Vulnerabilities > CVE-2018-5848 - Integer Overflow or Wraparound vulnerability in multiple products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
google
redhat
debian
CWE-190
nessus

Summary

In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument can cause a buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0070_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in
    last seen2020-06-01
    modified2020-06-02
    plugin id127272
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127272
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0070. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127272);
      script_version("1.2");
      script_cvs_date("Date: 2019/09/24 11:01:33");
    
      script_cve_id(
        "CVE-2015-8830",
        "CVE-2016-3672",
        "CVE-2016-7913",
        "CVE-2017-0861",
        "CVE-2017-9725",
        "CVE-2017-10661",
        "CVE-2017-12154",
        "CVE-2017-12190",
        "CVE-2017-13305",
        "CVE-2017-15129",
        "CVE-2017-15265",
        "CVE-2017-15274",
        "CVE-2017-17448",
        "CVE-2017-17449",
        "CVE-2017-17558",
        "CVE-2017-17805",
        "CVE-2017-18017",
        "CVE-2017-18203",
        "CVE-2017-18208",
        "CVE-2017-1000252",
        "CVE-2017-1000407",
        "CVE-2017-1000410",
        "CVE-2018-1120",
        "CVE-2018-1130",
        "CVE-2018-3646",
        "CVE-2018-5344",
        "CVE-2018-5750",
        "CVE-2018-5803",
        "CVE-2018-5848",
        "CVE-2018-7566",
        "CVE-2018-9568",
        "CVE-2018-17972",
        "CVE-2018-18397",
        "CVE-2018-18690",
        "CVE-2018-1000004",
        "CVE-2018-1000026"
      );
      script_bugtraq_id(102329);
    
      script_name(english:"NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0070)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by
    multiple vulnerabilities:
    
      - Integer overflow in the aio_setup_single_vector function
        in fs/aio.c in the Linux kernel 4.0 allows local users
        to cause a denial of service or possibly have
        unspecified other impact via a large AIO iovec. NOTE:
        this vulnerability exists because of a CVE-2012-6701
        regression. (CVE-2015-8830)
    
      - A weakness was found in the Linux ASLR implementation.
        Any user able to running 32-bit applications in a x86
        machine can disable ASLR by setting the RLIMIT_STACK
        resource to unlimited. (CVE-2016-3672)
    
      - The xc2028_set_config function in
        drivers/media/tuners/tuner-xc2028.c in the Linux kernel
        before 4.6 allows local users to gain privileges or
        cause a denial of service (use-after-free) via vectors
        involving omission of the firmware name from a certain
        data structure. Due to the nature of the flaw, privilege
        escalation cannot be fully ruled out, although we
        believe it is unlikely. (CVE-2016-7913)
    
      - Use-after-free vulnerability in the snd_pcm_info()
        function in the ALSA subsystem in the Linux kernel
        allows attackers to induce a kernel memory corruption
        and possibly crash or lock up a system. Due to the
        nature of the flaw, a privilege escalation cannot be
        fully ruled out, although we believe it is unlikely.
        (CVE-2017-0861)
    
      - A reachable assertion failure flaw was found in the
        Linux kernel built with KVM virtualisation(CONFIG_KVM)
        support with Virtual Function I/O feature (CONFIG_VFIO)
        enabled. This failure could occur if a malicious guest
        device sent a virtual interrupt (guest IRQ) with a
        larger (>1024) index value. (CVE-2017-1000252)
    
      - Linux kernel Virtualization Module (CONFIG_KVM) for the
        Intel processor family (CONFIG_KVM_INTEL) is vulnerable
        to a DoS issue. It could occur if a guest was to flood
        the I/O port 0x80 with write requests. A guest user
        could use this flaw to crash the host kernel resulting
        in DoS. (CVE-2017-1000407)
    
      - A flaw was found in the processing of incoming L2CAP
        bluetooth commands. Uninitialized stack variables can be
        sent to an attacker leaking data in kernel address
        space. (CVE-2017-1000410)
    
      - A race condition was found in the Linux kernel before
        version 4.11-rc1 in 'fs/timerfd.c' file which allows a
        local user to cause a kernel list corruption or use-
        after-free via simultaneous operations with a file
        descriptor which leverage improper 'might_cancel'
        queuing. An unprivileged local user could use this flaw
        to cause a denial of service of the system. Due to the
        nature of the flaw, privilege escalation cannot be fully
        ruled out, although we believe it is unlikely.
        (CVE-2017-10661)
    
      - Linux kernel built with the KVM visualization support
        (CONFIG_KVM), with nested visualization (nVMX) feature
        enabled (nested=1), is vulnerable to a crash due to
        disabled external interrupts. As L2 guest could access
        (r/w) hardware CR8 register of the host(L0). In a nested
        visualization setup, L2 guest user could use this flaw
        to potentially crash the host(L0) resulting in DoS.
        (CVE-2017-12154)
    
      - It was found that in the Linux kernel through v4.14-rc5,
        bio_map_user_iov() and bio_unmap_user() in 'block/bio.c'
        do unbalanced pages refcounting if IO vector has small
        consecutive buffers belonging to the same page.
        bio_add_pc_page() merges them into one, but the page
        reference is never dropped, causing a memory leak and
        possible system lockup due to out-of-memory condition.
        (CVE-2017-12190)
    
      - A flaw was found in the Linux kernel's implementation of
        valid_master_desc() in which a memory buffer would be
        compared to a userspace value with an incorrect size of
        comparison. By bruteforcing the comparison, an attacker
        could determine what was in memory after the description
        and possibly obtain sensitive information from kernel
        memory. (CVE-2017-13305)
    
