Vulnerabilities > CVE-2018-5848 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument can cause a buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 1 | |
| OS | 3 | |
| OS | 1 | |
| Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0070_KERNEL.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in last seen 2020-06-01 modified 2020-06-02 plugin id 127272 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127272 title NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from ZTE advisory NS-SA-2019-0070. The text # itself is copyright (C) ZTE, Inc. include("compat.inc"); if (description) { script_id(127272); script_version("1.2"); script_cvs_date("Date: 2019/09/24 11:01:33"); script_cve_id( "CVE-2015-8830", "CVE-2016-3672", "CVE-2016-7913", "CVE-2017-0861", "CVE-2017-9725", "CVE-2017-10661", "CVE-2017-12154", "CVE-2017-12190", "CVE-2017-13305", "CVE-2017-15129", "CVE-2017-15265", "CVE-2017-15274", "CVE-2017-17448", "CVE-2017-17449", "CVE-2017-17558", "CVE-2017-17805", "CVE-2017-18017", "CVE-2017-18203", "CVE-2017-18208", "CVE-2017-1000252", "CVE-2017-1000407", "CVE-2017-1000410", "CVE-2018-1120", "CVE-2018-1130", "CVE-2018-3646", "CVE-2018-5344", "CVE-2018-5750", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7566", "CVE-2018-9568", "CVE-2018-17972", "CVE-2018-18397", "CVE-2018-18690", "CVE-2018-1000004", "CVE-2018-1000026" ); script_bugtraq_id(102329); script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)"); script_set_attribute(attribute:"synopsis", value: "The remote machine is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in 'fs/timerfd.c' file which allows a local user to cause a kernel list corruption or use- after-free via simultaneous operations with a file descriptor which leverage improper 'might_cancel' queuing. An unprivileged local user could use this flaw to cause a denial of service of the system. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-10661) - Linux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization (nVMX) feature enabled (nested=1), is vulnerable to a crash due to disabled external interrupts. As L2 guest could access (r/w) hardware CR8 register of the host(L0). In a nested visualization setup, L2 guest user could use this flaw to potentially crash the host(L0) resulting in DoS. (CVE-2017-12154) - It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in 'block/bio.c' do unbalanced pages refcounting if IO vector has small consecutive buffers belonging to the same page. bio_add_pc_page() merges them into one, but the page reference is never dropped, causing a memory leak and possible system lockup due to out-of-memory condition. (CVE-2017-12190) - A flaw was found in the Linux kernel's implementation of valid_master_desc() in which a memory buffer would be compared to a userspace value with an incorrect size of comparison. By bruteforcing the comparison, an attacker could determine what was in memory after the description and possibly obtain sensitive information from kernel memory. (CVE-2017-13305) - A use-after-free vulnerability was found in a network namespaces code affecting the Linux kernel since v4.0-rc1 through v4.15-rc5. The function get_net_ns_by_id() does not check for the net::count value after it has found a peer network in netns_ids idr which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely. (CVE-2017-15129) - A use-after-free vulnerability was found when issuing an ioctl to a sound device. This could allow a user to exploit a race condition and create memory corruption or possibly privilege escalation. (CVE-2017-15265) - A flaw was found in the implementation of associative arrays where the add_key systemcall and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameters value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops). (CVE-2017-15274) - The net/netfilter/nfnetlink_cthelper.c function in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations. This allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces. (CVE-2017-17448) - The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel, through 4.14.4, does not restrict observations of Netlink messages to a single net namespace, when CONFIG_NLMON is enabled. This allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system. (CVE-2017-17449) - The usb_destroy_configuration() function, in 'drivers/usb/core/config.c' in the USB core subsystem, in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources. This allows local users to cause a denial of service, due to out-of-bounds write access, or possibly have unspecified other impact via a crafted USB device. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-17558) - The Salsa20 encryption algorithm in the Linux kernel, before 4.14.8, does not correctly handle zero-length inputs. This allows a local attacker the ability to use the AF_ALG-based skcipher interface to cause a denial of service (uninitialized-memory free and kernel crash) or have an unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 are vulnerable. (CVE-2017-17805) - The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-18017) - The Linux kernel, before version 4.14.3, is vulnerable to a denial of service in drivers/md/dm.c:dm_get_from_kobject() which can be caused by local users leveraging a race condition with __dm_destroy() during creation and removal of DM devices. Only privileged local users (with CAP_SYS_ADMIN capability) can directly perform the ioctl operations for dm device creation and removal and this would typically be outside the direct control of the unprivileged attacker. (CVE-2017-18203) - The madvise_willneed function in the Linux kernel allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping. (CVE-2017-18208) - A flaw was found where the kernel truncated the value used to indicate the size of a buffer which it would later become zero using an untruncated value. This can corrupt memory outside of the original allocation. (CVE-2017-9725) - In the Linux kernel versions 4.12, 3.10, 2.6, and possibly earlier, a race condition vulnerability exists in the sound system allowing for a potential deadlock and memory corruption due to use-after-free condition and thus denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2018-1000004) - Improper validation in the bnx2x network card driver of the Linux kernel version 4.15 can allow for denial of service (DoS) attacks via a