1099924). - CVE-2018-13405: The inode_init_owner function in fs/inode.c allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416). - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1098016 bnc#1100418). - CVE-2018-14734: drivers/infiniband/core/ucma.c allowed ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119). - CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081). - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111830 published 2018-08-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111830 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2362-1) (Foreshadow) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS18_AUG_4343897.NASL description The remote Windows host is missing security update 4343897. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8400, CVE-2018-8401, CVE-2018-8405, CVE-2018-8406) - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8390) - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2018-8414) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2018-8200, CVE-2018-8204) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8347) - A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8350) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - A information disclosure vulnerability exists when WebAudio Library improperly handles audio requests. An attacker who has successfully exploited this vulnerability might be able to read privileged data across trust boundaries. In browsing scenarios, an attacker could convince a user to visit a malicious site and leverage the vulnerability to obtain privileged information from the browser process, such as sensitive data from other opened tabs. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. The update addresses the vulnerability by correcting how the WebAudio Library handles audio requests. (CVE-2018-8370) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8266, CVE-2018-8381) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8399, CVE-2018-8404) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351) - An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2018-8357) - An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations. (CVE-2018-0952) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8377) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content. An attacker who successfully exploited this vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2018-8388) last seen 2020-06-01 modified 2020-06-02 plugin id 111687 published 2018-08-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111687 title KB4343897: Windows 10 Version 1709 And Windows Server Version 1709 August 2018 Security Update (Foreshadow) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS18_AUG_4343885.NASL description The remote Windows host is missing security update 4343885. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8341, CVE-2018-8348) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8344) - An elevation of privilege vulnerability exists in the Network Driver Interface Specification (NDIS) when ndis.sys fails to check the length of a buffer prior to copying memory to it. (CVE-2018-8343) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-8349) - A remote code execution vulnerability exists in the way that the ChakraCore scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8390) - A remote code execution vulnerability exists when the Windows Shell does not properly validate file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. If the current user is logged on as an administrator, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with elevated privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. (CVE-2018-8414) - A security feature bypass vulnerability exists in Device Guard that could allow an attacker to inject malicious code into a Windows PowerShell session. An attacker who successfully exploited this vulnerability could inject code into a trusted PowerShell process to bypass the Device Guard Code Integrity policy on the local machine. (CVE-2018-8200, CVE-2018-8204) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8355, CVE-2018-8372, CVE-2018-8385) - An elevation of privilege vulnerability exists in Microsoft Windows when the Windows kernel fails to properly handle parsing of certain symbolic links. An attacker who successfully exploited this vulnerability could potentially access privileged registry keys and thereby elevate permissions. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8347) - A remote code execution vulnerability exists when Microsoft Windows PDF Library improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8350) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2018-8345) - A information disclosure vulnerability exists when WebAudio Library improperly handles audio requests. An attacker who has successfully exploited this vulnerability might be able to read privileged data across trust boundaries. In browsing scenarios, an attacker could convince a user to visit a malicious site and leverage the vulnerability to obtain privileged information from the browser process, such as sensitive data from other opened tabs. An attacker could also inject malicious code into advertising networks used by trusted sites or embed malicious code on a compromised, but trusted, site. The update addresses the vulnerability by correcting how the WebAudio Library handles audio