      - A use-after-free vulnerability was found in a network
        namespaces code affecting the Linux kernel since
        v4.0-rc1 through v4.15-rc5. The function
        get_net_ns_by_id() does not check for the net::count
        value after it has found a peer network in netns_ids idr
        which could lead to double free and memory corruption.
        This vulnerability could allow an unprivileged local
        user to induce kernel memory corruption on the system,
        leading to a crash. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        it is thought to be unlikely. (CVE-2017-15129)
    
      - A use-after-free vulnerability was found when issuing an
        ioctl to a sound device. This could allow a user to
        exploit a race condition and create memory corruption or
        possibly privilege escalation. (CVE-2017-15265)
    
      - A flaw was found in the implementation of associative
        arrays where the add_key systemcall and KEYCTL_UPDATE
        operations allowed for a NULL payload with a nonzero
        length. When accessing the payload within this length
        parameters value, an unprivileged user could trivially
        cause a NULL pointer dereference (kernel oops).
        (CVE-2017-15274)
    
      - The net/netfilter/nfnetlink_cthelper.c function in the
        Linux kernel through 4.14.4 does not require the
        CAP_NET_ADMIN capability for new, get, and del
        operations. This allows local users to bypass intended
        access restrictions because the nfnl_cthelper_list data
        structure is shared across all net namespaces.
        (CVE-2017-17448)
    
      - The __netlink_deliver_tap_skb function in
        net/netlink/af_netlink.c in the Linux kernel, through
        4.14.4, does not restrict observations of Netlink
        messages to a single net namespace, when CONFIG_NLMON is
        enabled. This allows local users to obtain sensitive
        information by leveraging the CAP_NET_ADMIN capability
        to sniff an nlmon interface for all Netlink activity on
        the system. (CVE-2017-17449)
    
      - The usb_destroy_configuration() function, in
        'drivers/usb/core/config.c' in the USB core subsystem,
        in the Linux kernel through 4.14.5 does not consider the
        maximum number of configurations and interfaces before
        attempting to release resources. This allows local users
        to cause a denial of service, due to out-of-bounds write
        access, or possibly have unspecified other impact via a
        crafted USB device. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        we believe it is unlikely. (CVE-2017-17558)
    
      - The Salsa20 encryption algorithm in the Linux kernel,
        before 4.14.8, does not correctly handle zero-length
        inputs. This allows a local attacker the ability to use
        the AF_ALG-based skcipher interface to cause a denial of
        service (uninitialized-memory free and kernel crash) or
        have an unspecified other impact by executing a crafted
        sequence of system calls that use the blkcipher_walk
        API. Both the generic implementation
        (crypto/salsa20_generic.c) and x86 implementation
        (arch/x86/crypto/salsa20_glue.c) of Salsa20 are
        vulnerable. (CVE-2017-17805)
    
      - The tcpmss_mangle_packet function in
        net/netfilter/xt_TCPMSS.c in the Linux kernel before
        4.11, and 4.9.x before 4.9.36, allows remote attackers
        to cause a denial of service (use-after-free and memory
        corruption) or possibly have unspecified other impact by
        leveraging the presence of xt_TCPMSS in an iptables
        action. Due to the nature of the flaw, privilege
        escalation cannot be fully ruled out, although we
        believe it is unlikely. (CVE-2017-18017)
    
      - The Linux kernel, before version 4.14.3, is vulnerable
        to a denial of service in
        drivers/md/dm.c:dm_get_from_kobject() which can be
        caused by local users leveraging a race condition with
        __dm_destroy() during creation and removal of DM
        devices. Only privileged local users (with CAP_SYS_ADMIN
        capability) can directly perform the ioctl operations
        for dm device creation and removal and this would
        typically be outside the direct control of the
        unprivileged attacker. (CVE-2017-18203)
    
      - The madvise_willneed function in the Linux kernel allows
        local users to cause a denial of service (infinite loop)
        by triggering use of MADVISE_WILLNEED for a DAX mapping.
        (CVE-2017-18208)
    
      - A flaw was found where the kernel truncated the value
        used to indicate the size of a buffer which it would
        later become zero using an untruncated value. This can
        corrupt memory outside of the original allocation.
        (CVE-2017-9725)
    
      - In the Linux kernel versions 4.12, 3.10, 2.6, and
        possibly earlier, a race condition vulnerability exists
        in the sound system allowing for a potential deadlock
        and memory corruption due to use-after-free condition
        and thus denial of service. Due to the nature of the
        flaw, privilege escalation cannot be fully ruled out,
        although we believe it is unlikely. (CVE-2018-1000004)
    
      - Improper validation in the bnx2x network card driver of
        the Linux kernel version 4.15 can allow for denial of
        service (DoS) attacks via a packet with a gso_size
        larger than ~9700 bytes. Untrusted guest VMs can exploit
        this vulnerability in the host machine, causing a crash
        in the network card. (CVE-2018-1000026)
    
      - By mmap()ing a FUSE-backed file onto a process's memory
        containing command line arguments (or environment
        strings), an attacker can cause utilities from psutils
        or procps (such as ps, w) or any other program which
        makes a read() call to the /proc//cmdline (or
        /proc//environ) files to block indefinitely (denial
        of service) or for some controlled time (as a
        synchronization primitive for other attacks).
        (CVE-2018-1120)
    
      - A null pointer dereference in dccp_write_xmit() function
        in net/dccp/output.c in the Linux kernel allows a local
        user to cause a denial of service by a number of certain
        crafted system calls. (CVE-2018-1130)
    
