Vulnerabilities > CVE-2019-15807 - Memory Leak vulnerability in multiple products

047910
CVSS 4.7 - MEDIUM
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
high complexity
linux
redhat
debian
CWE-401
nessus

Summary

In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.

Vulnerable Configurations

Part Description Count
OS
Linux
4126
OS
Redhat
2
OS
Debian
1

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2950-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel KVM hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described
    last seen2020-06-01
    modified2020-06-02
    plugin id130950
    published2019-11-13
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130950
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2019:2950-1) (SACK Panic)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:2950-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130950);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/12");
    
      script_cve_id("CVE-2016-10906", "CVE-2017-18509", "CVE-2017-18551", "CVE-2017-18595", "CVE-2018-12207", "CVE-2018-20976", "CVE-2019-10207", "CVE-2019-10220", "CVE-2019-11135", "CVE-2019-11477", "CVE-2019-14814", "CVE-2019-14815", "CVE-2019-14816", "CVE-2019-14821", "CVE-2019-14835", "CVE-2019-15098", "CVE-2019-15118", "CVE-2019-15212", "CVE-2019-15215", "CVE-2019-15216", "CVE-2019-15217", "CVE-2019-15218", "CVE-2019-15219", "CVE-2019-15220", "CVE-2019-15221", "CVE-2019-15290", "CVE-2019-15291", "CVE-2019-15505", "CVE-2019-15807", "CVE-2019-15902", "CVE-2019-15926", "CVE-2019-15927", "CVE-2019-16232", "CVE-2019-16233", "CVE-2019-16234", "CVE-2019-16413", "CVE-2019-17055", "CVE-2019-17056", "CVE-2019-9456", "CVE-2019-9506");
    
      script_name(english:"SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2950-1) (SACK Panic)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various
    security and bugfixes.
    
    The following security bugs were fixed :
    
    CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit
    a race condition in the Instruction Fetch Unit of the Intel CPU to
    cause a Machine Exception during Page Size Change, causing the CPU
    core to be non-functional.
    
    The Linux Kernel KVM hypervisor was adjusted to avoid page size
    changes in executable pages by splitting / merging huge pages into
    small pages as needed. More information can be found on
    https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-11135:
    Aborting an asynchronous TSX operation on Intel CPUs with
    Transactional Memory support could be used to facilitate sidechannel
    information leaks out of microarchitectural buffers, similar to the
    previously described 'Microarchitectural Data Sampling' attack.
    
    The Linux kernel was supplemented with the option to disable TSX
    operation altogether (requiring CPU Microcode updates on older
    systems) and better flushing of microarchitectural buffers (VERW).
    
    The set of options available is described in our TID at
    https://www.suse.com/support/kb/doc/?id=7024251 CVE-2019-16233:
    drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return
    value, leading to a NULL pointer dereference. (bsc#1150457).
    
    CVE-2019-10220: Added sanity checks on the pathnames passed to the
    user space. (bsc#1144903).
    
    CVE-2019-16232: Fix a potential NULL pointer dereference in the
    Marwell libertas driver (bsc#1150465).
    
    CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue
    return value, leading to a NULL pointer dereference. (bsc#1150452).
    
    CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not
    enforce CAP_NET_RAW, which meant that unprivileged users could create
    a raw socket (bnc#1152782).
    
    CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW,
    which meant that unprivileged users could create a raw socket
    (bsc#1152788).
    
    CVE-2019-16413: The 9p filesystem did not protect i_size_write()
    properly, which caused an i_size_read() infinite loop and denial of
    service on SMP systems (bnc#1151347).
    
    CVE-2019-15902: A backporting issue was discovered that re-introduced
    the Spectre vulnerability it had aimed to eliminate. This occurred
    because the backport process depends on cherry picking specific
    commits, and because two (correctly ordered) code lines were swapped
    (bnc#1149376).
    
    CVE-2019-15291: Fixed a NULL pointer dereference issue that could be
    caused by a malicious USB device (bnc#11465).
    
    CVE-2019-15807: Fixed a memory leak in the SCSI module that could be
    abused to cause denial of service (bnc#1148938).
    
    CVE-2019-14821: An out-of-bounds access issue was fixed in the
    kernel's KVM hypervisor. An unprivileged host user or process with
    access to '/dev/kvm' device could use this flaw to crash the host
    kernel, resulting in a denial of service or potentially escalating
    privileges on the system (bnc#1151350).
    
    CVE-2019-15505: An out-of-bounds issue had been fixed that could be
    caused by crafted USB device traffic (bnc#1147122).
    