requests. (CVE-2018-8370) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-8339) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8266, CVE-2018-8381) - A remote code execution vulnerability exists when Internet Explorer improperly validates hyperlinks before loading executable libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8316) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8399, CVE-2018-8404) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2018-8394, CVE-2018-8398) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8403) - An information disclosure vulnerability exists when affected Microsoft browsers improperly allow cross-frame interaction. An attacker who successfully exploited this vulnerability could allow an attacker to obtain browser frame or window state from a different domain. For an attack to be successful, an attacker must persuade a user to open a malicious website from a secure website. This update addresses the vulnerability by denying permission to read the state of the object model, to which frames or windows on different domains should not have access. (CVE-2018-8351) - An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2018-8357) - An Elevation of Privilege vulnerability exists when Diagnostics Hub Standard Collector allows file creation in arbitrary locations. (CVE-2018-0952) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8353, CVE-2018-8371, CVE-2018-8373, CVE-2018-8389) - An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8401, CVE-2018-8405, CVE-2018-8406) - An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments. The vulnerability is caused when .NET Framework is used in high-load/high-density network connections where content from one stream can blend into another stream. (CVE-2018-8360) - A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content. An attacker who successfully exploited this vulnerability could trick a user into believing that the user was on a legitimate website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2018-8388) last seen 2020-06-01 modified 2020-06-02 plugin id 111684 published 2018-08-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111684 title KB4343885: Windows 10 Version 1703 August 2018 Security Update (Foreshadow) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2366-1.NASL description The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2016-8405: An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. (bnc#1099942). - CVE-2017-13305: A information disclosure vulnerability existed in the encrypted-keys handling. (bnc#1094353). - CVE-2018-1000204: A malformed SG_IO ioctl issued for a SCSI device could lead to a local kernel information leak manifesting in up to approximately 1000 memory pages copied to the userspace. The problem has limited scope as non-privileged users usually have no permissions to access SCSI device files. (bnc#1096728). - CVE-2018-1068: A flaw was found in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107). - CVE-2018-1130: A NULL pointer dereference in dccp_write_xmit() function in net/dccp/output.c allowed a local user to cause a denial of service by a number of certain crafted system calls (bnc#1092904). - CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr (bnc#1097234). - CVE-2018-13053: The alarm_timer_nsleep function in kernel/time/alarmtimer.c had an integer overflow via a large relative timeout because ktime_add_safe is not used (bnc#1099924). - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c kernel could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1098016 1100418). - CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081). - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343). - CVE-2018-5803: An error in the last seen 2020-06-01 modified 2020-06-02 plugin id 111833 published 2018-08-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111833 title SUSE SLES11 Security Update : kernel (SUSE-SU-2018:2366-1) (Foreshadow) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3741-2.NASL description USN-3741-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646) It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker could use this to expose sensitive information (memory from the kernel or other processes). (CVE-2018-3620) Juha-Matti Tilli discovered that the TCP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packets. A remote attacker could use this to cause a denial of service. (CVE-2018-5390) Juha-Matti Tilli discovered that the IP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packet fragments. A remote attacker could use this to cause a denial of service. (CVE-2018-5391). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111752 published 2018-08-15 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111752 title Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3741-2) (Foreshadow) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2389.