      - An issue was discovered in the proc_pid_stack function
        in fs/proc/base.c in the Linux kernel. An attacker with
        a local account can trick the stack unwinder code to
        leak stack contents to userspace. The fix allows only
        root to inspect the kernel stack of an arbitrary task.
        (CVE-2018-17972)
    
      - A flaw was found in the Linux kernel with files on tmpfs
        and hugetlbfs. An attacker is able to bypass file
        permissions on filesystems mounted with tmpfs/hugetlbs
        to modify a file and possibly disrupt normal system
        behavior. At this time there is an understanding there
        is no crash or privilege escalation but the impact of
        modifications on these filesystems of files in
        production systems may have adverse affects.
        (CVE-2018-18397)
    
      - In the Linux kernel before 4.17, a local attacker able
        to set attributes on an xfs filesystem could make this
        filesystem non-operational until the next mount by
        triggering an unchecked error condition during an xfs
        attribute change, because xfs_attr_shortform_addname in
        fs/xfs/libxfs/xfs_attr.c mishandles ATTR_REPLACE
        operations with conversion of an attr from short to long
        form. (CVE-2018-18690)
    
      - Modern operating systems implement virtualization of
        physical memory to efficiently use available system
        resources and provide inter-domain protection through
        access control and isolation. The L1TF issue was found
        in the way the x86 microprocessor designs have
        implemented speculative execution of instructions (a
        commonly used performance optimization) in combination
        with handling of page-faults caused by terminated
        virtual to physical address resolving process. As a
        result, an unprivileged attacker could use this flaw to
        read privileged memory of the kernel or other processes
        and/or cross guest/host boundaries to read host memory
        by conducting targeted cache side-channel attacks.
        (CVE-2018-3646)
    
      - A flaw was found in the Linux kernel's handling of
        loopback devices. An attacker, who has permissions to
        setup loopback disks, may create a denial of service or
        other unspecified actions. (CVE-2018-5344)
    
      - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c
        in the Linux kernel, through 4.14.15, allows local users
        to obtain sensitive address information by reading dmesg
        data from an SBS HC printk call. (CVE-2018-5750)
    
      - An error in the _sctp_make_chunk() function
        (net/sctp/sm_make_chunk.c) when handling SCTP, packet
        length can be exploited by a malicious local user to
        cause a kernel crash and a DoS. (CVE-2018-5803)
    
      - In the function wmi_set_ie() in the Linux kernel the
        length validation code does not handle unsigned integer
        overflow properly. As a result, a large value of the
        ie_len argument can cause a buffer overflow and thus a
        memory corruption leading to a system crash or other or
        unspecified impact. Due to the nature of the flaw,
        privilege escalation cannot be fully ruled out, although
        we believe it is unlikely. (CVE-2018-5848)
    
      - ALSA sequencer core initializes the event pool on demand
        by invoking snd_seq_pool_init() when the first write
        happens and the pool is empty. A user can reset the pool
        size manually via ioctl concurrently, and this may lead
        to UAF or out-of-bound access. (CVE-2018-7566)
    
      - A possible memory corruption due to a type confusion was
        found in the Linux kernel in the sk_clone_lock()
        function in the net/core/sock.c. The possibility of
        local escalation of privileges cannot be fully ruled out
        for a local unprivileged attacker. (CVE-2018-9568)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0070");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for
    more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-18017");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.04" &&
        release !~ "CGSL MAIN 5.04")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.04": [
        "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-core-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debug-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-modules-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite",
        "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.322.gc3912fd.lite"
      ],
      "CGSL MAIN 5.04": [
        "kernel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debug-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "python-perf-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9",
        "python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.12.319.g46331d9"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1761-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3665: Prevent disclosure of FPU registers (including XMM and AVX registers) between processes. These registers might contain encryption keys when doing SSE accelerated AES enc/decryption (bsc#1087086) - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the
    last seen2020-06-01
    modified2020-06-02
    plugin id110636
    published2018-06-21
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110636
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:1761-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:1761-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110636);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/10 13:51:48");
    
      script_cve_id("CVE-2017-13305", "CVE-2018-1000204", "CVE-2018-1092", "CVE-2018-1093", "CVE-2018-1094", "CVE-2018-1130", "CVE-2018-3665", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7492");
    
      script_name(english:"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1761-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive
    various security and bugfixes. The following security bugs were 
    fixed :
    
      - CVE-2018-3665: Prevent disclosure of FPU registers
        (including XMM and AVX registers) between processes.
        These registers might contain encryption keys when doing
        SSE accelerated AES enc/decryption (bsc#1087086)
    
      - CVE-2018-5848: In the function wmi_set_ie(), the length
        validation code did not handle unsigned integer overflow
        properly. As a result, a large value of the 'ie_len'
        argument could have caused a buffer overflow
        (bnc#1097356)
    
      - CVE-2018-1000204: Prevent infoleak caused by incorrect
        handling of the SG_IO ioctl (bsc#1096728)
    
      - CVE-2017-13305: Prevent information disclosure
        vulnerability in encrypted-keys (bsc#1094353)
    
      - CVE-2018-1094: The ext4_fill_super function did not
        always initialize the crc32c checksum driver, which
        allowed attackers to cause a denial of service
        (ext4_xattr_inode_hash NULL pointer dereference and
        system crash) via a crafted ext4 image (bsc#1087007).
    
