Vulnerabilities > CVE-2018-5703 - Out-of-bounds Write vulnerability in Linux Kernel

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2018-2bce10900e.
#

include("compat.inc");

if (description)
{
  script_id(108307);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2018-1065", "CVE-2018-5703", "CVE-2018-5803", "CVE-2018-7757");
  script_xref(name:"FEDORA", value:"2018-2bce10900e");

  script_name(english:"Fedora 27 : kernel (2018-2bce10900e)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The 4.15.8 update contains a number of important fixes across the
tree.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-2bce10900e"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/14");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
include("ksplice.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^27([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2018-1065", "CVE-2018-5703", "CVE-2018-5803", "CVE-2018-7757");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2018-2bce10900e");
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}

flag = 0;
if (rpm_check(release:"FC27", reference:"kernel-4.15.8-300.fc27")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(125101);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");

  script_cve_id(
    "CVE-2013-7281",
    "CVE-2014-0206",
    "CVE-2014-2706",
    "CVE-2014-9090",
    "CVE-2015-8966",
    "CVE-2016-2187",
    "CVE-2016-2384",
    "CVE-2016-2543",
    "CVE-2016-4569",
    "CVE-2016-5342",
    "CVE-2016-8632",
    "CVE-2017-11176",
    "CVE-2017-12154",
    "CVE-2017-16646",
    "CVE-2017-16649",
    "CVE-2018-12714",
    "CVE-2018-13095",
    "CVE-2018-14634",
    "CVE-2018-5703",
    "CVE-2018-7755"
  );
  script_bugtraq_id(
    64747,
    66591,
    68176,
    71250
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1513)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - A flaw was found in the USB-MIDI Linux kernel driver: a
    double-free error could be triggered for the 'umidi'
    object. An attacker with physical access to the system
    could use this flaw to escalate their
    privileges.(CVE-2016-2384i1/4%0

  - A vulnerability was found in Linux kernel. There is an
    information leak in file 'sound/core/timer.c' of the
    latest mainline Linux kernel, the stack object
    aEURoetreadaEUR has a total size of 32 bytes. It contains a
    8-bytes padding, which is not initialized but sent to
    user via copy_to_user(), resulting a kernel
    leak.(CVE-2016-4569i1/4%0

  - The dgram_recvmsg function in net/ieee802154/dgram.c in
    the Linux kernel before 3.12.4 updates a certain length
    value without ensuring that an associated data
    structure has been initialized, which allows local
    users to obtain sensitive information from kernel stack
    memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
    system call.(CVE-2013-7281i1/4%0

  - The tcp_v6_syn_recv_sock function in
    net/ipv6/tcp_ipv6.c in the Linux kernel through 4.14.11
    allows attackers to cause a denial of service (slab
    out-of-bounds write) or possibly have unspecified other
    impact via vectors involving TLS.(CVE-2018-5703i1/4%0

  - An issue was discovered in the fd_locked_ioctl function
    in drivers/block/floppy.c in the Linux kernel. The
    floppy driver will copy a kernel pointer to user memory
    in response to the FDGETPRM ioctl. An attacker can send
    the FDGETPRM ioctl and use the obtained kernel pointer
    to discover the location of kernel code and data and
    bypass kernel security protections such as
    KASLR.(CVE-2018-7755i1/4%0

  - The usbnet_generic_cdc_bind function in
    drivers/net/usb/cdc_ether.c in the Linux kernel through
    4.13.11 allows local users to cause a denial of service
    (divide-by-zero error and system crash) or possibly
    have unspecified other impact via a crafted USB
    device.(CVE-2017-16649i1/4%0

  - Heap-based buffer overflow in the wcnss_wlan_write
    function in drivers/net/wireless/wcnss/wcnss_wlan.c in
    the wcnss_wlan device driver for the Linux kernel 3.x,
    as used in Qualcomm Innovation Center (QuIC) Android
    contributions for MSM devices and other products,
    allows attackers to cause a denial of service or
    possibly have unspecified other impact by writing to
    /dev/wcnss_wlan with an unexpected amount of
    data.(CVE-2016-5342i1/4%0

  - drivers/media/usb/dvb-usb/dib0700_devices.c in the
    Linux kernel through 4.13.11 allows local users to
    cause a denial of service (BUG and system crash) or
    possibly have unspecified other impact via a crafted
    USB device.(CVE-2017-16646i1/4%0