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Telco Extended Update Support, and Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111730 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111730 title RHEL 7 : kernel (RHSA-2018:2389) (Foreshadow) NASL family Misc. NASL id CITRIX_XENSERVER_CTX236548.NASL description The version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities including L1 Terminal Fault (L1TF) and a local code execution vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 111789 published 2018-08-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111789 title Citrix XenServer Multiple Vulnerabilities (Foreshadow) (CTX236548) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2402.NASL description An update for rhvm-appliance is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390) Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Juha-Matti Tilli (Aalto University, Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5390. last seen 2020-06-01 modified 2020-06-02 plugin id 112026 published 2018-08-21 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112026 title RHEL 7 : Virtualization (RHSA-2018:2402) (Foreshadow) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0251.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - BUILDINFO: xen commit=18ec2b68e519646188fd26a05b2cd26ebd829035 - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - Revert last seen 2020-06-01 modified 2020-06-02 plugin id 112024 published 2018-08-21 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112024 title OracleVM 3.4 : xen (OVMSA-2018-0251) (Foreshadow) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2391.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901. last seen 2020-06-01 modified 2020-06-02 plugin id 111732 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111732 title RHEL 6 : kernel (RHSA-2018:2391) (Foreshadow) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS19_MAR_OOB_MICROCODE.NASL description The remote Windows host is missing a security update. It is, therefore, missing microcode updates to address the following vulnerabilities: - Spectre Variant 3a (CVE-2018-3640: Rogue System Register Read (RSRE)). - Spectre Variant 4 (CVE-2018-3639: Speculative Store Bypass (SSB)) - L1TF (CVE-2018-3620, CVE-2018-3646: L1 Terminal Fault) Note that Nessus did not actually test for these flaws nor checked the target processor architecture but instead, has relied on the version of mcupdate_GenuineIntel.dll to be latest for supported Windows release. last seen 2020-06-01 modified 2020-06-02 plugin id 122975 published 2019-03-20 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122975 title Security Updates for Windows 10 / Windows Server 2016 / Windows Server 2019 (March 2019) (Spectre) (Meltdown) (Foreshadow) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0246.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - BUILDINFO: OVMF commit=173bf5c847e3ca8b42c11796ce048d8e2e916ff8 - BUILDINFO: xen commit=02cec92b3eb1612e37616b10400d82f1e3d8de85 - BUILDINFO: QEMU upstream commit=8bff6989bd0bafcc0ddf859c23ce6a2ff21a80ff - BUILDINFO: QEMU traditional commit=346fdd7edd73f8287d0d0a2bab9c67b71bc6b8ba - BUILDINFO: IPXE commit=9a93db3f0947484e30e753bbd61a10b17336e20e - BUILDINFO: SeaBIOS commit=7d9cbe613694924921ed1a6f8947d711c5832eee - l1tf: Utility to offline/online SMT siblings. (Ross Philipson) [Orabug: 28487050] (CVE-2018-3646) - x86/spec-ctrl: Introduce an option to control L1D_FLUSH for HVM guests (Andrew Cooper) [Orabug: 28487050] (CVE-2018-3620) (CVE-2018-3646) - x86/msr: Virtualise MSR_FLUSH_CMD for guests (Andrew Cooper) [Orabug: 28487050] (CVE-2018-3646) (CVE-2018-3646) - x86/spec-ctrl: CPUID/MSR definitions for L1D_FLUSH (Andrew Cooper) [Orabug: 28487050] (CVE-2018-3646) (CVE-2018-3646) - x86/spec-ctrl: Calculate safe PTE addresses for L1TF mitigations (Andrew Cooper) [Orabug: 28487050] (CVE-2018-3620) (CVE-2018-3646) - x86: command line option to avoid use of secondary hyper-threads (Jan Beulich) [Orabug: 28487050] (CVE-2018-3646) - cpupools: fix state when downing a CPU failed (Jan Beulich) [Orabug: 28487050] (CVE-2018-3646) last seen 2020-06-01 modified 2020-06-02 plugin id 111772 published 2018-08-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111772 title OracleVM 3.4 : xen (OVMSA-2018-0246) (Foreshadow) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1279.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) - A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. (CVE-2018-5390) - A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system.(CVE-2018-5391) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-09-04 plugin id 112238 published 2018-09-04 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112238 title EulerOS 2.0 SP3 : kernel (EulerOS-SA-2018-1279) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3740-2.NASL description USN-3740-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS. It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646) It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker could use this to expose sensitive information (memory from the kernel or other processes). (CVE-2018-3620) Juha-Matti Tilli discovered that the IP implementation in the Linux kernel performed algorithmically expensive operations in some situations when handling incoming packet fragments. A remote attacker could use this to cause a denial of service. (CVE-2018-5391). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111750 published 2018-08-15 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111750 title Ubuntu 16.04 LTS : linux-hwe, linux-azure, linux-gcp vulnerabilities (USN-3740-2) (Foreshadow) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-886.NASL description The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-10853: A flaw was found in KVM in which certain instructions such as sgdt/sidt call segmented_write_std doesn last seen 2020-06-05 modified 2018-08-17 plugin id 111812 published 2018-08-17 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111812 title openSUSE Security Update : the Linux Kernel (openSUSE-2018-886) (Foreshadow) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0247.