    CVE-2017-18595: A double free in allocate_trace_buffer was fixed
    (bnc#1149555).
    
    CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost
    functionality that translates virtqueue buffers to IOVs. A privileged
    guest user able to pass descriptors with invalid length to the host
    could use this flaw to increase their privileges on the host
    (bnc#1150112).
    
    CVE-2019-15216: A NULL pointer dereference was fixed that could be
    malicious USB device (bnc#1146361).
    
    CVE-2019-9456: An out-of-bounds write in the USB monitor driver has
    been fixed. This issue could lead to local escalation of privilege
    with System execution privileges needed. (bnc#1150025).
    
    CVE-2019-15926: An out-of-bounds access was fixed in the
    drivers/net/wireless/ath/ath6kl module. (bnc#1149527).
    
    CVE-2019-15927: An out-of-bounds access was fixed in the
    sound/usb/mixer module (bnc#1149522).
    
    CVE-2019-15219: A NULL pointer dereference was fixed that could be
    abused by a malicious USB device (bnc#1146524).
    
    CVE-2019-15220: A use-after-free issue was fixed that could be caused
    by a malicious USB device (bnc#1146526).
    
    CVE-2019-15221: A NULL pointer dereference was fixed that could be
    caused by a malicious USB device (bnc#1146529).
    
    CVE-2019-14814: A heap-based buffer overflow was fixed in the marvell
    wifi chip driver. That issue allowed local users to cause a denial of
    service (system crash) or possibly execute arbitrary code
    (bnc#1146512).
    
    CVE-2019-14815: A missing length check while parsing WMM IEs was fixed
    (bsc#1146512, bsc#1146514, bsc#1146516).
    
    CVE-2019-14816: A heap-based buffer overflow in the marvell wifi chip
    driver was fixed. Local users would have abused this issue to cause a
    denial of service (system crash) or possibly execute arbitrary code
    (bnc#1146516).
    
    CVE-2017-18509: An issue in net/ipv6 as fixed. By setting a specific
    socket option, an attacker could control a pointer in kernel land and
    cause an inet_csk_listen_stop general protection fault, or potentially
    execute arbitrary code under certain circumstances. The issue can be
    triggered as root (e.g., inside a default LXC container or with the
    CAP_NET_ADMIN capability) or after namespace unsharing. (bnc#1145477)
    
    CVE-2019-9506: The Bluetooth BR/EDR specification used to permit
    sufficiently low encryption key length and did not prevent an attacker
    from influencing the key length negotiation. This allowed practical
    brute-force attacks (aka 'KNOB') that could decrypt traffic and inject
    arbitrary ciphertext without the victim noticing (bnc#1137865).
    
    CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath
    was fixed (bnc#1146378).
    
    CVE-2019-15290: A NULL pointer dereference in
    ath6kl_usb_alloc_urb_from_pipe was fixed (bsc#1146378).
    
    CVE-2019-15212: A double-free issue was fixed in drivers/usb driver
    (bnc#1146391).
    
    CVE-2016-10906: A use-after-free issue was fixed in
    drivers/net/ethernet/arc (bnc#1146584).
    
    CVE-2019-15217: A a NULL pointer dereference issue caused by a
    malicious USB device was fixed in the drivers/media/usb/zr364xx driver
    (bnc#1146519).
    
    CVE-2019-15218: A NULL pointer dereference caused by a malicious USB
    device was fixed in the drivers/media/usb/siano driver (bnc#1146413).
    
    CVE-2019-15215: A use-after-free issue caused by a malicious USB
    device was fixed in the drivers/media/usb/cpia2 driver (bnc#1146425).
    
    CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver
    (bnc#1146285).
    
    CVE-2017-18551: An out-of-bounds write was fixed in the drivers/i2c
    driver (bnc#1146163).
    
    CVE-2019-10207: Add checks for missing tty operations to prevent
    unprivileged user to execute 0x0 address (bsc#1142857 bsc#1123959)
    
    CVE-2019-15118: ALSA: usb-audio: Fix a stack-based buffer overflow bug
    in check_input_term leading to kernel stack exhaustion (bsc#1145922).
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1117665"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1123959"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1137586"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1137865"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1137944"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1139073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1139751"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1142857"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1144903"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1145477"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1145922"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146042"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146163"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146285"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146361"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146378"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146391"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146413"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146425"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146512"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146514"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146516"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146524"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146526"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146529"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146540"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146543"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146547"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146584"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1146612"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1147122"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1148938"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1149376"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1149522"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1149527"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1149555"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1150025"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1150112"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1150452"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1150457"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1150465"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1151347"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1151350"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1152782"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1152788"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1153119"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1155671"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=999278"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10906/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18509/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18551/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-18595/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-12207/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-20976/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-10207/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-10220/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-11135/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-11477/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-14814/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-14815/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-14816/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-14821/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-14835/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15098/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15118/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15212/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15215/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15216/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15217/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15218/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15219/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15220/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15221/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15290/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15291/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15505/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15807/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15902/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15926/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15927/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-16232/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-16233/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-16234/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-16413/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-17055/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-17056/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-9456/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-9506/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/support/kb/doc/?id=7023735"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/support/kb/doc/?id=7024251"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-20192950-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?00e1d55f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch
    SUSE-SLE-SAP-12-SP1-2019-2950=1
    
    SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP1-2019-2950=1
    
    SUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch
    SUSE-SLE-Module-Public-Cloud-12-2019-2950=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_124-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_124-xen");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/11/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/13");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-base-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-base-debuginfo-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-debuginfo-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-debugsource-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-devel-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kgraft-patch-3_12_74-60_64_124-default-1-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kgraft-patch-3_12_74-60_64_124-xen-1-2.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"s390x", reference:"kernel-default-man-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-base-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-base-debuginfo-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-debuginfo-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-debugsource-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-devel-3.12.74-60.64.124.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-syms-3.12.74-60.64.124.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1930.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2016-10905 A race condition was discovered in the GFS2 file-system implementation, which could lead to a use-after-free. On a system using GFS2, a local attacker could use this for denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2018-20976 It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear. CVE-2018-21008 It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear. CVE-2019-0136 It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages. A nearby attacker could use this for denial of service (loss of wifi connectivity). CVE-2019-9506 Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the
    last seen2020-06-01
    modified2020-06-02
    plugin id129361
    published2019-09-26
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129361
    titleDebian DLA-1930-1 : linux security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1930-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129361);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/23");
    
      script_cve_id("CVE-2016-10905", "CVE-2018-20976", "CVE-2018-21008", "CVE-2019-0136", "CVE-2019-14814", "CVE-2019-14815", "CVE-2019-14816", "CVE-2019-14821", "CVE-2019-14835", "CVE-2019-15117", "CVE-2019-15118", "CVE-2019-15211", "CVE-2019-15212", "CVE-2019-15215", "CVE-2019-15218", "CVE-2019-15219", "CVE-2019-15220", "CVE-2019-15221", "CVE-2019-15292", "CVE-2019-15807", "CVE-2019-15917", "CVE-2019-15926", "CVE-2019-9506");
    
      script_name(english:"Debian DLA-1930-1 : linux security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.
    
    CVE-2016-10905
    
    A race condition was discovered in the GFS2 file-system
    implementation, which could lead to a use-after-free. On a system
    using GFS2, a local attacker could use this for denial of service
    (memory corruption or crash) or possibly for privilege escalation.
    
    CVE-2018-20976
    
    It was discovered that the XFS file-system implementation did not
    correctly handle some mount failure conditions, which could lead to a
    use-after-free. The security impact of this is unclear.
    
    CVE-2018-21008
    
    It was discovered that the rsi wifi driver did not correctly handle
    some failure conditions, which could lead to a use-after- free. The
    security impact of this is unclear.
    
    CVE-2019-0136
    
    It was discovered that the wifi soft-MAC implementation (mac80211) did
    not properly authenticate Tunneled Direct Link Setup (TDLS) messages.
    A nearby attacker could use this for denial of service (loss of wifi
    connectivity).
    
    CVE-2019-9506
    
    Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen
    discovered a weakness in the Bluetooth pairing protocols, dubbed the
    'KNOB attack'. An attacker that is nearby during pairing could use
    this to weaken the encryption used between the paired devices, and
    then to eavesdrop on and/or spoof communication between them.
    
    This update mitigates the attack by requiring a minimum
    encryption key length of 56 bits.
    
    CVE-2019-14814, CVE-2019-14815, CVE-2019-14816
    
    Multiple bugs were discovered in the mwifiex wifi driver, which could
    lead to heap buffer overflows. A local user permitted to configure a
    device handled by this driver could probably use this for privilege
    escalation.
    
    CVE-2019-14821
    
    Matt Delco reported a race condition in KVM's coalesced MMIO facility,
    which could lead to out-of-bounds access in the kernel. A local
    attacker permitted to access /dev/kvm could use this to cause a denial
    of service (memory corruption or crash) or possibly for privilege
    escalation.
    