packet with a gso_size larger than ~9700 bytes. Untrusted guest VMs can exploit this vulnerability in the host machine, causing a crash in the network card. (CVE-2018-1000026) - By mmap()ing a FUSE-backed file onto a process's memory containing command line arguments (or environment strings), an attacker can cause utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the /proc//cmdline (or /proc//environ) files to block indefinitely (denial of service) or for some controlled time (as a synchronization primitive for other attacks). (CVE-2018-1120) - A null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in the Linux kernel allows a local user to cause a denial of service by a number of certain crafted system calls. (CVE-2018-1130) - An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel. An attacker with a local account can trick the stack unwinder code to leak stack contents to userspace. The fix allows only root to inspect the kernel stack of an arbitrary task. (CVE-2018-17972) - A flaw was found in the Linux kernel with files on tmpfs and hugetlbfs. An attacker is able to bypass file permissions on filesystems mounted with tmpfs/hugetlbs to modify a file and possibly disrupt normal system behavior. At this time there is an understanding there is no crash or privilege escalation but the impact of modifications on these filesystems of files in production systems may have adverse affects. (CVE-2018-18397) - In the Linux kernel before 4.17, a local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE operations with conversion of an attr from short to long form. (CVE-2018-18690) - Modern operating systems implement virtualization of physical memory to efficiently use available system resources and provide inter-domain protection through access control and isolation. The L1TF issue was found in the way the x86 microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization) in combination with handling of page-faults caused by terminated virtual to physical address resolving process. As a result, an unprivileged attacker could use this flaw to read privileged memory of the kernel or other processes and/or cross guest/host boundaries to read host memory by conducting targeted cache side-channel attacks. (CVE-2018-3646) - A flaw was found in the Linux kernel's handling of loopback devices. An attacker, who has permissions to setup loopback disks, may create a denial of service or other unspecified actions. (CVE-2018-5344) - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel, through 4.14.15, allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call. (CVE-2018-5750) - An error in the _sctp_make_chunk() function (net/sctp/sm_make_chunk.c) when handling SCTP, packet length can be exploited by a malicious local user to cause a kernel crash and a DoS. (CVE-2018-5803) - In the function wmi_set_ie() in the Linux kernel the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the ie_len argument can cause a buffer overflow and thus a memory corruption leading to a system crash or other or unspecified impact. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2018-5848) - ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access. (CVE-2018-7566) - A possible memory corruption due to a type confusion was found in the Linux kernel in the sk_clone_lock() function in the net/core/sock.c. The possibility of local escalation of privileges cannot be fully ruled out for a local unprivileged attacker. (CVE-2018-9568) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0070"); script_set_attribute(attribute:"solution", value: "Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for more information."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-18017"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"NewStart CGSL Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/ZTE-CGSL/release"); if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux"); if (release !~ "CGSL CORE 5.04" && release !~ "CGSL MAIN 5.04") audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04'); if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu); flag = 0; pkgs = { "CGSL CORE 5.04": [ "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-debug-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-debug-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite", "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite" ], "CGSL MAIN 5.04": [ "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-debug-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9", "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9" ] }; pkg_list = pkgs[release]; foreach (pkg in pkg_list) if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1761-1.NASL description The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3665: Prevent disclosure of FPU registers (including XMM and AVX registers) between processes. These registers might contain encryption keys when doing SSE accelerated AES enc/decryption (bsc#1087086) - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the last seen 2020-06-01 modified 2020-06-02 plugin id 110636 published 2018-06-21 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110636 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1761-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2018:1761-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(110636); script_version("1.4"); script_cvs_date("Date: 2019/09/10 13:51:48"); script_cve_id("CVE-2017-13305", "CVE-2018-1000204", "CVE-2018-1092", "CVE-2018-1093", "CVE-2018-1094", "CVE-2018-1130", "CVE-2018-3665", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7492"); script_name(english:"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1761-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3665: Prevent disclosure of FPU registers (including XMM and AVX registers) between processes. These registers might contain encryption keys when doing SSE accelerated AES enc/decryption (bsc#1087086) - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument could have caused a buffer overflow (bnc#1097356) - CVE-2018-1000204: Prevent infoleak caused by incorrect handling of the SG_IO ioctl (bsc#1096728) - CVE-2017-13305: Prevent information disclosure vulnerability in encrypted-keys (bsc#1094353) - CVE-2018-1094: The ext4_fill_super function did not always initialize the crc32c checksum driver, which allowed attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image (bsc#1087007). - CVE-2018-1093: The ext4_valid_block_bitmap function allowed attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers (bsc#1087095). - CVE-2018-1092: The ext4_iget function mishandled the case of a root directory with a zero i_links_count, which allowed attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image (bsc#1087012). - CVE-2018-1130: NULL pointer dereference in dccp_write_xmit() function that allowed a local user to cause a denial of service by a number of certain crafted system calls (bsc#1092904) - CVE-2018-5803: Prevent error in the '_sctp_make_chunk()' function when handling SCTP packets length that could have been exploited to cause a kernel crash (bnc#1083900) - CVE-2018-7492: Prevent NULL pointer dereference in the net/rds/rdma.c __rds_rdma_map() function that allowed local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST (bsc#1082962) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1038553" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1046610" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1079152" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1082962" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1083382" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1083900" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1087007" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1087012" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1087082" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1087086" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1087095" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1092813" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1092904" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1094033" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1094353" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1094823" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1096140" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1096242" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1096281" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1096480" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1096728" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1097356" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-13305/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1000204/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1092/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1093/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1094/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1130/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-3665/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-5803/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-5848/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-7492/" ); # https://www.suse.com/support/update/announcement/2018/suse-su-20181761-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?33239d58" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1183=1 SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1183=1 SUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-1183=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_96-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_96-xen"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/26"); script_set_attribute(attribute:"patch_publication_date", value:"2018/06/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/21"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-base-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-base-debuginfo-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-debuginfo-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-debugsource-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-devel-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kgraft-patch-3_12_74-60_64_96-default-1-2.3.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kgraft-patch-3_12_74-60_64_96-xen-1-2.3.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"s390x", reference:"kernel-default-man-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-base-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-base-debuginfo-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-debuginfo-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-debugsource-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-devel-3.12.74-60.64.96.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-syms-3.12.74-60.64.96.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1762-1.NASL description The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3665: Prevent disclosure of FPU registers (including XMM and AVX registers) between processes. These registers might contain encryption keys when doing SSE accelerated AES enc/decryption (bsc#1087086) - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the last seen 2020-06-01 modified 2020-06-02 plugin id 110637 published 2018-06-21 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110637 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1762-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2018:1762-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(110637); script_version("1.4"); script_cvs_date("Date: 2019/09/10 13:51:48"); script_cve_id("CVE-2017-13305", "CVE-2018-1000204", "CVE-2018-1092", "CVE-2018-1093", "CVE-2018-1094", "CVE-2018-1130", "CVE-2018-3665", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7492"); script_name(english:"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1762-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3665: Prevent disclosure of FPU registers (including XMM and AVX registers) between processes. These registers might contain encryption keys when doing SSE accelerated AES enc/decryption (bsc#1087086) - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument could have caused a buffer overflow (bnc#1097356) - CVE-2018-1000204: Prevent infoleak caused by incorrect handling of the SG_IO ioctl (bsc#1096728) - CVE-2017-13305: Prevent information disclosure vulnerability in encrypted-keys (bsc#1094353) - CVE-2018-1094: The ext4_fill_super function did not always initialize the crc32c checksum driver, which allowed attackers to cause a denial of service (ext4_xattr_inode_hash NULL pointer dereference and system crash) via a crafted ext4 image (bsc#1087007) - CVE-2018-1093: The ext4_valid_block_bitmap function allowed attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers (bsc#1087095) - CVE-2018-1092: The ext4_iget function mishandled the case of a root directory with a zero i_links_count, which allowed attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image (bsc#1087012) - CVE-2018-1130: NULL pointer dereference in dccp_write_xmit() function that allowed a local user to cause a denial of service by a number of certain crafted system calls (bsc#1092904) - CVE-2018-5803: Prevent error in the '_sctp_make_chunk()' function when handling SCTP packets length that could have been exploited to cause a kernel crash (bnc#1083900) - CVE-2018-7492: Prevent NULL pointer dereference in the net/rds/rdma.c __rds_rdma_map() function that allowed local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST (bsc#1082962) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1046610" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1079152" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1082962" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1083900" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1087007" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1087012" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1087082" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1087086" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1087095" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1092552" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1092813" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1092904" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1094033" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1094353" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1094823" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1096140" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1096242" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1096281" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1096480" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1096728" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1097356" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-13305/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1000204/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1092/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1093/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1094/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1130/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-3665/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-5803/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-5848/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-7492/" ); # https://www.suse.com/support/update/announcement/2018/suse-su-20181762-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?9713a18f" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-2018-1184=1 SUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-1184=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_136-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_136-xen"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/26"); script_set_attribute(attribute:"patch_publication_date", value:"2018/06/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/21"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kernel-xen-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kernel-xen-base-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kernel-xen-base-debuginfo-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kernel-xen-debuginfo-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kernel-xen-debugsource-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kernel-xen-devel-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kgraft-patch-3_12_61-52_136-default-1-1.3.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kgraft-patch-3_12_61-52_136-xen-1-1.3.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", cpu:"s390x", reference:"kernel-default-man-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-default-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-default-base-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-default-base-debuginfo-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-default-debuginfo-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-default-debugsource-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-default-devel-3.12.61-52.136.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-syms-3.12.61-52.136.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1855-1.NASL description The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the last seen 2020-06-01 modified 2020-06-02 plugin id 110838 published 2018-07-02 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110838 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1855-1) NASL family Scientific Linux Local Security Checks NASL id SL_20181030_KERNEL_ON_SL7_X.NASL description Security Fix(es) : - A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) - kernel: out-of-bounds access in the show_timer function in kernel/time /posix-timers.c (CVE-2017-18344) - kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) - kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) - kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) - kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) - kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) - kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) - kernel: Salsa20 encryption algorithm does not correctly handle zero- length inputs allowing local attackers to cause denial of service (CVE-2017-17805) - kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) - kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) - kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) - kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) - kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) - kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) - kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) - kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) - kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) - kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) - kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) - kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) - kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) - kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) - kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c (CVE-2018-7757) - kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) - kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) - kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) - kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) - kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) last seen 2020-03-18 modified 2018-11-27 plugin id 119187 published 2018-11-27 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119187 title Scientific Linux Security Update : kernel on SL7.x x86_64 (20181030) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1538.