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0247 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 111773 published 2018-08-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111773 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0247) (Foreshadow) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-1_0-0180.NASL description An update of 'ntp', 'linux', 'linux-esx' packages of Photon OS has been released. This kernel update mitigates the vulnerability CVE-2018-3620 commonly referred as L1 terminal fault (L1TF). last seen 2019-02-21 modified 2019-02-07 plugin id 112223 published 2018-08-31 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=112223 title Photon OS 1.0: Ntp / Linux PHSA-2018-1.0-0180 (deprecated) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2384-1.NASL description The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081). - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343). - CVE-2018-14734: drivers/infiniband/core/ucma.c allowed ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bnc#1103119). - CVE-2018-13053: The alarm_timer_nsleep function in kernel/time/alarmtimer.c had via a large relative timeout because ktime_add_safe is not used (bnc#1099924). - CVE-2018-13405: The inode_init_owner function in fs/inode.c allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416). - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1098016 bnc#1100418). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111838 published 2018-08-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111838 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2384-1) (Foreshadow) NASL family Fedora Local Security Checks NASL id FEDORA_2018-F8CBA144AE.NASL description The 4.17.14-202 build contains patches for the last seen 2020-06-05 modified 2019-01-03 plugin id 120927 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120927 title Fedora 28 : kernel / kernel-headers (2018-f8cba144ae) (Foreshadow) NASL family Misc. NASL id RANCHEROS_1_4_1.NASL description The remote host is running a version of RancherOS prior to v1.4.1, hence is exposed to multiple side-channel vulnerabilities: - Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis. (CVE-2018-3620) - Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (CVE-2018-3639) last seen 2020-06-01 modified 2020-06-02 plugin id 132253 published 2019-12-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132253 title Security Updates for RancherOS Information Disclosure Vulnerabily NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0088.NASL description An update of 'linux-aws', 'linux-secure', 'linux-esx', 'linux', 'ntp' packages of Photon OS has been released. This kernel update mitigates the vulnerability CVE-2018-3620 commonly referred as L1 terminal fault (L1TF). last seen 2019-02-21 modified 2019-02-07 plugin id 112222 published 2018-08-31 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=112222 title Photon OS 2.0: Ntp / Linux PHSA-2018-2.0-0088 (deprecated) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2018-2384.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 111703 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111703 title CentOS 7 : kernel (CESA-2018:2384) (Foreshadow) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2332-1.NASL description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081). - CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343). - CVE-2018-1000204: A malformed SG_IO ioctl issued for a SCSI device could lead to a local kernel information leak manifesting in up to approximately 1000 memory pages copied to the userspace. The problem has limited scope as non-privileged users usually have no permissions to access SCSI device files. (bnc#1096728). - CVE-2018-13053: The alarm_timer_nsleep function in kernel/time/alarmtimer.c had an integer overflow via a large relative timeout because ktime_add_safe is not used (bnc#1099924). - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1098016 bnc#1100418). - CVE-2016-8405: An information disclosure vulnerability in kernel components including the ION subsystem, Binder, USB driver and networking subsystem could enable a local malicious application to access data outside of its permission levels. (bnc#1099942). - CVE-2018-5814: Multiple race condition errors when handling probe, disconnect, and rebind operations could be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets (bnc#1096480). - CVE-2018-12233: In the ea_get function in fs/jfs/xattr.c a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. (bnc#1097234). - CVE-2017-13305: A information disclosure vulnerability in the Upstream kernel encrypted-keys. (bnc#1094353). - CVE-2018-1130: A NULL pointer dereference in dccp_write_xmit() function in net/dccp/output.c allowed a local user to cause a denial of service by a number of certain crafted system calls (bnc#1092904). - CVE-2018-1068: A flaw was found in the implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory (bnc#1085107). - CVE-2018-5803: An error in the last seen 2020-06-01 modified 2020-06-02 plugin id 111782 published 2018-08-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111782 title SUSE SLES11 Security Update : kernel (SUSE-SU-2018:2332-1) (Foreshadow) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2018-1058.NASL description Fixes for L1Terminal Fault security issues : L1 Terminal Fault-OS/ SMM : Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis.(CVE-2018-3620) L1 Terminal Fault-VMM : Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis.(CVE-2018-3646) L1 Terminal Fault-SGX : Systems with microprocessors utilizing speculative execution and Intel SGX may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis. AWS is not affected by CVE-2018-3615 . There is no AWS products related to enclave systems like SGX.(CVE-2018-3615) Denial of service caused by a large number of IP fragments : A denial of service attack by exhausting resources on a networked host by sending a large number of IP fragments that can not be reassembled by the receiver.(CVE-2018-5391) last seen 2020-06-01 modified 2020-06-02 plugin id 111701 published 2018-08-15 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111701 title Amazon Linux 2 : kernel (ALAS-2018-1058) (Foreshadow) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZA-2018-063.NASL description According to the versions of the OVMF / crit / criu / criu-devel / ksm-vz / etc packages installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 112206 published 2018-08-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112206 title Virtuozzo 7 : OVMF / crit / criu / criu-devel / ksm-vz / etc (VZA-2018-063) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-2384.NASL description From Red Hat Security Advisory 2018:2384 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 111723 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111723 title Oracle Linux 7 : kernel (ELSA-2018-2384) (Foreshadow) NASL family Misc. NASL id VMWARE_VCENTER_VMSA-2018-0021.NASL description The version of VMware vCenter Server Appliance installed on the remote host is 6.0, 6.5 or 6.7 and is, therefore, potentially affected by an information disclosure vulnerability. (CVE-2018-3620) last seen 2020-06-01 modified 2020-06-02 plugin id 112207 published 2018-08-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112207 title VMware vCenter Server Appliance 6.0 / 6.5 / 6.7 Information Disclosure vulnerability (VMSA-2018-0021) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4215.NASL description Description of changes: kernel-uek [3.8.13-118.24.2.el7uek] - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (Vlastimil Babka) [Orabug: 28505476] {CVE-2018-3620} - x86/speculation/l1tf: Protect PAE swap entries against L1TF (Vlastimil Babka) [Orabug: 28505476] {CVE-2018-3620} - x86/speculation/l1tf: Extend 64bit swap file size limit (Vlastimil Babka) [Orabug: 28505476] {CVE-2018-3620} - mm, fremap: mitigate L1TF in remap_file_pages (Daniel Jordan) [Orabug: 28505476] {CVE-2018-3620} - x86/speculation: Don last seen 2020-06-01 modified 2020-06-02 plugin id 117493 published 2018-09-14 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117493 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4215) (Foreshadow) NASL family Misc. NASL id VMWARE_VSPHERE_DATA_PROTECTION_VMSA-2018-0021.NASL description The version of VMware vSphere Data Protection installed on the remote host is 6.x. It is, therefore, affected by an information disclosure vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 112208 published 2018-08-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112208 title VMware vSphere Data Protection 6.x Information Disclosure Vulnerability (VMSA-2018-0021 NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201810-06.NASL description The remote host is affected by the vulnerability described in GLSA-201810-06 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the referenced CVE identifiers for details. Impact : A local attacker could cause a Denial of Service condition or disclose sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 118506 published 2018-10-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118506 title GLSA-201810-06 : Xen: Multiple vulnerabilities (Foreshadow) (Meltdown) (Spectre) NASL family Fedora Local Security Checks NASL id FEDORA_2018-1C80FEA1CD.NASL description The 4.17.14-102 build contains patches for the last seen 2020-06-05 modified 2018-08-16 plugin id 111767 published 2018-08-16 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111767 title Fedora 27 : kernel / kernel-headers (2018-1c80fea1cd) (Foreshadow) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1345.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3646) - A flaw named SegmentSmack was found in the way the Linux kernel handled specially crafted TCP packets. A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses.(CVE-2018-5390) - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks.(CVE-2018-3620) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 118433 published 2018-10-26 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118433 title EulerOS Virtualization 2.5.0 : kernel (EulerOS-SA-2018-1345) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4196.NASL description Description of changes: [4.1.12-124.18.5.el7uek] - inet: frag: enforce memory limits earlier (Eric Dumazet) [Orabug: 28450977] - x86/mm/pageattr.c: fix page prot mask (Mihai Carabas) [Orabug: 28492122] - x86/pgtable.h: fix PMD/PUD mask (Mihai Carabas) [Orabug: 28492122] - x86/asm: Add pud/pmd mask interfaces to handle large PAT bit (Toshi Kani) [Orabug: 28492122] [4.1.12-124.18.4.el7uek] - kvm/vmx: Don last seen 2020-06-01 modified 2020-06-02 plugin id 111726 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111726 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4196) (Foreshadow) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2388.