    CVE-2019-14835
    
    Peter Pi of Tencent Blade Team discovered a missing bounds check in
    vhost_net, the network back-end driver for KVM hosts, leading to a
    buffer overflow when the host begins live migration of a VM. An
    attacker in control of a VM could use this to cause a denial of
    service (memory corruption or crash) or possibly for privilege
    escalation on the host.
    
    CVE-2019-15117
    
    Hui Peng and Mathias Payer reported a missing bounds check in the
    usb-audio driver's descriptor parsing code, leading to a buffer
    over-read. An attacker able to add USB devices could possibly use this
    to cause a denial of service (crash).
    
    CVE-2019-15118
    
    Hui Peng and Mathias Payer reported unbounded recursion in the
    usb-audio driver's descriptor parsing code, leading to a stack
    overflow. An attacker able to add USB devices could use this to cause
    a denial of service (memory corruption or crash) or possibly for
    privilege escalation.
    
    CVE-2019-15211
    
    The syzkaller tool found a bug in the radio-raremono driver that could
    lead to a use-after-free. An attacker able to add and remove USB
    devices could use this to cause a denial of service (memory corruption
    or crash) or possibly for privilege escalation.
    
    CVE-2019-15212
    
    The syzkaller tool found that the rio500 driver does not work
    correctly if more than one device is bound to it. An attacker able to
    add USB devices could use this to cause a denial of service (memory
    corruption or crash) or possibly for privilege escalation.
    
    CVE-2019-15215
    
    The syzkaller tool found a bug in the cpia2_usb driver that leads to a
    use-after-free. An attacker able to add and remove USB devices could
    use this to cause a denial of service (memory corruption or crash) or
    possibly for privilege escalation.
    
    CVE-2019-15218
    
    The syzkaller tool found that the smsusb driver did not validate that
    USB devices have the expected endpoints, potentially leading to a NULL pointer dereference. An attacker able to add USB devices could use
    this to cause a denial of service (BUG/oops).
    
    CVE-2019-15219
    
    The syzkaller tool found that a device initialisation error in the
    sisusbvga driver could lead to a NULL pointer dereference. An attacker
    able to add USB devices could use this to cause a denial of service
    (BUG/oops).
    
    CVE-2019-15220
    
    The syzkaller tool found a race condition in the p54usb driver which
    could lead to a use-after-free. An attacker able to add and remove USB
    devices could use this to cause a denial of service (memory corruption
    or crash) or possibly for privilege escalation.
    
    CVE-2019-15221
    
    The syzkaller tool found that the line6 driver did not validate USB
    devices' maximum packet sizes, which could lead to a heap buffer
    overrun. An attacker able to add USB devices could use this to cause a
    denial of service (memory corruption or crash) or possibly for
    privilege escalation.
    
    CVE-2019-15292
    
    The Hulk Robot tool found missing error checks in the Appletalk
    protocol implementation, which could lead to a use-after-free. The
    security impact of this is unclear.
    
    CVE-2019-15807
    
    Jian Luo reported that the Serial Attached SCSI library (libsas) did
    not correctly handle failure to discover devices beyond a SAS
    expander. This could lead to a resource leak and crash (BUG). The
    security impact of this is unclear.
    
    CVE-2019-15917
    
    The syzkaller tool found a race condition in code supporting
    UART-attached Bluetooth adapters, which could lead to a use-
    after-free. A local user with access to a pty device or other suitable
    tty device could use this to cause a denial of service (memory
    corruption or crash) or possibly for privilege escalation.
    
    CVE-2019-15926
    
    It was found that the ath6kl wifi driver did not consistently validate
    traffic class numbers in received control packets, leading to
    out-of-bounds memory accesses. A nearby attacker on the same wifi
    network could use this to cause a denial of service (memory corruption
    or crash) or possibly for privilege escalation.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    3.16.74-1.
    