      - CVE-2018-1093: The ext4_valid_block_bitmap function
        allowed attackers to cause a denial of service
        (out-of-bounds read and system crash) via a crafted ext4
        image because balloc.c and ialloc.c do not validate
        bitmap block numbers (bsc#1087095).
    
      - CVE-2018-1092: The ext4_iget function mishandled the
        case of a root directory with a zero i_links_count,
        which allowed attackers to cause a denial of service
        (ext4_process_freed_data NULL pointer dereference and
        OOPS) via a crafted ext4 image (bsc#1087012).
    
      - CVE-2018-1130: NULL pointer dereference in
        dccp_write_xmit() function that allowed a local user to
        cause a denial of service by a number of certain crafted
        system calls (bsc#1092904)
    
      - CVE-2018-5803: Prevent error in the '_sctp_make_chunk()'
        function when handling SCTP packets length that could
        have been exploited to cause a kernel crash
        (bnc#1083900)
    
      - CVE-2018-7492: Prevent NULL pointer dereference in the
        net/rds/rdma.c __rds_rdma_map() function that allowed
        local attackers to cause a system panic and a
        denial-of-service, related to RDS_GET_MR and
        RDS_GET_MR_FOR_DEST (bsc#1082962)
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1038553"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1046610"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079152"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082962"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083382"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083900"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087007"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087012"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087082"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087086"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087095"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1092813"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1092904"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1094033"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1094353"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1094823"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1096140"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1096242"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1096281"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1096480"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1096728"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1097356"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-13305/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1000204/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1092/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1093/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1094/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1130/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-3665/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-5803/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-5848/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7492/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20181761-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?33239d58"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch
    SUSE-SLE-SAP-12-SP1-2018-1183=1
    
    SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP1-2018-1183=1
    
    SUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch
    SUSE-SLE-Module-Public-Cloud-12-2018-1183=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_96-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_96-xen");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-base-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-base-debuginfo-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-debuginfo-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-debugsource-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-devel-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kgraft-patch-3_12_74-60_64_96-default-1-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kgraft-patch-3_12_74-60_64_96-xen-1-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"s390x", reference:"kernel-default-man-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-base-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-base-debuginfo-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-debuginfo-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-debugsource-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-devel-3.12.74-60.64.96.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-syms-3.12.74-60.64.96.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1762-1.NASL
    descriptionThe SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3665: Prevent disclosure of FPU registers (including XMM and AVX registers) between processes. These registers might contain encryption keys when doing SSE accelerated AES enc/decryption (bsc#1087086) - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the
    last seen2020-06-01
    modified2020-06-02
    plugin id110637
    published2018-06-21
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110637
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:1762-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:1762-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110637);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/10 13:51:48");
    
      script_cve_id("CVE-2017-13305", "CVE-2018-1000204", "CVE-2018-1092", "CVE-2018-1093", "CVE-2018-1094", "CVE-2018-1130", "CVE-2018-3665", "CVE-2018-5803", "CVE-2018-5848", "CVE-2018-7492");
    
      script_name(english:"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1762-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive
    various security and bugfixes. The following security bugs were 
    fixed :
    
      - CVE-2018-3665: Prevent disclosure of FPU registers
        (including XMM and AVX registers) between processes.
        These registers might contain encryption keys when doing
        SSE accelerated AES enc/decryption (bsc#1087086)
    
      - CVE-2018-5848: In the function wmi_set_ie(), the length
        validation code did not handle unsigned integer overflow
        properly. As a result, a large value of the 'ie_len'
        argument could have caused a buffer overflow
        (bnc#1097356)
    
      - CVE-2018-1000204: Prevent infoleak caused by incorrect
        handling of the SG_IO ioctl (bsc#1096728)
    
      - CVE-2017-13305: Prevent information disclosure
        vulnerability in encrypted-keys (bsc#1094353)
    
      - CVE-2018-1094: The ext4_fill_super function did not
        always initialize the crc32c checksum driver, which
        allowed attackers to cause a denial of service
        (ext4_xattr_inode_hash NULL pointer dereference and
        system crash) via a crafted ext4 image (bsc#1087007)
    
      - CVE-2018-1093: The ext4_valid_block_bitmap function
        allowed attackers to cause a denial of service
        (out-of-bounds read and system crash) via a crafted ext4
        image because balloc.c and ialloc.c do not validate
        bitmap block numbers (bsc#1087095)
    
      - CVE-2018-1092: The ext4_iget function mishandled the
        case of a root directory with a zero i_links_count,
        which allowed attackers to cause a denial of service
        (ext4_process_freed_data NULL pointer dereference and
        OOPS) via a crafted ext4 image (bsc#1087012)
    
      - CVE-2018-1130: NULL pointer dereference in
        dccp_write_xmit() function that allowed a local user to
        cause a denial of service by a number of certain crafted
        system calls (bsc#1092904)
    
      - CVE-2018-5803: Prevent error in the '_sctp_make_chunk()'
        function when handling SCTP packets length that could
        have been exploited to cause a kernel crash
        (bnc#1083900)
    
      - CVE-2018-7492: Prevent NULL pointer dereference in the
        net/rds/rdma.c __rds_rdma_map() function that allowed
        local attackers to cause a system panic and a
        denial-of-service, related to RDS_GET_MR and
        RDS_GET_MR_FOR_DEST (bsc#1082962)
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1046610"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079152"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082962"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083900"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087007"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087012"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087082"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087086"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1087095"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1092552"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1092813"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1092904"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1094033"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1094353"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1094823"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1096140"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1096242"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1096281"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1096480"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1096728"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1097356"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-13305/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1000204/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1092/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1093/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1094/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1130/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-3665/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-5803/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-5848/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7492/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20181762-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?9713a18f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-2018-1184=1
    
    SUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch
    SUSE-SLE-Module-Public-Cloud-12-2018-1184=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_136-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_136-xen");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kernel-xen-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kernel-xen-base-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kernel-xen-base-debuginfo-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kernel-xen-debuginfo-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kernel-xen-debugsource-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kernel-xen-devel-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kgraft-patch-3_12_61-52_136-default-1-1.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"kgraft-patch-3_12_61-52_136-xen-1-1.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"s390x", reference:"kernel-default-man-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-default-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-default-base-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-default-base-debuginfo-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-default-debuginfo-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-default-debugsource-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-default-devel-3.12.61-52.136.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"kernel-syms-3.12.61-52.136.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1855-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP2 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the
    last seen2020-06-01
    modified2020-06-02
    plugin id110838
    published2018-07-02
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110838
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:1855-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20181030_KERNEL_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) - kernel: out-of-bounds access in the show_timer function in kernel/time /posix-timers.c (CVE-2017-18344) - kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) - kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) - kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) - kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) - kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) - kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) - kernel: Salsa20 encryption algorithm does not correctly handle zero- length inputs allowing local attackers to cause denial of service (CVE-2017-17805) - kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) - kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) - kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) - kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) - kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) - kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) - kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) - kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) - kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) - kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) - kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) - kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) - kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) - kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) - kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c (CVE-2018-7757) - kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) - kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) - kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) - kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) - kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940)
    last seen2020-03-18
    modified2018-11-27
    plugin id119187
    published2018-11-27
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119187
    titleScientific Linux Security Update : kernel on SL7.x x86_64 (20181030)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1538.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The walk_hugetlb_range() function in
    last seen2020-03-19
    modified2019-05-14
    plugin id124991
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124991
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1538)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-4127-1.NASL
    descriptionThis update for the Linux Kernel 4.4.103-92_56 fixes one issue. The following security issue was fixed : CVE-2018-5848: Fixed an unsigned integer overflow in wmi_set_ie. This could lead to a buffer overflow (bsc#1097356). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-28
    modified2018-12-18
    plugin id119740
    published2018-12-18
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119740
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:4127-1)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2019-030-01.NASL
    descriptionNew kernel packages are available for Slackware 14.2 to fix security issues.
    last seen2020-03-17
    modified2019-01-31
    plugin id121505
    published2019-01-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121505
    titleSlackware 14.2 : Slackware 14.2 kernel (SSA:2019-030-01)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3083.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.
    last seen2020-06-01
    modified2020-06-02
    plugin id118525
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118525
    titleRHEL 7 : kernel (RHSA-2018:3083)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-4153-1.NASL
    descriptionThis update for the Linux Kernel 3.12.74-60_64_88 fixes several issues. The following security issues were fixed : CVE-2018-9568: Prevent possible memory corruption due to type confusion in sk_clone_lock. This could lead to local privilege escalation (bsc#1118319). CVE-2018-5848: Fixed an unsigned integer overflow in wmi_set_ie. This could lead to a buffer overflow (bsc#1097356). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-28
    modified2018-12-18
    plugin id119744
    published2018-12-18
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119744
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:4153-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-4195-1.NASL
    descriptionThis update for the Linux Kernel 3.12.61-52_111 fixes several issues. The following security issues were fixed : CVE-2018-9568: Prevent possible memory corruption due to type confusion in sk_clone_lock. This could lead to local privilege escalation (bsc#1118319). CVE-2018-5848: Fixed an unsigned integer overflow in wmi_set_ie. This could lead to a buffer overflow (bsc#1097356). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-28
    modified2018-12-20
    plugin id119809
    published2018-12-20
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119809
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:4195-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-4157-1.NASL
    descriptionThis update for the Linux Kernel 3.12.74-60_64_93 fixes several issues. The following security issues were fixed : CVE-2018-9568: Prevent possible memory corruption due to type confusion in sk_clone_lock. This could lead to local privilege escalation (bsc#1118319). CVE-2018-5848: Fixed an unsigned integer overflow in wmi_set_ie. This could lead to a buffer overflow (bsc#1097356). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-28
    modified2018-12-18
    plugin id119746
    published2018-12-18
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119746
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:4157-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1715.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2017-18249 A race condition was discovered in the disk space allocator of F2FS. A user with access to an F2FS volume could use this to cause a denial of service or other security impact. CVE-2018-1128, CVE-2018-1129 The cephx authentication protocol used by Ceph was susceptible to replay attacks, and calculated signatures incorrectly. These vulnerabilities in the server required changes to authentication that are incompatible with existing clients. The kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id122879