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The walk_hugetlb_range() function in last seen 2020-03-19 modified 2019-05-14 plugin id 124991 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124991 title EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1538) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-4127-1.NASL description This update for the Linux Kernel 4.4.103-92_56 fixes one issue. The following security issue was fixed : CVE-2018-5848: Fixed an unsigned integer overflow in wmi_set_ie. This could lead to a buffer overflow (bsc#1097356). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-28 modified 2018-12-18 plugin id 119740 published 2018-12-18 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119740 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:4127-1) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2019-030-01.NASL description New kernel packages are available for Slackware 14.2 to fix security issues. last seen 2020-03-17 modified 2019-01-31 plugin id 121505 published 2019-01-31 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121505 title Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-030-01) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-3083.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094. last seen 2020-06-01 modified 2020-06-02 plugin id 118525 published 2018-10-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118525 title RHEL 7 : kernel (RHSA-2018:3083) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-4153-1.NASL description This update for the Linux Kernel 3.12.74-60_64_88 fixes several issues. The following security issues were fixed : CVE-2018-9568: Prevent possible memory corruption due to type confusion in sk_clone_lock. This could lead to local privilege escalation (bsc#1118319). CVE-2018-5848: Fixed an unsigned integer overflow in wmi_set_ie. This could lead to a buffer overflow (bsc#1097356). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-28 modified 2018-12-18 plugin id 119744 published 2018-12-18 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119744 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:4153-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-4195-1.NASL description This update for the Linux Kernel 3.12.61-52_111 fixes several issues. The following security issues were fixed : CVE-2018-9568: Prevent possible memory corruption due to type confusion in sk_clone_lock. This could lead to local privilege escalation (bsc#1118319). CVE-2018-5848: Fixed an unsigned integer overflow in wmi_set_ie. This could lead to a buffer overflow (bsc#1097356). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-28 modified 2018-12-20 plugin id 119809 published 2018-12-20 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119809 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:4195-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-4157-1.NASL description This update for the Linux Kernel 3.12.74-60_64_93 fixes several issues. The following security issues were fixed : CVE-2018-9568: Prevent possible memory corruption due to type confusion in sk_clone_lock. This could lead to local privilege escalation (bsc#1118319). CVE-2018-5848: Fixed an unsigned integer overflow in wmi_set_ie. This could lead to a buffer overflow (bsc#1097356). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-28 modified 2018-12-18 plugin id 119746 published 2018-12-18 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119746 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:4157-1) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1715.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-18249 A race condition was discovered in the disk space allocator of F2FS. A user with access to an F2FS volume could use this to cause a denial of service or other security impact. CVE-2018-1128, CVE-2018-1129 The cephx authentication protocol used by Ceph was susceptible to replay attacks, and calculated signatures incorrectly. These vulnerabilities in the server required changes to authentication that are incompatible with existing clients. The kernel last seen 2020-06-01 modified 2020-06-02 plugin id 122879 published 2019-03-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122879 title Debian DLA-1715-1 : linux-4.9 security update (Spectre) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-3083.NASL description From Red Hat Security Advisory 2018:3083 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094. last seen 2020-06-01 modified 2020-06-02 plugin id 118770 published 2018-11-07 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118770 title Oracle Linux 7 : kernel (ELSA-2018-3083) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1772-1.NASL description The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.136 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the last seen 2020-06-01 modified 2020-06-02 plugin id 110660 published 2018-06-22 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110660 title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:1772-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-4304.NASL description Description of changes: [4.14.35-1818.5.4.el7uek] - RDS: NULL pointer dereference in rds_atomic_free_op (Mohamed Ghannam) [Orabug: 28020694] {CVE-2018-5333} - x86/speculation: Make enhanced IBRS the default spectre v2 mitigation (Alejandro Jimenez) [Orabug: 28474853] - x86/speculation: Enable enhanced IBRS usage (Alejandro Jimenez) [Orabug: 28474853] - x86/speculation: functions for supporting enhanced IBRS (Alejandro Jimenez) [Orabug: 28474853] - KVM: x86: Expose CLDEMOTE CPU feature to guest VM (Jingqi Liu) [Orabug: 