Vulnerabilities > CVE-2019-11139 - Improper Check for Unusual or Exceptional Conditions vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
HIGH Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
Improper conditions check in the voltage modulation interface for some Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable denial of service via local access.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_FBE10A8A05A111EA9DFAF8B156AC3FF9.NASL description Starting with version 1.26, the devcpu-data port/package includes updates and mitigations for the following technical and security advisories (depending on CPU model). Intel TSX Updates (TAA) CVE-2019-11135 Voltage Modulation Vulnerability CVE-2019-11139 MD_CLEAR Operations CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2018-11091 TA Indirect Sharing CVE-2017-5715 EGETKEY CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2018-11091 JCC SKX102 Erratum Updated microcode includes mitigations for CPU issues, but may also cause a performance regression due to the JCC erratum mitigation. Please visit http://www.intel.com/benchmarks for further information. Please visit http://www.intel.com/security for detailed information on these advisories as well as a list of CPUs that are affected. Operating a CPU without the latest microcode may result in erratic or unpredictable behavior, including system crashes and lock ups. Certain issues listed in this advisory may result in the leakage of privileged system information to unprivileged users. Please refer to the security advisories listed above for detailed information. last seen 2020-06-01 modified 2020-06-02 plugin id 131297 published 2019-11-26 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131297 title FreeBSD : FreeBSD -- Intel CPU Microcode Update (fbe10a8a-05a1-11ea-9dfa-f8b156ac3ff9) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (Spectre) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2019 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(131297); script_version("1.2"); script_cvs_date("Date: 2019/12/09"); script_cve_id("CVE-2017-5715", "CVE-2018-11091", "CVE-2018-12126", "CVE-2018-12127", "CVE-2018-12130", "CVE-2019-11135", "CVE-2019-11139"); script_xref(name:"FreeBSD", value:"SA-19:26.mcu"); script_name(english:"FreeBSD : FreeBSD -- Intel CPU Microcode Update (fbe10a8a-05a1-11ea-9dfa-f8b156ac3ff9) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (Spectre)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "Starting with version 1.26, the devcpu-data port/package includes updates and mitigations for the following technical and security advisories (depending on CPU model). Intel TSX Updates (TAA) CVE-2019-11135 Voltage Modulation Vulnerability CVE-2019-11139 MD_CLEAR Operations CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2018-11091 TA Indirect Sharing CVE-2017-5715 EGETKEY CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2018-11091 JCC SKX102 Erratum Updated microcode includes mitigations for CPU issues, but may also cause a performance regression due to the JCC erratum mitigation. Please visit http://www.intel.com/benchmarks for further information. Please visit http://www.intel.com/security for detailed information on these advisories as well as a list of CPUs that are affected. Operating a CPU without the latest microcode may result in erratic or unpredictable behavior, including system crashes and lock ups. Certain issues listed in this advisory may result in the leakage of privileged system information to unprivileged users. Please refer to the security advisories listed above for detailed information." ); # https://vuxml.freebsd.org/freebsd/fbe10a8a-05a1-11ea-9dfa-f8b156ac3ff9.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?516d0c37" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:FreeBSD"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/26"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); if (report_paranoia < 2) audit(AUDIT_PARANOID); flag = 0; if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=12.1<12.1_1")) flag++; if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=12.0<12.0_12")) flag++; if (pkg_test(save_report:TRUE, pkg:"FreeBSD>=11.3<11.3_5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4182-3.NASL description USN-4182-1 provided updated Intel Processor Microcode. A regression was discovered that caused some Skylake processors to hang after a warm reboot. This update reverts the microcode for that specific processor family. We apologize for the inconvenience. Original advisory details : Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in microarchitectural buffers to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11135) It was discovered that certain Intel Xeon processors did not properly restrict access to a voltage modulation interface. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2019-11139). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 131694 published 2019-12-04 reporter Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131694 title Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : intel-microcode regression (USN-4182-3) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-4182-3. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(131694); script_version("1.3"); script_cvs_date("Date: 2019/12/13"); script_cve_id("CVE-2019-11135", "CVE-2019-11139"); script_xref(name:"USN", value:"4182-3"); script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : intel-microcode regression (USN-4182-3)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "USN-4182-1 provided updated Intel Processor Microcode. A regression was discovered that caused some Skylake processors to hang after a warm reboot. This update reverts the microcode for that specific processor family. We apologize for the inconvenience. Original advisory details : Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in microarchitectural buffers to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11135) It was discovered that certain Intel Xeon processors did not properly restrict access to a voltage modulation interface. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2019-11139). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/4182-3/" ); script_set_attribute( attribute:"solution", value:"Update the affected intel-microcode package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11135"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:intel-microcode"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/04"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(16\.04|18\.04|19\.04|19\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.04 / 19.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"16.04", pkgname:"intel-microcode", pkgver:"3.20191115.1ubuntu0.16.04.2")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"intel-microcode", pkgver:"3.20191115.1ubuntu0.18.04.2")) flag++; if (ubuntu_check(osver:"19.04", pkgname:"intel-microcode", pkgver:"3.20191115.1ubuntu0.19.04.2")) flag++; if (ubuntu_check(osver:"19.10", pkgname:"intel-microcode", pkgver:"3.20191115.1ubuntu0.19.10.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "intel-microcode"); }
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4182-1.NASL description Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in microarchitectural buffers to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11135) It was discovered that certain Intel Xeon processors did not properly restrict access to a voltage modulation interface. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2019-11139). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 130962 published 2019-11-13 reporter Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130962 title Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : intel-microcode update (USN-4182-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-4182-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(130962); script_version("1.5"); script_cvs_date("Date: 2019/12/13"); script_cve_id("CVE-2019-11135", "CVE-2019-11139"); script_xref(name:"USN", value:"4182-1"); script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : intel-microcode update (USN-4182-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss, and Jo Van Bulck discovered that Intel processors using Transactional Synchronization Extensions (TSX) could expose memory contents previously stored in microarchitectural buffers to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information. (CVE-2019-11135) It was discovered that certain Intel Xeon processors did not properly restrict access to a voltage modulation interface. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2019-11139). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/4182-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected intel-microcode package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11135"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:intel-microcode"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/13"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(16\.04|18\.04|19\.04|19\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04 / 19.04 / 19.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"16.04", pkgname:"intel-microcode", pkgver:"3.20191112-0ubuntu0.16.04.2")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"intel-microcode", pkgver:"3.20191112-0ubuntu0.18.04.2")) flag++; if (ubuntu_check(osver:"19.04", pkgname:"intel-microcode", pkgver:"3.20191112-0ubuntu0.19.04.2")) flag++; if (ubuntu_check(osver:"19.10", pkgname:"intel-microcode", pkgver:"3.20191112-0ubuntu0.19.10.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "intel-microcode"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2987-1.NASL description This update for ucode-intel fixes the following issues : Updated to 20191112 official security release (bsc#1155988) Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 131122 published 2019-11-18 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131122 title SUSE SLED15 / SLES15 Security Update : ucode-intel (SUSE-SU-2019:2987-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2019:2987-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(131122); script_version("1.5"); script_cvs_date("Date: 2019/12/13"); script_cve_id("CVE-2019-11135", "CVE-2019-11139"); script_name(english:"SUSE SLED15 / SLES15 Security Update : ucode-intel (SUSE-SU-2019:2987-1)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for ucode-intel fixes the following issues : Updated to 20191112 official security release (bsc#1155988) Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1139073" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1141035" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1155988" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11135/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11139/" ); # https://www.suse.com/support/update/announcement/2019/suse-su-20192987-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?040b3f09" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2987=1" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11135"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ucode-intel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP1", os_ver + " SP" + sp); if (os_ver == "SLED15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP1", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"ucode-intel-20191112a-3.13.2")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"x86_64", reference:"ucode-intel-20191112a-3.13.2")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ucode-intel"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-3091-1.NASL description This update for ucode-intel to version fixes the following issues : Updated to 20191115 official security release (bsc#1157004 and bsc#1155988) Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 131552 published 2019-12-03 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131552 