    We recommend that you upgrade your linux packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/linux"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-586");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armhf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-i386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-ixp4xx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-kirkwood");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-orion5x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-586");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-ixp4xx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-kirkwood");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-orion5x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-libc-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-3.16.0-9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-linux-system-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.74-1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.74-1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2201.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):An issue was discovered in the Linux kernel before 5.2.3. Out of bounds access exists in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file driverset/wireless/ath/ath6kl/wmi.c.(CVE-2019-15926)An issue was discovered in the Linux kernel before 5.0.6. There is a memory leak issue when idr_alloc() fails in genl_register_family() in netetlink/genetlink.c.(CVE-2019-15921)An issue was discovered in the Linux kernel before 4.20.2. An out-of-bounds access exists in the function build_audio_procunit in the file sound/usb/mixer.c.(CVE-2019-15927)An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.(CVE-2019-15807)A vulnerability was found in Linux kernel
    last seen2020-05-08
    modified2019-11-08
    plugin id130663
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130663
    titleEulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2201)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130663);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2018-10853",
        "CVE-2018-1128",
        "CVE-2018-20976",
        "CVE-2018-7492",
        "CVE-2019-10140",
        "CVE-2019-10142",
        "CVE-2019-10207",
        "CVE-2019-10638",
        "CVE-2019-1125",
        "CVE-2019-12818",
        "CVE-2019-14814",
        "CVE-2019-14815",
        "CVE-2019-14816",
        "CVE-2019-14821",
        "CVE-2019-14835",
        "CVE-2019-15098",
        "CVE-2019-15099",
        "CVE-2019-15118",
        "CVE-2019-15218",
        "CVE-2019-15219",
        "CVE-2019-15220",
        "CVE-2019-15221",
        "CVE-2019-15239",
        "CVE-2019-15292",
        "CVE-2019-15505",
        "CVE-2019-15538",
        "CVE-2019-15807",
        "CVE-2019-15921",
        "CVE-2019-15924",
        "CVE-2019-15926",
        "CVE-2019-15927",
        "CVE-2019-16233",
        "CVE-2019-16413",
        "CVE-2019-17052",
        "CVE-2019-17053",
        "CVE-2019-17054",
        "CVE-2019-17055",
        "CVE-2019-17056"
      );
    