28938290] - x86/cpufeatures: Enumerate cldemote instruction (Fenghua Yu) [Orabug: 28938290] - libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset (Fred Herard) [Orabug: 28946206] - wil6210: missing length check in wmi_set_ie (Lior David) [Orabug: 28951267] {CVE-2018-5848} - floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (Andy Whitcroft) [Orabug: 28956546] {CVE-2018-7755} {CVE-2018-7755} [4.14.35-1818.5.3.el7uek] - hugetlbfs: use truncate mutex to prevent pmd sharing race (Mike Kravetz) [Orabug: 28896279] - xfs: enhance dinode verifier (Eric Sandeen) [Orabug: 28943579] {CVE-2018-10322} - xfs: move inode fork verifiers to xfs_dinode_verify (Darrick J. Wong) [Orabug: 28943579] {CVE-2018-10322} [4.14.35-1818.5.2.el7uek] - rds: crash at rds_ib_inc_copy_to_user+104 due to NULL ptr reference (Venkat Venkatsubra) [Orabug: 28748049] - kdump/vmcore: support encrypted old memory with SME enabled (Lianbo Jiang) [Orabug: 28796835] - amd_iommu: remap the device table of IOMMU with the memory encryption mask for kdump (Lianbo Jiang) [Orabug: 28796835] - kexec: allocate unencrypted control pages for kdump in case SME is enabled (Lianbo Jiang) [Orabug: 28796835] - x86/ioremap: add a function ioremap_encrypted() to remap kdump old memory (Lianbo Jiang) [Orabug: 28796835] - net/rds: Fix endless RNR situation (Venkat Venkatsubra) [Orabug: 28857013] - Btrfs: fix xattr loss after power failure (Filipe Manana) [Orabug: 28893942] - xen/balloon: Support xend-based toolstack (Boris Ostrovsky) [Orabug: 28901032] - Btrfs: fix file data corruption after cloning a range and fsync (Filipe Manana) [Orabug: 28905635] - xen-blkfront: fix kernel panic with negotiate_mq error path (Manjunath Patil) - cdrom: fix improper type cast, which can leat to information leak. (Young_X) [Orabug: 28929755] {CVE-2018-16658} {CVE-2018-10940} {CVE-2018-18710} - sched/fair: Use a recently used CPU as an idle candidate and the basis for SIS (Mel Gorman) [Orabug: 28940633] - sched/fair: Move select_task_rq_fair() slow-path into its own function (Brendan Jackman) [Orabug: 28940633] - certs: Add Oracle last seen 2020-04-30 modified 2018-12-13 plugin id 119638 published 2018-12-13 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119638 title Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4304) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1855-2.NASL description The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed : CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the last seen 2020-06-01 modified 2020-06-02 plugin id 118272 published 2018-10-22 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118272 title SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1855-2) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2019-4509.NASL description Description of changes: [4.14.35-1844.1.3.el7uek] - net: rds: fix rds_ib_sysctl_max_recv_allocation error (Zhu Yanjun) [Orabug: 29003422] - nfs: don last seen 2020-03-18 modified 2019-01-16 plugin id 121201 published 2019-01-16 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121201 title Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2019-4509) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1731.NASL description The linux update issued as DLA-1731-1 caused a regression in the vmxnet3 (VMware virtual network adapter) driver. This update corrects that regression, and an earlier regression in the CIFS network filesystem implementation introduced in DLA-1422-1. For reference the original advisory text follows. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2016-10741 A race condition was discovered in XFS that would result in a crash (BUG). A local user permitted to write to an XFS volume could use this for denial of service. CVE-2017-5753 Further instances of code that was vulnerable to Spectre variant 1 (bounds-check bypass) have been mitigated. CVE-2017-13305 A memory over-read was discovered in the keys subsystem last seen 2020-06-01 modified 2020-06-02 plugin id 123420 published 2019-03-28 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123420 title Debian DLA-1731-2 : linux regression update (Spectre) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-3096.NASL description An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094. last seen 2020-06-01 modified 2020-06-02 plugin id 118528 published 2018-10-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118528 title RHEL 7 : kernel-rt (RHSA-2018:3096) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-762.NASL description The openSUSE Leap 15 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could have result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1100418) - CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow via a large relative timeout because ktime_add_safe was not used (bnc#1099924) - CVE-2018-9385: Prevent overread of the last seen 2020-06-05 modified 2018-07-30 plugin id 111414 published 2018-07-30 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111414 title openSUSE Security Update : the Linux Kernel (openSUSE-2018-762) (Spectre) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2019-0002.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - rds: congestion updates can be missed when kernel low on memory (Mukesh Kacker) [Orabug: 28425811] - net/rds: ib: Fix endless RNR Retries caused by memory allocation failures (Venkat Venkatsubra) [Orabug: 28127993] - net: rds: fix excess initialization of the recv SGEs (Zhu Yanjun) [Orabug: 29004503] - xhci: fix usb2 resume timing and races. (Mathias Nyman) [Orabug: 29028940] - xhci: Fix a race in usb2 LPM resume, blocking U3 for usb2 devices (Mathias Nyman) [Orabug: 29028940] - userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered (Andrea Arcangeli) [Orabug: 29163750] (CVE-2018-18397) - userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas (Andrea Arcangeli) [Orabug: 29163750] (CVE-2018-18397) - x86/apic/x2apic: set affinity of a single interrupt to one cpu (Jianchao Wang) [Orabug: 29196396] - xen/blkback: rework validate_io_op (Dongli Zhang) [Orabug: 29199843] - xen/blkback: optimize validate_io_op to filter BLKIF_OP_RESERVED_1 operation (Dongli Zhang) [Orabug: 29199843] - xen/blkback: do not BUG for invalid blkif_request from frontend (Dongli Zhang) [Orabug: 29199843] - net/rds: WARNING: at net/rds/recv.c:222 rds_recv_hs_exthdrs+0xf8/0x1e0 (Venkat Venkatsubra) [Orabug: 