    published2019-03-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122879
    titleDebian DLA-1715-1 : linux-4.9 security update (Spectre)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-3083.NASL
    descriptionFrom Red Hat Security Advisory 2018:3083 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.
    last seen2020-06-01
    modified2020-06-02
    plugin id118770
    published2018-11-07
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118770
    titleOracle Linux 7 : kernel (ELSA-2018-3083)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1772-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.136 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the
    last seen2020-06-01
    modified2020-06-02
    plugin id110660
    published2018-06-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110660
    titleSUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:1772-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-4304.NASL
    descriptionDescription of changes: [4.14.35-1818.5.4.el7uek] - RDS: NULL pointer dereference in rds_atomic_free_op (Mohamed Ghannam) [Orabug: 28020694] {CVE-2018-5333} - x86/speculation: Make enhanced IBRS the default spectre v2 mitigation (Alejandro Jimenez) [Orabug: 28474853] - x86/speculation: Enable enhanced IBRS usage (Alejandro Jimenez) [Orabug: 28474853] - x86/speculation: functions for supporting enhanced IBRS (Alejandro Jimenez) [Orabug: 28474853] - KVM: x86: Expose CLDEMOTE CPU feature to guest VM (Jingqi Liu) [Orabug: 28938290] - x86/cpufeatures: Enumerate cldemote instruction (Fenghua Yu) [Orabug: 28938290] - libiscsi: Fix NULL pointer dereference in iscsi_eh_session_reset (Fred Herard) [Orabug: 28946206] - wil6210: missing length check in wmi_set_ie (Lior David) [Orabug: 28951267] {CVE-2018-5848} - floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl (Andy Whitcroft) [Orabug: 28956546] {CVE-2018-7755} {CVE-2018-7755} [4.14.35-1818.5.3.el7uek] - hugetlbfs: use truncate mutex to prevent pmd sharing race (Mike Kravetz) [Orabug: 28896279] - xfs: enhance dinode verifier (Eric Sandeen) [Orabug: 28943579] {CVE-2018-10322} - xfs: move inode fork verifiers to xfs_dinode_verify (Darrick J. Wong) [Orabug: 28943579] {CVE-2018-10322} [4.14.35-1818.5.2.el7uek] - rds: crash at rds_ib_inc_copy_to_user+104 due to NULL ptr reference (Venkat Venkatsubra) [Orabug: 28748049] - kdump/vmcore: support encrypted old memory with SME enabled (Lianbo Jiang) [Orabug: 28796835] - amd_iommu: remap the device table of IOMMU with the memory encryption mask for kdump (Lianbo Jiang) [Orabug: 28796835] - kexec: allocate unencrypted control pages for kdump in case SME is enabled (Lianbo Jiang) [Orabug: 28796835] - x86/ioremap: add a function ioremap_encrypted() to remap kdump old memory (Lianbo Jiang) [Orabug: 28796835] - net/rds: Fix endless RNR situation (Venkat Venkatsubra) [Orabug: 28857013] - Btrfs: fix xattr loss after power failure (Filipe Manana) [Orabug: 28893942] - xen/balloon: Support xend-based toolstack (Boris Ostrovsky) [Orabug: 28901032] - Btrfs: fix file data corruption after cloning a range and fsync (Filipe Manana) [Orabug: 28905635] - xen-blkfront: fix kernel panic with negotiate_mq error path (Manjunath Patil) - cdrom: fix improper type cast, which can leat to information leak. (Young_X) [Orabug: 28929755] {CVE-2018-16658} {CVE-2018-10940} {CVE-2018-18710} - sched/fair: Use a recently used CPU as an idle candidate and the basis for SIS (Mel Gorman) [Orabug: 28940633] - sched/fair: Move select_task_rq_fair() slow-path into its own function (Brendan Jackman) [Orabug: 28940633] - certs: Add Oracle
    last seen2020-04-30
    modified2018-12-13
    plugin id119638
    published2018-12-13
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119638
    titleOracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2018-4304)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1855-2.NASL
    descriptionThe SUSE Linux Enterprise 12 SP2 LTSS kernel was updated receive various security and bugfixes. The following security bugs were fixed : CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the
    last seen2020-06-01
    modified2020-06-02
    plugin id118272
    published2018-10-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118272
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2018:1855-2)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-4509.NASL
    descriptionDescription of changes: [4.14.35-1844.1.3.el7uek] - net: rds: fix rds_ib_sysctl_max_recv_allocation error (Zhu Yanjun) [Orabug: 29003422] - nfs: don
    last seen2020-03-18
    modified2019-01-16
    plugin id121201
    published2019-01-16
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121201
    titleOracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2019-4509)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1731.NASL
    descriptionThe linux update issued as DLA-1731-1 caused a regression in the vmxnet3 (VMware virtual network adapter) driver. This update corrects that regression, and an earlier regression in the CIFS network filesystem implementation introduced in DLA-1422-1. For reference the original advisory text follows. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2016-10741 A race condition was discovered in XFS that would result in a crash (BUG). A local user permitted to write to an XFS volume could use this for denial of service. CVE-2017-5753 Further instances of code that was vulnerable to Spectre variant 1 (bounds-check bypass) have been mitigated. CVE-2017-13305 A memory over-read was discovered in the keys subsystem
    last seen2020-06-01
    modified2020-06-02
    plugin id123420
    published2019-03-28
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123420
    titleDebian DLA-1731-2 : linux regression update (Spectre)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3096.NASL
    descriptionAn update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.
    last seen2020-06-01
    modified2020-06-02
    plugin id118528
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118528
    titleRHEL 7 : kernel-rt (RHSA-2018:3096)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-762.NASL
    descriptionThe openSUSE Leap 15 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could have result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1100418) - CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow via a large relative timeout because ktime_add_safe was not used (bnc#1099924) - CVE-2018-9385: Prevent overread of the
    last seen2020-06-05
    modified2018-07-30
    plugin id111414
    published2018-07-30
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111414
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2018-762) (Spectre)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2019-0002.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - rds: congestion updates can be missed when kernel low on memory (Mukesh Kacker) [Orabug: 28425811] - net/rds: ib: Fix endless RNR Retries caused by memory allocation failures (Venkat Venkatsubra) [Orabug: 28127993] - net: rds: fix excess initialization of the recv SGEs (Zhu Yanjun) [Orabug: 29004503] - xhci: fix usb2 resume timing and races. (Mathias Nyman) [Orabug: 29028940] - xhci: Fix a race in usb2 LPM resume, blocking U3 for usb2 devices (Mathias Nyman) [Orabug: 29028940] - userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered (Andrea Arcangeli) [Orabug: 29163750] (CVE-2018-18397) - userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas (Andrea Arcangeli) [Orabug: 29163750] (CVE-2018-18397) - x86/apic/x2apic: set affinity of a single interrupt to one cpu (Jianchao Wang) [Orabug: 29196396] - xen/blkback: rework validate_io_op (Dongli Zhang) [Orabug: 29199843] - xen/blkback: optimize validate_io_op to filter BLKIF_OP_RESERVED_1 operation (Dongli Zhang) [Orabug: 29199843] - xen/blkback: do not BUG for invalid blkif_request from frontend (Dongli Zhang) [Orabug: 29199843] - net/rds: WARNING: at net/rds/recv.c:222 rds_recv_hs_exthdrs+0xf8/0x1e0 (Venkat Venkatsubra) [Orabug: 29201779] - xen-netback: wake up xenvif_dealloc_kthread when it should stop (Dongli Zhang) [Orabug: 29217927] - Revert
    last seen2020-03-18
    modified2019-02-06
    plugin id121605
    published2019-02-06