title SUSE SLES12 Security Update : ucode-intel (SUSE-SU-2019:3091-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2019:3091-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(131552); script_version("1.3"); script_cvs_date("Date: 2019/12/13"); script_cve_id("CVE-2019-11135", "CVE-2019-11139"); script_name(english:"SUSE SLES12 Security Update : ucode-intel (SUSE-SU-2019:3091-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for ucode-intel to version fixes the following issues : Updated to 20191115 official security release (bsc#1157004 and bsc#1155988) Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1139073" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1141035" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1155988" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1157004" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11135/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11139/" ); # https://www.suse.com/support/update/announcement/2019/suse-su-20193091-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?cd283a9a" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 12-SP5:zypper in -t patch SUSE-SLE-SERVER-12-SP5-2019-3091=1" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11135"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ucode-intel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ucode-intel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ucode-intel-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(5)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP5", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"5", cpu:"x86_64", reference:"ucode-intel-20191115-3.3.1")) flag++; if (rpm_check(release:"SLES12", sp:"5", cpu:"x86_64", reference:"ucode-intel-debuginfo-20191115-3.3.1")) flag++; if (rpm_check(release:"SLES12", sp:"5", cpu:"x86_64", reference:"ucode-intel-debugsource-20191115-3.3.1")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ucode-intel"); }
NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2019-1364.NASL description This security update is only applicable to EC2 Bare Metal instance types using Intel processors. Intel has released microcode updates for certain Intel CPUs. After installing the updated microcode_ctl package, the microcode will be automatically activated on next boot. Improper conditions check in the voltage modulation interface for some Intel Xeon Scalable Processors may allow a privileged user to potentially enable denial of service via local access.(CVE-2019-11139) TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.(CVE-2019-11135) last seen 2020-06-01 modified 2020-06-02 plugin id 131082 published 2019-11-18 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131082 title Amazon Linux 2 : microcode_ctl / kernel (ALAS-2019-1364) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux 2 Security Advisory ALAS-2019-1364. # include("compat.inc"); if (description) { script_id(131082); script_version("1.5"); script_cvs_date("Date: 2019/12/13"); script_cve_id("CVE-2019-11135", "CVE-2019-11139"); script_xref(name:"ALAS", value:"2019-1364"); script_name(english:"Amazon Linux 2 : microcode_ctl / kernel (ALAS-2019-1364)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux 2 host is missing a security update." ); script_set_attribute( attribute:"description", value: "This security update is only applicable to EC2 Bare Metal instance types using Intel processors. Intel has released microcode updates for certain Intel CPUs. After installing the updated microcode_ctl package, the microcode will be automatically activated on next boot. Improper conditions check in the voltage modulation interface for some Intel Xeon Scalable Processors may allow a privileged user to potentially enable denial of service via local access.(CVE-2019-11139) TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.(CVE-2019-11135)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALAS-2019-1364.html" ); script_set_attribute( attribute:"solution", value: "Run 'yum update microcode_ctl' to update your system. Run 'yum update kernel' and reboot to update your system." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11135"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:microcode_ctl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:microcode_ctl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python-perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:python-perf-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "2") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-4.14.152-127.182.amzn2")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-debuginfo-4.14.152-127.182.amzn2")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-4.14.152-127.182.amzn2")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-devel-4.14.152-127.182.amzn2")) flag++; if (rpm_check(release:"AL2", reference:"kernel-headers-4.14.152-127.182.amzn2")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-tools-4.14.152-127.182.amzn2")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-tools-debuginfo-4.14.152-127.182.amzn2")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"kernel-tools-devel-4.14.152-127.182.amzn2")) flag++; if (rpm_check(release:"AL2", reference:"microcode_ctl-2.1-47.amzn2.0.4")) flag++; if (rpm_check(release:"AL2", reference:"microcode_ctl-debuginfo-2.1-47.amzn2.0.4")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"perf-4.14.152-127.182.amzn2")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"perf-debuginfo-4.14.152-127.182.amzn2")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"python-perf-4.14.152-127.182.amzn2")) flag++; if (rpm_check(release:"AL2", cpu:"x86_64", reference:"python-perf-debuginfo-4.14.152-127.182.amzn2")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debuginfo / kernel-debuginfo-common-x86_64 / etc"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2988-1.NASL description This update for ucode-intel fixes the following issues : Updated to 20191112 official