29201779] - xen-netback: wake up xenvif_dealloc_kthread when it should stop (Dongli Zhang) [Orabug: 29217927] - Revert last seen 2020-03-18 modified 2019-02-06 plugin id 121605 published 2019-02-06 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121605 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0002) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-656.NASL description The openSUSE Leap 42.3 was updated to 4.4.138 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4 (bsc#1085308 bsc#1087082) This update improves the previous Spectre Variant 4 fixes and also mitigates them on the ARM architecture. - CVE-2018-3665: The FPU state and registers of x86 CPUs were saved and restored in a lazy fashion, which opened its disclosure by speculative side channel attacks. This has been fixed by replacing the lazy save/restore by eager saving and restoring (bnc#1087086) - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the last seen 2020-06-05 modified 2018-06-22 plugin id 110658 published 2018-06-22 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110658 title openSUSE Security Update : the Linux Kernel (openSUSE-2018-656) (Spectre) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2092-1.NASL description The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes. The following new feature was added : - NVDIMM memory error notification (ACPI 6.2) The following security bugs were fixed : - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could have result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1100418) - CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow via a large relative timeout because ktime_add_safe was not used (bnc#1099924) - CVE-2018-9385: Prevent overread of the last seen 2020-03-21 modified 2019-01-02 plugin id 120067 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120067 title SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2018:2092-1) (Spectre) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1259.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller last seen 2020-03-19 modified 2019-04-04 plugin id 123727 published 2019-04-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123727 title EulerOS Virtualization 2.5.3 : kernel (EulerOS-SA-2019-1259) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-2948.NASL description An update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-alt packages provide the Linux kernel version 4.x. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor last seen 2020-06-01 modified 2020-06-02 plugin id 118513 published 2018-10-31 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118513 title RHEL 7 : kernel-alt (RHSA-2018:2948) (Spectre) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2018-3083.NASL description An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094. last seen 2020-06-01 modified 2020-06-02 plugin id 118990 published 2018-11-16 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118990 title CentOS 7 : kernel (CESA-2018:3083) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1432.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the last seen 2020-05-06 modified 2018-12-28 plugin id 119921 published 2018-12-28 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119921 title EulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1432) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2019-4316.NASL description Description of changes: kernel-uek [3.8.13-118.29.1.el7uek] - Copy secure_boot flag in boot params across kexec reboot (Dave Young) [Orabug: 22066352] {CVE-2015-7837} - ipv6: tcp: add rcu locking in tcp_v6_send_synack() (Eric Dumazet) [Orabug: 25059183] {CVE-2016-3841} - ipv6: add complete rcu protection around np->opt (Eric Dumazet) [Orabug: 25059183] {CVE-2016-3841} - scsi: qla2xxx: Fix an integer overflow in sysfs code (Dan Carpenter) [Orabug: 28220420] {CVE-2017-14051} - ext4: fail ext4_iget for root directory if unallocated (Theodore Ts last seen 2020-03-18 modified 2019-01-07 plugin id 120977 published 2019-01-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120977 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4316) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-536.NASL description The openSUSE Leap 15 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could have result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1100418) - CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow via a large relative timeout because ktime_add_safe was not used (bnc#1099924) - CVE-2018-9385: Prevent overread of the last seen 2020-06-01 modified 2020-06-02 plugin id 123226 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123226 title openSUSE Security Update : the Linux Kernel (openSUSE-2019-536) (Spectre) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0074_KERNEL-RT.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in last seen 2020-06-01 modified 2020-06-02 plugin id 127281 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127281 title NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0074) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1156.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658.(CVE-2018-18710) - A flaw was found in mmap in the Linux kernel allowing the process to map a null page. This allows attackers to abuse this mechanism to turn null pointer dereferences into workable exploits.(CVE-2019-9213) - The Linux kernel does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.(CVE-2018-1118) - It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation.(CVE-2018-10902) - A flaw was discovered in the Linux kernel last seen 2020-05-06 modified 2019-04-02 plugin id 123630 published 2019-04-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123630 title EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1156)
Redhat
| advisories |
| ||||||||||||
| rpms |
|
References
- https://access.redhat.com/errata/RHSA-2018:2948
- https://access.redhat.com/errata/RHSA-2018:3083
- https://access.redhat.com/errata/RHSA-2018:3096
- https://lists.debian.org/debian-lts-announce/2019/03/msg00017.html
- https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
- https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html
- https://source.android.com/security/bulletin/pixel/2018-05-01
- https://www.codeaurora.org/security-bulletin/2018/05/11/may-2018-code-aurora-security-bulletin-2