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7.3 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting these issues. Bug Fix(es) : * Due to a bug in a CPU last seen 2020-06-01 modified 2020-06-02 plugin id 111729 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111729 title RHEL 7 : kernel (RHSA-2018:2388) (Foreshadow) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-2390.NASL description From Red Hat Security Advisory 2018:2390 : An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. [Updated 16th August 2018] The original errata text was missing reference to CVE-2018-5390 fix. We have updated the errata text to correct this issue. No changes have been made to the packages. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions past bounds check. The flaw relies on the presence of a precisely-defined instruction sequence in the privileged code and the fact that memory writes occur to an address which depends on the untrusted value. Such writes cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 111724 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111724 title Oracle Linux 6 : kernel (ELSA-2018-2390) (Foreshadow) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2392.NASL description An update for kernel is now available for Red Hat Enterprise Linux 6.6 Advanced Update Support and Red Hat Enterprise Linux 6.6 Telco Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) * kernel: kvm: vmx: host GDT limit corruption (CVE-2018-10901) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Intel OSSIRT (Intel.com) for reporting CVE-2018-3620 and CVE-2018-3646 and Vegard Nossum (Oracle Corporation) for reporting CVE-2018-10901. last seen 2020-06-01 modified 2020-06-02 plugin id 111733 published 2018-08-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111733 title RHEL 6 : kernel (RHSA-2018:2392) (Foreshadow) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0088_LINUX.NASL description An update of the linux package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121989 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121989 title Photon OS 2.0: Linux PHSA-2018-2.0-0088 NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1506.NASL description Security researchers identified speculative execution side-channel methods which have the potential to improperly gather sensitive data from multiple types of computing devices with different vendors’ processors and operating systems. This update requires an update to the intel-microcode package, which is non-free. It is related to DLA-1446-1 and adds more mitigations for additional types of Intel processors. For more information please also read the official Intel security advisories at : https://www.intel.com/content/www/us/en/security-center/advisory/intel -s a-00088.html https://www.intel.com/content/www/us/en/security-center/advisory/intel -s a-00115.html https://www.intel.com/content/www/us/en/security-center/advisory/intel -s a-00161.html For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 117502 published 2018-09-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117502 title Debian DLA-1506-1 : intel-microcode security update (Foreshadow) (Spectre) NASL family Misc. NASL id VMWARE_VSPHERE_VREALIZE_AUTOMATION_VMSA-2018-0021.NASL description The version of VMware vRealize Automation installed on the remote host is 6.x or 7.x. It is, therefore, affected by an information disclosure vulnerability. last seen 2020-06-01 modified 2020-06-02 plugin id 112209 published 2018-08-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112209 title VMware vRealize Automation 6.x / 7.x Information Disclosure Vulnerability (VMSA-2018-0021 NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2018-0271.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0271 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 118962 published 2018-11-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118962 title OracleVM 3.3 : xen (OVMSA-2018-0271) (Foreshadow) (Spectre) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1323.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimisation) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3620, CVE-2018-3646) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 118411 published 2018-10-26 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118411 title EulerOS Virtualization 2.5.1 : kernel (EulerOS-SA-2018-1323) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2344-2.NASL description The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-3620: Local attackers on baremetal systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data. (bnc#1087081). CVE-2018-3646: Local attackers in virtualized guest systems could use speculative code patterns on hyperthreaded processors to read data present in the L1 Datacache used by other hyperthreads on the same CPU core, potentially leaking sensitive data, even from other virtual machines or the host system. (bnc#1089343). CVE-2018-5390 aka last seen 2020-06-01 modified 2020-06-02 plugin id 118283 published 2018-10-22 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118283 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:2344-2) (Foreshadow)
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
The Hacker News
id | THN:EF99982C6EC60931564882E926297F08 |