      script_name(english:"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2201)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - The kernel package contains the Linux kernel (vmlinuz),
        the core of any Linux operating system. The kernel
        handles the basic functions of the operating system:
        memory allocation, process allocation, device input and
        output, etc.Security Fix(es):An issue was discovered in
        the Linux kernel before 5.2.3. Out of bounds access
        exists in the functions
        ath6kl_wmi_pstream_timeout_event_rx and
        ath6kl_wmi_cac_event_rx in the file
        driverset/wireless/ath/ath6kl/wmi.c.(CVE-2019-15926)An
        issue was discovered in the Linux kernel before 5.0.6.
        There is a memory leak issue when idr_alloc() fails in
        genl_register_family() in
        netetlink/genetlink.c.(CVE-2019-15921)An issue was
        discovered in the Linux kernel before 4.20.2. An
        out-of-bounds access exists in the function
        build_audio_procunit in the file
        sound/usb/mixer.c.(CVE-2019-15927)An issue was
        discovered in the Linux kernel before 5.0.9. There is a
        use-after-free in atalk_proc_exit, related to
        net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and
        net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)An
        issue was discovered in fs/xfs/xfs_super.c in the Linux
        kernel before 4.18. A use after free exists, related to
        xfs_fs_fill_super failure.(CVE-2018-20976)In the Linux
        kernel before 5.1.13, there is a memory leak in
        drivers/scsi/libsas/sas_expander.c when SAS expander
        discovery fails. This will cause a BUG and denial of
        service.(CVE-2019-15807)A vulnerability was found in
        Linux kernel's, versions up to 3.10, implementation of
        overlayfs. An attacker with local access can create a
        denial of service situation via NULL pointer
        dereference in ovl_posix_acl_create function in
        fs/overlayfs/dir.c. This can allow attackers with
        ability to create directories on overlayfs to crash the
        kernel creating a denial of service
        (DOS).(CVE-2019-10140)In the Linux kernel, a certain
        net/ipv4/tcp_output.c change, which was properly
        incorporated into 4.16.12, was incorrectly backported
        to the earlier longterm kernels, introducing a new
        vulnerability that was potentially more severe than the
        issue that was intended to be fixed by backporting.
        Specifically, by adding to a write queue between
        disconnection and re-connection, a local attacker can
        trigger multiple use-after-free conditions. This can
        result in a kernel crash, or potentially in privilege
        escalation.(CVE-2019-15239)check_input_term in
        sound/usb/mixer.c in the Linux kernel through 5.2.9
        mishandles recursion, leading to kernel stack
        exhaustion.(CVE-2019-15118)drivers
        et/wireless/ath/ath10k/usb.c in the Linux kernel
        through 5.2.8 has a NULL pointer dereference via an
        incomplete address in an endpoint
        descriptor.(CVE-2019-15099)drivers
        et/wireless/ath/ath6kl/usb.c in the Linux kernel
        through 5.2.9 has a NULL pointer dereference via an
        incomplete address in an endpoint
        descriptor.(CVE-2019-15098)A flaw was found in the
        Linux kernel's Bluetooth implementation of UART. An
        attacker with local access and write permissions to the
        Bluetooth hardware could use this flaw to issue a
        specially crafted ioctl function call and cause the
        system to crash.(CVE-2019-10207)It was found that cephx
        authentication protocol did not verify ceph clients
        correctly and was vulnerable to replay attack. Any
        attacker having access to ceph cluster network who is
        able to sniff packets on network can use this
        vulnerability to authenticate with ceph service and
        perform actions allowed by ceph service. Ceph branches
        master, mimic, luminous and jewel are believed to be
        vulnerable.(CVE-2018-1128)ax25_create in
        net/ax25/af_ax25.c in the AF_AX25 network module in the
        Linux kernel through 5.3.2 does not enforce
        CAP_NET_RAW, which means that unprivileged users can
        create a raw socket, aka
        CID-0614e2b73768.(CVE-2019-17052)ieee802154_create in
        net/ieee802154/socket.c in the AF_IEEE802154 network
        module in the Linux kernel through 5.3.2 does not
        enforce CAP_NET_RAW, which means that unprivileged
        users can create a raw socket, aka
        CID-e69dbd4619e7.(CVE-2019-17053)atalk_create in
        net/appletalk/ddp.c in the AF_APPLETALK network module
        in the Linux kernel through 5.3.2 does not enforce
        CAP_NET_RAW, which means that unprivileged users can
        create a raw socket, aka
        CID-6cc03e8aa36c.(CVE-2019-17054)base_sock_create in
        drivers/isdn/mISDN/socket.c in the AF_ISDN network
        module in the Linux kernel through 5.3.2 does not
        enforce CAP_NET_RAW, which means that unprivileged
        users can create a raw socket, aka
        CID-b91ee4aa2a21.(CVE-2019-17055)llcp_sock_create in
        net fc/llcp_sock.c in the AF_NFC network module in the
        Linux kernel through 5.3.2 does not enforce
        CAP_NET_RAW, which means that unprivileged users can
        create a raw socket, aka
        CID-3a359798b176.(CVE-2019-17056)A flaw was found in
        the Linux kernel's freescale hypervisor manager
        implementation, kernel versions 5.0.x up to, excluding
        5.0.17. A parameter passed to an ioctl was incorrectly
        validated and used in size calculations for the page
        size calculation. An attacker can use this flaw to
        crash the system, corrupt memory, or create other
        adverse security
        affects.(CVE-2019-10142)drivers/media/usb/dvb-usb/techn
        isat-usb2.c in the Linux kernel through 5.2.9 has an
        out-of-bounds read via crafted USB device traffic
        (which may be remote via usbip or
        usbredir).(CVE-2019-15505)An issue was discovered in
        the Linux kernel before 5.0.4. The 9p filesystem did
        not protect i_size_write() properly, which causes an
        i_size_read() infinite loop and denial of service on
        SMP systems.(CVE-2019-16413)An issue was discovered in
        xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux
        kernel through 5.2.9. XFS partially wedges when a chgrp
        fails on account of being out of disk quota.