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121605
    titleOracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0002)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-656.NASL
    descriptionThe openSUSE Leap 42.3 was updated to 4.4.138 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4 (bsc#1085308 bsc#1087082) This update improves the previous Spectre Variant 4 fixes and also mitigates them on the ARM architecture. - CVE-2018-3665: The FPU state and registers of x86 CPUs were saved and restored in a lazy fashion, which opened its disclosure by speculative side channel attacks. This has been fixed by replacing the lazy save/restore by eager saving and restoring (bnc#1087086) - CVE-2018-5848: In the function wmi_set_ie(), the length validation code did not handle unsigned integer overflow properly. As a result, a large value of the
    last seen2020-06-05
    modified2018-06-22
    plugin id110658
    published2018-06-22
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110658
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2018-656) (Spectre)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-2092-1.NASL
    descriptionThe SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes. The following new feature was added : - NVDIMM memory error notification (ACPI 6.2) The following security bugs were fixed : - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could have result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1100418) - CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow via a large relative timeout because ktime_add_safe was not used (bnc#1099924) - CVE-2018-9385: Prevent overread of the
    last seen2020-03-21
    modified2019-01-02
    plugin id120067
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120067
    titleSUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2018:2092-1) (Spectre)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1259.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller
    last seen2020-03-19
    modified2019-04-04
    plugin id123727
    published2019-04-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123727
    titleEulerOS Virtualization 2.5.3 : kernel (EulerOS-SA-2019-1259)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2948.NASL
    descriptionAn update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-alt packages provide the Linux kernel version 4.x. Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id118513
    published2018-10-31
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118513
    titleRHEL 7 : kernel-alt (RHSA-2018:2948) (Spectre)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-3083.NASL
    descriptionAn update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. A remote attacker could use this flaw to trigger time and calculation expensive fragment reassembly algorithm by sending specially crafted packets which could lead to a CPU saturation and hence a denial of service on the system. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/ posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a NULL pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/ wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/ libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094.
    last seen2020-06-01
    modified2020-06-02
    plugin id118990
    published2018-11-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118990
    titleCentOS 7 : kernel (CESA-2018:3083)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1432.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the
    last seen2020-05-06
    modified2018-12-28
    plugin id119921
    published2018-12-28
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119921
    titleEulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1432)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-4316.NASL
    descriptionDescription of changes: kernel-uek [3.8.13-118.29.1.el7uek] - Copy secure_boot flag in boot params across kexec reboot (Dave Young) [Orabug: 22066352] {CVE-2015-7837} - ipv6: tcp: add rcu locking in tcp_v6_send_synack() (Eric Dumazet) [Orabug: 25059183] {CVE-2016-3841} - ipv6: add complete rcu protection around np->opt (Eric Dumazet) [Orabug: 25059183] {CVE-2016-3841} - scsi: qla2xxx: Fix an integer overflow in sysfs code (Dan Carpenter) [Orabug: 28220420] {CVE-2017-14051} - ext4: fail ext4_iget for root directory if unallocated (Theodore Ts
    last seen2020-03-18
    modified2019-01-07
    plugin id120977
    published2019-01-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120977
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4316)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-536.NASL
    descriptionThe openSUSE Leap 15 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could have result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1100418) - CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow via a large relative timeout because ktime_add_safe was not used (bnc#1099924) - CVE-2018-9385: Prevent overread of the
    last seen2020-06-01
    modified2020-06-02
    plugin id123226
    published2019-03-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123226
    titleopenSUSE Security Update : the Linux Kernel (openSUSE-2019-536) (Spectre)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0074_KERNEL-RT.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities: - Integer overflow in the aio_setup_single_vector function in fs/aio.c in the Linux kernel 4.0 allows local users to cause a denial of service or possibly have unspecified other impact via a large AIO iovec. NOTE: this vulnerability exists because of a CVE-2012-6701 regression. (CVE-2015-8830) - A weakness was found in the Linux ASLR implementation. Any user able to running 32-bit applications in a x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited. (CVE-2016-3672) - The xc2028_set_config function in drivers/media/tuners/tuner-xc2028.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) via vectors involving omission of the firmware name from a certain data structure. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2016-7913) - Use-after-free vulnerability in the snd_pcm_info() function in the ALSA subsystem in the Linux kernel allows attackers to induce a kernel memory corruption and possibly crash or lock up a system. Due to the nature of the flaw, a privilege escalation cannot be fully ruled out, although we believe it is unlikely. (CVE-2017-0861) - A reachable assertion failure flaw was found in the Linux kernel built with KVM virtualisation(CONFIG_KVM) support with Virtual Function I/O feature (CONFIG_VFIO) enabled. This failure could occur if a malicious guest device sent a virtual interrupt (guest IRQ) with a larger (>1024) index value. (CVE-2017-1000252) - Linux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. (CVE-2017-1000407) - A flaw was found in the processing of incoming L2CAP bluetooth commands. Uninitialized stack variables can be sent to an attacker leaking data in kernel address space. (CVE-2017-1000410) - A race condition was found in the Linux kernel before version 4.11-rc1 in
    last seen2020-06-01
    modified2020-06-02
    plugin id127281
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127281
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0074)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1156.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658.(CVE-2018-18710) - A flaw was found in mmap in the Linux kernel allowing the process to map a null page. This allows attackers to abuse this mechanism to turn null pointer dereferences into workable exploits.(CVE-2019-9213) - The Linux kernel does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.(CVE-2018-1118) - It was found that the raw midi kernel driver does not protect against concurrent access which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl() handler in rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation.(CVE-2018-10902) - A flaw was discovered in the Linux kernel
    last seen2020-05-06
    modified2019-04-02
    plugin id123630
    published2019-04-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123630
    titleEulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1156)