last seen | 2018-08-15 |
modified | 2018-08-15 |
published | 2018-08-15 |
reporter | The Hacker News |
source | https://thehackernews.com/2018/08/foreshadow-intel-processor-vulnerability.html |
title | Foreshadow Attacks — 3 New Intel CPU Side-Channel Flaws Discovered |
References
- http://support.lenovo.com/us/en/solutions/LEN-24163
- http://support.lenovo.com/us/en/solutions/LEN-24163
- http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180815-01-cpu-en
- http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180815-01-cpu-en
- http://www.securityfocus.com/bid/105080
- http://www.securityfocus.com/bid/105080
- http://www.securitytracker.com/id/1041451
- http://www.securitytracker.com/id/1041451
- http://www.vmware.com/security/advisories/VMSA-2018-0021.html
- http://www.vmware.com/security/advisories/VMSA-2018-0021.html
- http://xenbits.xen.org/xsa/advisory-273.html
- http://xenbits.xen.org/xsa/advisory-273.html
- https://access.redhat.com/errata/RHSA-2018:2384
- https://access.redhat.com/errata/RHSA-2018:2384
- https://access.redhat.com/errata/RHSA-2018:2387
- https://access.redhat.com/errata/RHSA-2018:2387
- https://access.redhat.com/errata/RHSA-2018:2388
- https://access.redhat.com/errata/RHSA-2018:2388
- https://access.redhat.com/errata/RHSA-2018:2389
- https://access.redhat.com/errata/RHSA-2018:2389
- https://access.redhat.com/errata/RHSA-2018:2390
- https://access.redhat.com/errata/RHSA-2018:2390
- https://access.redhat.com/errata/RHSA-2018:2391
- https://access.redhat.com/errata/RHSA-2018:2391
- https://access.redhat.com/errata/RHSA-2018:2392
- https://access.redhat.com/errata/RHSA-2018:2392
- https://access.redhat.com/errata/RHSA-2018:2393
- https://access.redhat.com/errata/RHSA-2018:2393
- https://access.redhat.com/errata/RHSA-2018:2394
- https://access.redhat.com/errata/RHSA-2018:2394
- https://access.redhat.com/errata/RHSA-2018:2395
- https://access.redhat.com/errata/RHSA-2018:2395
- https://access.redhat.com/errata/RHSA-2018:2396
- https://access.redhat.com/errata/RHSA-2018:2396
- https://access.redhat.com/errata/RHSA-2018:2402
- https://access.redhat.com/errata/RHSA-2018:2402
- https://access.redhat.com/errata/RHSA-2018:2403
- https://access.redhat.com/errata/RHSA-2018:2403
- https://access.redhat.com/errata/RHSA-2018:2404
- https://access.redhat.com/errata/RHSA-2018:2404
- https://access.redhat.com/errata/RHSA-2018:2602
- https://access.redhat.com/errata/RHSA-2018:2602
- https://access.redhat.com/errata/RHSA-2018:2603
- https://access.redhat.com/errata/RHSA-2018:2603
- https://cert-portal.siemens.com/productcert/pdf/ssa-254686.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-254686.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf
- https://foreshadowattack.eu/
- https://foreshadowattack.eu/
- https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
- https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
- https://lists.debian.org/debian-lts-announce/2018/08/msg00029.html
- https://lists.debian.org/debian-lts-announce/2018/08/msg00029.html
- https://lists.debian.org/debian-lts-announce/2018/09/msg00017.html
- https://lists.debian.org/debian-lts-announce/2018/09/msg00017.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V4UWGORQWCENCIF2BHWUEF2ODBV75QS2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V4UWGORQWCENCIF2BHWUEF2ODBV75QS2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XRFKQWYV2H4BV75CUNGCGE5TNVQCLBGZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XRFKQWYV2H4BV75CUNGCGE5TNVQCLBGZ/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180018
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0009
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0009
- https://security.FreeBSD.org/advisories/FreeBSD-SA-18:09.l1tf.asc
- https://security.FreeBSD.org/advisories/FreeBSD-SA-18:09.l1tf.asc
- https://security.gentoo.org/glsa/201810-06
- https://security.gentoo.org/glsa/201810-06
- https://security.netapp.com/advisory/ntap-20180815-0001/
- https://security.netapp.com/advisory/ntap-20180815-0001/
- https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
- https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
- https://support.f5.com/csp/article/K95275140
- https://support.f5.com/csp/article/K95275140
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03874en_us
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03874en_us
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180814-cpusidechannel
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180814-cpusidechannel
- https://usn.ubuntu.com/3740-1/
- https://usn.ubuntu.com/3740-1/
- https://usn.ubuntu.com/3740-2/
- https://usn.ubuntu.com/3740-2/
- https://usn.ubuntu.com/3741-1/
- https://usn.ubuntu.com/3741-1/
- https://usn.ubuntu.com/3741-2/
- https://usn.ubuntu.com/3741-2/
- https://usn.ubuntu.com/3742-1/
- https://usn.ubuntu.com/3742-1/
- https://usn.ubuntu.com/3742-2/
- https://usn.ubuntu.com/3742-2/
- https://usn.ubuntu.com/3823-1/
- https://usn.ubuntu.com/3823-1/
- https://www.debian.org/security/2018/dsa-4274
- https://www.debian.org/security/2018/dsa-4274
- https://www.debian.org/security/2018/dsa-4279
- https://www.debian.org/security/2018/dsa-4279
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
- https://www.kb.cert.org/vuls/id/982149
- https://www.kb.cert.org/vuls/id/982149
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.synology.com/support/security/Synology_SA_18_45
- https://www.synology.com/support/security/Synology_SA_18_45