        xfs_setattr_nonsize is failing to unlock the ILOCK
        after the xfs_qm_vop_chown_reserve call fails. This is
        primarily a local DoS attack vector, but it might
        result as well in remote DoS if the XFS filesystem is
        exported for instance via NFS.(CVE-2019-15538)A buffer
        overflow flaw was found, in versions from 2.6.34 to
        5.2.x, in the way Linux kernel's vhost functionality
        that translates virtqueue buffers to IOVs, logged the
        buffer descriptors during migration. A privileged guest
        user able to pass descriptors with invalid length to
        the host when migration is underway, could use this
        flaw to increase their privileges on the
        host.(CVE-2019-14835)An out-of-bounds access issue was
        found in the Linux kernel, all versions through 5.3, in
        the way Linux kernel's KVM hypervisor implements the
        Coalesced MMIO write operation. It operates on an MMIO
        ring buffer 'struct kvm_coalesced_mmio' object, wherein
        write indices 'ring->first' and 'ring->last' value
        could be supplied by a host user-space process. An
        unprivileged host user or process with access to
        '/dev/kvm' device could use this flaw to crash the host
        kernel, resulting in a denial of service or potentially
        escalating privileges on the system.(CVE-2019-14821)An
        information disclosure vulnerability exists when
        certain central processing units (CPU) speculatively
        access memory, aka 'Windows Kernel Information
        Disclosure Vulnerability'.
        (CVE-2019-1125)drivers/scsi/qla2xxx/qla_os.c in the
        Linux kernel 5.2.14 does not check the alloc_workqueue
        return value, leading to a NULL pointer
        dereference.(CVE-2019-16233)An issue was discovered in
        the Linux kernel before 5.0.11. fm10k_init_module in
        drivers et/ethernet/intel/fm10k/fm10k_main.c has a NULL
        pointer dereference because there is no -ENOMEM upon an
        alloc_workqueue failure.(CVE-2019-15924)An issue was
        discovered in the Linux kernel before 5.2.1. There is a
        use-after-free caused by a malicious USB device in the
        drivers et/wireless/intersil/p54/p54usb.c
        driver.(CVE-2019-15220 )In the Linux kernel before
        5.1.7, a device can be tracked by an attacker using the
        IP ID values the kernel produces for connection-less
        protocols (e.g., UDP and ICMP). When such traffic is
        sent to multiple destination IP addresses, it is
        possible to obtain hash collisions (of indices to the
        counter array) and thereby obtain the hashing key (via
        enumeration). An attack may be conducted by hosting a
        crafted web page that uses WebRTC or gQUIC to force UDP
        traffic to attacker-controlled IP
        addresses.(CVE-2019-10638)There is heap-based buffer
        overflow in Linux kernel, all versions up to, excluding
        5.3, in the marvell wifi chip driver in Linux kernel,
        that allows local users to cause a denial of
        service(system crash) or possibly execute arbitrary
        code.( CVE-2019-14814)** RESERVED ** This candidate has
        been reserved by an organization or individual that
        will use it when announcing a new security problem.
        When the candidate has been publicized, the details for
        this candidate will be provided.( CVE-2019-14815)There
        is heap-based buffer overflow in kernel, all versions
        up to, excluding 5.3, in the marvell wifi chip driver
        in Linux kernel, that allows local users to cause a
        denial of service(system crash) or possibly execute
        arbitrary code.( CVE-2019-14816)A flaw was found in the
        way Linux kernel KVM hypervisor emulated instructions
        such as sgdt/sidt/fxsave/fxrstor. It did not check
        current privilege(CPL) level while emulating
        unprivileged instructions. An unprivileged guest
        user/process could use this flaw to potentially
        escalate privileges inside guest.(CVE-2018-10853)A NULL
        pointer dereference was found in the net/rds/rdma.c
        __rds_rdma_map() function in the Linux kernel before
        4.14.7 allowing local attackers to cause a system panic
        and a denial-of-service, related to RDS_GET_MR and
        RDS_GET_MR_FOR_DEST.(CVE-2018-7492)An issue was
        discovered in the Linux kernel before 4.20.15. The
        nfc_llcp_build_tlv function in net fc/llcp_commands.c
        may return NULL. If the caller does not check for this,
        it will trigger a NULL pointer dereference. This will
        cause denial of service. This affects nfc_llcp_build_gb
        in netfc/llcp_core.c.(CVE-2019-12818)An issue was
        discovered in the Linux kernel before 5.1.8. There is a
        NULL pointer dereference caused by a malicious USB
        device in the drivers/media/usb/siano/smsusb.c
        driver.(CVE-2019-15218)An issue was discovered in the
        Linux kernel before 5.1.8. There is a NULL pointer
        dereference caused by a malicious USB device in the
        drivers/usb/misc/sisusbvga/sisusb.c
        driver.(CVE-2019-15219)An issue was discovered in the
        Linux kernel before 5.1.17. There is a NULL pointer
        dereference caused by a malicious USB device in the
        sound/usb/line6/pcm.c driver.(CVE-2019-15221)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2201
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b3a7512b");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-3.10.0-862.14.1.2.h291.eulerosv2r7",
            "kernel-devel-3.10.0-862.14.1.2.h291.eulerosv2r7",
            "kernel-headers-3.10.0-862.14.1.2.h291.eulerosv2r7",
            "kernel-tools-3.10.0-862.14.1.2.h291.eulerosv2r7",
            "kernel-tools-libs-3.10.0-862.14.1.2.h291.eulerosv2r7",
            "perf-3.10.0-862.14.1.2.h291.eulerosv2r7",
            "python-perf-3.10.0-862.14.1.2.h291.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-5511.NASL
    descriptionDescription of changes: kernel-uek [3.8.13-118.42.1.el7uek] - scsi: libsas: delete sas port if expander discover failed (Jason Yan) [Orabug: 30580688] {CVE-2019-15807}
    last seen2020-06-01
    modified2020-06-02
    plugin id132945
    published2020-01-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132945
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5511)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2020-5511.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(132945);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/21");
    