security release (bsc#1155988) Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 131123 published 2019-11-18 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131123 title SUSE SLED12 / SLES12 Security Update : ucode-intel (SUSE-SU-2019:2988-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2019:2988-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(131123); script_version("1.5"); script_cvs_date("Date: 2019/12/13"); script_cve_id("CVE-2019-11135", "CVE-2019-11139"); script_name(english:"SUSE SLED12 / SLES12 Security Update : ucode-intel (SUSE-SU-2019:2988-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for ucode-intel fixes the following issues : Updated to 20191112 official security release (bsc#1155988) Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1139073" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1141035" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1155988" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11135/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11139/" ); # https://www.suse.com/support/update/announcement/2019/suse-su-20192988-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?b8084be6" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE OpenStack Cloud Crowbar 8:zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2019-2988=1 SUSE OpenStack Cloud 8:zypper in -t patch SUSE-OpenStack-Cloud-8-2019-2988=1 SUSE OpenStack Cloud 7:zypper in -t patch SUSE-OpenStack-Cloud-7-2019-2988=1 SUSE Linux Enterprise Server for SAP 12-SP3:zypper in -t patch SUSE-SLE-SAP-12-SP3-2019-2988=1 SUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-2988=1 SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-2988=1 SUSE Linux Enterprise Server 12-SP4:zypper in -t patch SUSE-SLE-SERVER-12-SP4-2019-2988=1 SUSE Linux Enterprise Server 12-SP3-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP3-2019-2988=1 SUSE Linux Enterprise Server 12-SP3-BCL:zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2019-2988=1 SUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-2988=1 SUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-2988=1 SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-2988=1 SUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch SUSE-SLE-DESKTOP-12-SP4-2019-2988=1 SUSE Enterprise Storage 5:zypper in -t patch SUSE-Storage-5-2019-2988=1 SUSE CaaS Platform 3.0 : To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. HPE Helion Openstack 8:zypper in -t patch HPE-Helion-OpenStack-8-2019-2988=1" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11135"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ucode-intel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ucode-intel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ucode-intel-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(1|2|3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1/2/3/4", os_ver + " SP" + sp); if (os_ver == "SLED12" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"ucode-intel-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"ucode-intel-debuginfo-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"ucode-intel-debugsource-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"ucode-intel-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"ucode-intel-debuginfo-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"4", cpu:"x86_64", reference:"ucode-intel-debugsource-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"ucode-intel-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"ucode-intel-debuginfo-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"ucode-intel-debugsource-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"ucode-intel-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"ucode-intel-debuginfo-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"3", cpu:"x86_64", reference:"ucode-intel-debugsource-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"ucode-intel-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"ucode-intel-debuginfo-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"ucode-intel-debugsource-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"ucode-intel-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"ucode-intel-debuginfo-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"ucode-intel-debugsource-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"ucode-intel-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"ucode-intel-debuginfo-20191112a-13.56.1")) flag++; if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"ucode-intel-debugsource-20191112a-13.56.1")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ucode-intel"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4565.NASL description This update ships updated CPU microcode for some types of Intel CPUs. In particular it provides mitigations for the TAA (TSX Asynchronous Abort) vulnerability. For affected CPUs, to fully mitigate the vulnerability it is also necessary to update the Linux kernel packages as released in DSA 4564-1. last seen 2020-06-01 modified 2020-06-02 plugin id 130983 published 2019-11-14 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130983 title Debian DSA-4565-1 : intel-microcode - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4565. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(130983); script_version("1.5"); script_cvs_date("Date: 2019/12/13"); script_cve_id("CVE-2019-11135", "CVE-2019-11139"); script_xref(name:"DSA", value:"4565"); script_name(english:"Debian DSA-4565-1 : intel-microcode - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "This update ships updated CPU microcode for some types of Intel CPUs. In particular it provides mitigations for the TAA (TSX Asynchronous Abort) vulnerability. For affected CPUs, to fully mitigate the vulnerability it is also necessary to update the Linux kernel packages as released in DSA 4564-1." ); # https://security-tracker.debian.org/tracker/source-package/intel-microcode script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?019586d4" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/intel-microcode" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/buster/intel-microcode" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4565" ); script_set_attribute( attribute:"solution", value: "Upgrade the intel-microcode packages. For the oldstable distribution (stretch), these problems have been fixed in version 3.20191112.1~deb9u1. For the stable distribution (buster), these problems have been fixed in version 3.20191112.1~deb10u1." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11135"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:intel-microcode"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"10.0", prefix:"intel-microcode", reference:"3.20191112.1~deb10u1")) flag++; if (deb_check(release:"9.0", prefix:"intel-microcode", reference:"3.20191112.1~deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:deb_report_get()); else security_note(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Fedora Local Security Checks NASL id FEDORA_2019-68D7F68507.NASL description The 5.3.11 stable kernel update contains a number of important security updates across the tree, including mitigations for the most recent hardware issues disclosed on Nov 12. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 130920 published 2019-11-13 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130920 title Fedora 31 : 2:microcode_ctl / kernel / kernel-headers / kernel-tools (2019-68d7f68507) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-68d7f68507. # include("compat.inc"); if (description) { script_id(130920); script_version("1.4"); script_cvs_date("Date: 2019/12/12"); script_cve_id("CVE-2018-12207", "CVE-2019-0117", "CVE-2019-0154", "CVE-2019-0155", "CVE-2019-11135", "CVE-2019-11139"); script_xref(name:"FEDORA", value:"2019-68d7f68507"); script_name(english:"Fedora 31 : 2:microcode_ctl / kernel / kernel-headers / kernel-tools (2019-68d7f68507)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The 5.3.11 stable kernel update contains a number of important security updates across the tree, including mitigations for the most recent hardware issues disclosed on Nov 12. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-68d7f68507" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:2:microcode_ctl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:31"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/13"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^31([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 31", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2018-12207", "CVE-2019-0117", "CVE-2019-0154", "CVE-2019-0155", "CVE-2019-11135", "CVE-2019-11139"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2019-68d7f68507"); } else { __rpm_report = ksplice_reporting_text(); } } flag = 0; if (rpm_check(release:"FC31", reference:"microcode_ctl-2.1-33.fc31", epoch:"2")) flag++; if (rpm_check(release:"FC31", reference:"kernel-5.3.11-300.fc31")) flag++; if (rpm_check(release:"FC31", reference:"kernel-headers-5.3.11-300.fc31")) flag++; if (rpm_check(release:"FC31", reference:"kernel-tools-5.3.11-300.fc31")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "2:microcode_ctl / kernel / kernel-headers / kernel-tools"); }
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2019-1318.NASL description This security update is only applicable to EC2 Bare Metal instance types using Intel processors. Intel has released microcode updates for certain Intel CPUs. After installing the updated microcode_ctl package, the microcode will be automatically activated on next boot. Improper conditions check in the voltage modulation interface for some Intel Xeon Scalable Processors may allow a privileged user to potentially enable denial of service via local access.(CVE-2019-11139) TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.(CVE-2019-11135) last seen 2020-06-01 modified 2020-06-02 plugin id 131083 published 2019-11-18 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131083 title Amazon Linux AMI : microcode_ctl / kernel (ALAS-2019-1318) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2019-1318. # include("compat.inc"); if (description) { script_id(131083); script_version("1.5"); script_cvs_date("Date: 2019/12/13"); script_cve_id("CVE-2019-11135", "CVE-2019-11139"); script_xref(name:"ALAS", value:"2019-1318"); script_name(english:"Amazon Linux AMI : microcode_ctl / kernel (ALAS-2019-1318)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "This security update is only applicable to EC2 Bare Metal instance types using Intel processors. Intel has released microcode updates for certain Intel CPUs. After installing the updated microcode_ctl package, the microcode will be automatically activated on next boot. Improper conditions check in the voltage modulation interface for some Intel Xeon Scalable Processors may allow a privileged user to potentially enable denial of service via local access.(CVE-2019-11139) TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.(CVE-2019-11135)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2019-1318.html" ); script_set_attribute( attribute:"solution", value: "Run 'yum update microcode_ctl' to update your system. Run 'yum update kernel' and reboot to update your system." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11135"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:kernel-tools-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:microcode_ctl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:microcode_ctl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:perf-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"kernel-4.14.152-98.182.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"kernel-debuginfo-4.14.152-98.182.amzn1")) flag++; if (rpm_check(release:"ALA", cpu:"i686", reference:"kernel-debuginfo-common-i686-4.14.152-98.182.amzn1")) flag++; if (rpm_check(release:"ALA", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-4.14.152-98.182.