Redhat

advisories
  • rhsa
    idRHSA-2018:2948
  • rhsa
    idRHSA-2018:3083
  • rhsa
    idRHSA-2018:3096
rpms
  • kernel-0:4.14.0-115.el7a
  • kernel-abi-whitelists-0:4.14.0-115.el7a
  • kernel-bootwrapper-0:4.14.0-115.el7a
  • kernel-debug-0:4.14.0-115.el7a
  • kernel-debug-debuginfo-0:4.14.0-115.el7a
  • kernel-debug-devel-0:4.14.0-115.el7a
  • kernel-debuginfo-0:4.14.0-115.el7a
  • kernel-debuginfo-common-aarch64-0:4.14.0-115.el7a
  • kernel-debuginfo-common-ppc64le-0:4.14.0-115.el7a
  • kernel-debuginfo-common-s390x-0:4.14.0-115.el7a
  • kernel-devel-0:4.14.0-115.el7a
  • kernel-doc-0:4.14.0-115.el7a
  • kernel-headers-0:4.14.0-115.el7a
  • kernel-kdump-0:4.14.0-115.el7a
  • kernel-kdump-debuginfo-0:4.14.0-115.el7a
  • kernel-kdump-devel-0:4.14.0-115.el7a
  • kernel-tools-0:4.14.0-115.el7a
  • kernel-tools-debuginfo-0:4.14.0-115.el7a
  • kernel-tools-libs-0:4.14.0-115.el7a
  • kernel-tools-libs-devel-0:4.14.0-115.el7a
  • perf-0:4.14.0-115.el7a
  • perf-debuginfo-0:4.14.0-115.el7a
  • python-perf-0:4.14.0-115.el7a
  • python-perf-debuginfo-0:4.14.0-115.el7a
  • bpftool-0:3.10.0-957.el7
  • kernel-0:3.10.0-957.el7
  • kernel-abi-whitelists-0:3.10.0-957.el7
  • kernel-bootwrapper-0:3.10.0-957.el7
  • kernel-debug-0:3.10.0-957.el7
  • kernel-debug-debuginfo-0:3.10.0-957.el7
  • kernel-debug-devel-0:3.10.0-957.el7
  • kernel-debuginfo-0:3.10.0-957.el7
  • kernel-debuginfo-common-ppc64-0:3.10.0-957.el7
  • kernel-debuginfo-common-ppc64le-0:3.10.0-957.el7
  • kernel-debuginfo-common-s390x-0:3.10.0-957.el7
  • kernel-debuginfo-common-x86_64-0:3.10.0-957.el7
  • kernel-devel-0:3.10.0-957.el7
  • kernel-doc-0:3.10.0-957.el7
  • kernel-headers-0:3.10.0-957.el7
  • kernel-kdump-0:3.10.0-957.el7
  • kernel-kdump-debuginfo-0:3.10.0-957.el7
  • kernel-kdump-devel-0:3.10.0-957.el7
  • kernel-tools-0:3.10.0-957.el7
  • kernel-tools-debuginfo-0:3.10.0-957.el7
  • kernel-tools-libs-0:3.10.0-957.el7
  • kernel-tools-libs-devel-0:3.10.0-957.el7
  • perf-0:3.10.0-957.el7
  • perf-debuginfo-0:3.10.0-957.el7
  • python-perf-0:3.10.0-957.el7
  • python-perf-debuginfo-0:3.10.0-957.el7
  • kernel-rt-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-devel-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-kvm-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debug-kvm-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-debuginfo-common-x86_64-0:3.10.0-957.rt56.910.el7
  • kernel-rt-devel-0:3.10.0-957.rt56.910.el7
  • kernel-rt-doc-0:3.10.0-957.rt56.910.el7
  • kernel-rt-kvm-0:3.10.0-957.rt56.910.el7
  • kernel-rt-kvm-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-debuginfo-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-devel-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-kvm-0:3.10.0-957.rt56.910.el7
  • kernel-rt-trace-kvm-debuginfo-0:3.10.0-957.rt56.910.el7