  - A flaw was found in the TIPC networking subsystem which
    could allow for memory corruption and possible
    privilege escalation. The flaw involves a system with
    an unusually low MTU (60) on networking devices
    configured as bearers for the TIPC protocol. An
    attacker could create a packet which will overwrite
    memory outside of allocated space and allow for
    privilege escalation.(CVE-2016-8632i1/4%0

  - An issue was discovered in the XFS filesystem in
    fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel. A
    denial of service due to the NULL pointer dereference
    can occur for a corrupted xfs image upon encountering
    an inode that is in extent format, but has more extents
    than fit in the inode fork.(CVE-2018-13095i1/4%0

  - Linux kernel built with the KVM visualization support
    (CONFIG_KVM), with nested visualization (nVMX) feature
    enabled (nested=1), is vulnerable to a crash due to
    disabled external interrupts. As L2 guest could access
    (r/w) hardware CR8 register of the host(L0). In a
    nested visualization setup, L2 guest user could use
    this flaw to potentially crash the host(L0) resulting
    in DoS.(CVE-2017-12154i1/4%0

  - The do_double_fault function in arch/x86/kernel/traps.c
    in the Linux kernel through 3.17.4 does not properly
    handle faults associated with the Stack Segment (SS)
    segment register, which allows local users to cause a
    denial of service (panic) via a modify_ldt system call,
    as demonstrated by sigreturn_32 in the
    linux-clock-tests test suite.(CVE-2014-9090i1/4%0

  - A race condition flaw was found in the way the Linux
    kernel's mac80211 subsystem implementation handled
    synchronization between TX and STA wake-up code paths.
    A remote attacker could use this flaw to crash the
    system.(CVE-2014-2706i1/4%0

  - The snd_seq_ioctl_remove_events function in
    sound/core/seq/seq_clientmgr.c in the Linux kernel
    before 4.4.1 does not verify FIFO assignment before
    proceeding with FIFO clearing, which allows local users
    to cause a denial of service (NULL pointer dereference
    and OOPS) via a crafted ioctl call.(CVE-2016-2543i1/4%0

  - The gtco_probe function in drivers/input/tablet/gtco.c
    in the Linux kernel through 4.5.2 allows physically
    proximate attackers to cause a denial of service (NULL
    pointer dereference and system crash) via a crafted
    endpoints value in a USB device
    descriptor.(CVE-2016-2187i1/4%0

  - An integer overflow flaw was found in the Linux
    kernel's create_elf_tables() function. An unprivileged
    local user with access to SUID (or otherwise
    privileged) binary could use this flaw to escalate
    their privileges on the system.(CVE-2018-14634i1/4%0

  - A use-after-free flaw was found in the Netlink
    functionality of the Linux kernel networking subsystem.
    Due to the insufficient cleanup in the mq_notify
    function, a local attacker could potentially use this
    flaw to escalate their privileges on the
    system.(CVE-2017-11176i1/4%0

  - Array index error in the aio_read_events_ring function
    in fs/aio.c in the Linux kernel through 3.15.1 allows
    local users to obtain sensitive information from kernel
    memory via a large head value.(CVE-2014-0206i1/4%0

  - arch/arm/kernel/sys_oabi-compat.c in the Linux kernel
    before 4.4 allows local users to gain privileges via a
    crafted (1) F_OFD_GETLK, (2) F_OFD_SETLK, or (3)
    F_OFD_SETLKW command in an fcntl64 system
    call.(CVE-2015-8966i1/4%0

  - An issue was discovered in the Linux kernel through
    4.17.2. The filter parsing in
    kernel/trace/trace_events_filter.c could be called with
    no filter, which is an N=0 case when it expected at
    least one line to have been read, thus making the N-1
    index invalid. This allows attackers to cause a denial
    of service (slab out-of-bounds write) or possibly have
    unspecified other impact via crafted perf_event_open
    and mmap system calls.(CVE-2018-12714i1/4%0

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1513
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d2b096c1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.28-1.2.117",
        "kernel-devel-4.19.28-1.2.117",
        "kernel-headers-4.19.28-1.2.117",
        "kernel-tools-4.19.28-1.2.117",
        "kernel-tools-libs-4.19.28-1.2.117",
        "kernel-tools-libs-devel-4.19.28-1.2.117",
        "perf-4.19.28-1.2.117",
        "python-perf-4.19.28-1.2.117"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}