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"kernel-devel-4.14.152-98.182.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"kernel-headers-4.14.152-98.182.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"kernel-tools-4.14.152-98.182.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"kernel-tools-debuginfo-4.14.152-98.182.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"kernel-tools-devel-4.14.152-98.182.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"microcode_ctl-2.1-47.36.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"microcode_ctl-debuginfo-2.1-47.36.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"perf-4.14.152-98.182.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"perf-debuginfo-4.14.152-98.182.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-debuginfo / kernel-debuginfo-common-i686 / etc"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2504.NASL description This update for ucode-intel fixes the following issues : - Updated to 20191112 security release (bsc#1155988) - Processor Identifier Version Products - Model Stepping F-MO-S/PI Old->New - ---- new platforms ---------------------------------------- - CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile - CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile - SKX-SP B1 6-55-3/97 01000150 Xeon Scalable - ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile - ---- updated platforms ------------------------------------ - SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile - SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6 - AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile - KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile - CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile - WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile - AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile - KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8 - KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6 - CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E - CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8 - CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile - Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 131058 published 2019-11-15 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131058 title openSUSE Security Update : ucode-intel (openSUSE-2019-2504) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2019-2504. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(131058); script_version("1.5"); script_cvs_date("Date: 2019/12/13"); script_cve_id("CVE-2019-11135", "CVE-2019-11139"); script_name(english:"openSUSE Security Update : ucode-intel (openSUSE-2019-2504)"); script_summary(english:"Check for the openSUSE-2019-2504 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for ucode-intel fixes the following issues : - Updated to 20191112 security release (bsc#1155988) - Processor Identifier Version Products - Model Stepping F-MO-S/PI Old->New - ---- new platforms ---------------------------------------- - CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile - CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile - SKX-SP B1 6-55-3/97 01000150 Xeon Scalable - ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile - ---- updated platforms ------------------------------------ - SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile - SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6 - AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile - KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile - CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile - WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile - AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile - KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8 - KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6 - CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E - CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8 - CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile - Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) This update was imported from the SUSE:SLE-15:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1139073" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1141035" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1155988" ); script_set_attribute( attribute:"solution", value:"Update the affected ucode-intel package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11135"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:ucode-intel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/15"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE15.0", reference:"ucode-intel-20191112-lp150.2.30.1") ) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ucode-intel"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2019-7A3FC17778.NASL description The 5.3.11 stable kernel update contains a number of important security updates across the tree, including mitigations for the most recent hardware issues disclosed on Nov 12. ---- The 5.3.9 update contains a number of important fixes across the tree ---- Update to upstream 2.1-22. 20190618 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 130989 published 2019-11-14 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130989 title Fedora 29 : 2:microcode_ctl / kernel / kernel-headers / kernel-tools (2019-7a3fc17778) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-7a3fc17778. # include("compat.inc"); if (description) { script_id(130989); script_version("1.4"); script_cvs_date("Date: 2019/12/12"); script_cve_id("CVE-2018-12207", "CVE-2019-0117", "CVE-2019-0154", "CVE-2019-0155", "CVE-2019-11135", "CVE-2019-11139"); script_xref(name:"FEDORA", value:"2019-7a3fc17778"); script_name(english:"Fedora 29 : 2:microcode_ctl / kernel / kernel-headers / kernel-tools (2019-7a3fc17778)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The 5.3.11 stable kernel update contains a number of important security updates across the tree, including mitigations for the most recent hardware issues disclosed on Nov 12. ---- The 5.3.9 update contains a number of important fixes across the tree ---- Update to upstream 2.1-22. 20190618 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-7a3fc17778" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:2:microcode_ctl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:29"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^29([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 29", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2018-12207", "CVE-2019-0117", "CVE-2019-0154", "CVE-2019-0155", "CVE-2019-11135", "CVE-2019-11139"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2019-7a3fc17778"); } else { __rpm_report = ksplice_reporting_text(); } } flag = 0; if (rpm_check(release:"FC29", reference:"microcode_ctl-2.1-33.fc29", epoch:"2")) flag++; if (rpm_check(release:"FC29", reference:"kernel-5.3.11-100.fc29")) flag++; if (rpm_check(release:"FC29", reference:"kernel-headers-5.3.11-100.fc29")) flag++; if (rpm_check(release:"FC29", reference:"kernel-tools-5.3.11-100.fc29")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "2:microcode_ctl / kernel / kernel-headers / kernel-tools"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2986-1.NASL description This update for ucode-intel fixes the following issues : Updated to 20191112 official security release (bsc#1155988) Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 131121 published 2019-11-18 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131121 title SUSE SLED15 / SLES15 Security Update : ucode-intel (SUSE-SU-2019:2986-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2019:2986-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(131121); script_version("1.5"); script_cvs_date("Date: 2019/12/13"); script_cve_id("CVE-2019-11135", "CVE-2019-11139"); script_name(english:"SUSE SLED15 / SLES15 Security Update : ucode-intel (SUSE-SU-2019:2986-1)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for ucode-intel fixes the following issues : Updated to 20191112 official security release (bsc#1155988) Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1139073" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1141035" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1155988" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11135/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11139/" ); # https://www.suse.com/support/update/announcement/2019/suse-su-20192986-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?85ecd059" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2986=1" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11135"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ucode-intel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/14"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP0", os_ver + " SP" + sp); if (os_ver == "SLED15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"ucode-intel-20191112a-3.31.1")) flag++; if (rpm_check(release:"SLED15", sp:"0", cpu:"x86_64", reference:"ucode-intel-20191112a-3.31.1")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ucode-intel"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2509.NASL description This update for ucode-intel fixes the following issues : - Updated to 20191112 security release (bsc#1155988) - Processor Identifier Version Products - Model Stepping F-MO-S/PI Old->New - ---- new platforms ---------------------------------------- - CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile - CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile - SKX-SP B1 6-55-3/97 01000150 Xeon Scalable - ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile - ---- updated platforms ------------------------------------ - SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile - SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6 - AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile - KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile - CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile - WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile - AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile - KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8 - KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6 - CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E - CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8 - CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile - Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) This update was imported from the SUSE:SLE-15-SP1:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 131063 published 2019-11-15 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131063 title openSUSE Security Update : ucode-intel (openSUSE-2019-2509) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2959-1.NASL description This update for ucode-intel fixes the following issues : Updated to 20191112 security release (bsc#1155988) - Processor Identifier Version Products - Model Stepping F-MO-S/PI Old->New - ---- new platforms ---------------------------------------- - CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile - CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile - SKX-SP B1 6-55-3/97 01000150 Xeon Scalable - ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile - ---- updated platforms ------------------------------------ - SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile - SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6 - AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile - KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile - CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile - WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile - AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile - KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8 - KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6 - CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E - CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8 - CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) requires coreutils for the %post script (bsc#1154043) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 130957 published 2019-11-13 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130957 title SUSE SLED12 / SLES12 Security Update : ucode-intel (SUSE-SU-2019:2959-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2958-1.NASL description This update for ucode-intel fixes the following issues : Updated to 20191112 security release (bsc#1155988) - Processor Identifier Version Products - Model Stepping F-MO-S/PI Old->New - ---- new platforms ---------------------------------------- - CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile - CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile - SKX-SP B1 6-55-3/97 01000150 Xeon Scalable - ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile - ---- updated platforms ------------------------------------ - SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile - SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6 - AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile - KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile - CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile - WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile - AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile - KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8 - KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6 - CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E - CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8 - CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 130956 published 2019-11-13 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130956 title SUSE SLED15 / SLES15 Security Update : ucode-intel (SUSE-SU-2019:2958-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2957-1.NASL description This update for ucode-intel fixes the following issues : Updated to 20191112 security release (bsc#1155988) - Processor Identifier Version Products - Model Stepping F-MO-S/PI Old->New - ---- new platforms ---------------------------------------- - CML-U62 A0 6-a6-0/80 000000c6 Core Gen10 Mobile - CNL-U D0 6-66-3/80 0000002a Core Gen8 Mobile - SKX-SP B1 6-55-3/97 01000150 Xeon Scalable - ICL U/Y D1 6-7e-5/80 00000046 Core Gen10 Mobile - ---- updated platforms ------------------------------------ - SKL U/Y D0 6-4e-3/c0 000000cc->000000d4 Core Gen6 Mobile - SKL H/S/E3 R0/N0 6-5e-3/36 000000cc->000000d4 Core Gen6 - AML-Y22 H0 6-8e-9/10 000000b4->000000c6 Core Gen8 Mobile - KBL-U/Y H0 6-8e-9/c0 000000b4->000000c6 Core Gen7 Mobile - CFL-U43e D0 6-8e-a/c0 000000b4->000000c6 Core Gen8 Mobile - WHL-U W0 6-8e-b/d0 000000b8->000000c6 Core Gen8 Mobile - AML-Y V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - CML-U42 V0 6-8e-c/94 000000b8->000000c6 Core Gen10 Mobile - WHL-U V0 6-8e-c/94 000000b8->000000c6 Core Gen8 Mobile - KBL-G/X H0 6-9e-9/2a 000000b4->000000c6 Core Gen7/Gen8 - KBL-H/S/E3 B0 6-9e-9/2a 000000b4->000000c6 Core Gen7; Xeon E3 v6 - CFL-H/S/E3 U0 6-9e-a/22 000000b4->000000c6 Core Gen8 Desktop, Mobile, Xeon E - CFL-S B0 6-9e-b/02 000000b4->000000c6 Core Gen8 - CFL-H R0 6-9e-d/22 000000b8->000000c6 Core Gen9 Mobile Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 130955 published 2019-11-13 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130955 title SUSE SLED15 / SLES15 Security Update : ucode-intel (SUSE-SU-2019:2957-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2528.NASL description This update for ucode-intel fixes the following issues : - Updated to 20191112 official security release (bsc#1155988) - Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) This update was imported from the SUSE:SLE-15-SP1:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 131156 published 2019-11-20 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131156 title openSUSE Security Update : ucode-intel (openSUSE-2019-2528) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2051.NASL description This update ships updated CPU microcode for some types of Intel CPUs. In particular it provides mitigations for the TAA (TSX Asynchronous Abort) vulnerability. For affected CPUs, to fully mitigate the vulnerability it is also necessary to update the Linux kernel packages as released in DLA 1989-1. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 132513 published 2019-12-31 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132513 title Debian DLA-2051-1 : intel-microcode security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2527.NASL description This update for ucode-intel fixes the following issues : - Updated to 20191112 official security release (bsc#1155988) - Includes security fixes for : - CVE-2019-11135: Added feature allowing to disable TSX RTM (bsc#1139073) - CVE-2019-11139: A CPU microcode only fix for Voltage modulation issues (bsc#1141035) This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 131155 published 2019-11-20 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131155 title openSUSE Security Update : ucode-intel (openSUSE-2019-2527)
References
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00045.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00045.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00046.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00035.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00035.html
- https://seclists.org/bugtraq/2019/Dec/28
- https://seclists.org/bugtraq/2019/Dec/28
- https://support.f5.com/csp/article/K42433061?utm_source=f5support&%3Butm_medium=RSS
- https://support.f5.com/csp/article/K42433061?utm_source=f5support&%3Butm_medium=RSS
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03969en_us
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03969en_us
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00271.html
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00271.html