      script_cve_id("CVE-2019-15807");
    
      script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5511)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    kernel-uek
    [3.8.13-118.42.1.el7uek]
    - scsi: libsas: delete sas port if expander discover failed (Jason Yan) 
    [Orabug: 30580688] {CVE-2019-15807}"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2020-January/009515.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2020-January/009516.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.42.1.el6uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.42.1.el7uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2019-15807");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2020-5511");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "3.8";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_check(release:"EL6", cpu:"x86_64", reference:"dtrace-modules-3.8.13-118.42.1.el6uek-0.4.5-3.el6")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-3.8.13-118.42.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-3.8.13-118.42.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-3.8.13-118.42.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-3.8.13-118.42.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-3.8.13-118.42.1.el6uek")) flag++;
    if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-3.8.13-118.42.1.el6uek")) flag++;
    
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"dtrace-modules-3.8.13-118.42.1.el7uek-0.4.5-3.el7")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-3.8.13-118.42.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-3.8.13-118.42.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-3.8.13-118.42.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-3.8.13-118.42.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-3.8.13-118.42.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-3.8.13-118.42.1.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1186.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.(CVE-2012-3400)The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.(CVE-2013-2164)The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.(CVE-2013-2206)The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.(CVE-2013-6282)An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.(CVE-2018-20836)The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.(CVE-2019-11486)The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests.(CVE-2019-11487)The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.(CVE-2019-11599)A n issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free.(CVE-2019-11810)An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.(CVE-2019-11811)A flaw was found in the Linux kernel
    last seen2020-05-03
    modified2020-03-11
    plugin id134387
    published2020-03-11
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134387
    titleEulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1186)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134387);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/01");
    
      script_cve_id(
        "CVE-2012-3400",
        "CVE-2013-2164",
        "CVE-2013-2206",
        "CVE-2013-6282",
        "CVE-2018-16880",
        "CVE-2018-20836",
        "CVE-2019-11486",
        "CVE-2019-11487",
        "CVE-2019-11599",
        "CVE-2019-11810",
        "CVE-2019-11811",
        "CVE-2019-11815",
        "CVE-2019-11833",
        "CVE-2019-12378",
        "CVE-2019-12380",
        "CVE-2019-12381",
        "CVE-2019-12382",
        "CVE-2019-12455",
        "CVE-2019-12456",
        "CVE-2019-12614",
        "CVE-2019-12615",
        "CVE-2019-13233",
        "CVE-2019-13272",
        "CVE-2019-13631",
        "CVE-2019-14283",
        "CVE-2019-15118",
        "CVE-2019-15211",
        "CVE-2019-15214",
        "CVE-2019-15218",
        "CVE-2019-15219",
        "CVE-2019-15220",
        "CVE-2019-15221",
        "CVE-2019-15292",
        "CVE-2019-15538",
        "CVE-2019-15666",
        "CVE-2019-15807",
        "CVE-2019-15917",
        "CVE-2019-15919",
        "CVE-2019-15920",
        "CVE-2019-15925",
        "CVE-2019-16413",
        "CVE-2019-18805",
        "CVE-2019-3701",
        "CVE-2019-3819",
        "CVE-2019-3846",
        "CVE-2019-3882",
        "CVE-2019-3900",
        "CVE-2019-5489",
        "CVE-2019-8956",
        "CVE-2019-9455"
      );
      script_bugtraq_id(
        54279,
        60375,
        60715,
        63734
      );
    
      script_name(english:"EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1186)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - The kernel package contains the Linux kernel (vmlinuz),
        the core of any Linux operating system. The kernel
        handles the basic functions of the operating system:
        memory allocation, process allocation, device input and
        output, etc.Security Fix(es):Heap-based buffer overflow
        in the udf_load_logicalvol function in fs/udf/super.c
        in the Linux kernel before 3.4.5 allows remote
        attackers to cause a denial of service (system crash)
        or possibly have unspecified other impact via a crafted
        UDF filesystem.(CVE-2012-3400)The
        mmc_ioctl_cdrom_read_data function in
        drivers/cdrom/cdrom.c in the Linux kernel through 3.10
        allows local users to obtain sensitive information from
        kernel memory via a read operation on a malfunctioning
        CD-ROM drive.(CVE-2013-2164)The
        sctp_sf_do_5_2_4_dupcook function in
        net/sctp/sm_statefuns.c in the SCTP implementation in
        the Linux kernel before 3.8.5 does not properly handle
        associations during the processing of a duplicate
        COOKIE ECHO chunk, which allows remote attackers to
        cause a denial of service (NULL pointer dereference and
        system crash) or possibly have unspecified other impact
        via crafted SCTP traffic.(CVE-2013-2206)The (1)
        get_user and (2) put_user API functions in the Linux
        kernel before 3.5.5 on the v6k and v7 ARM platforms do
        not validate certain addresses, which allows attackers
        to read or modify the contents of arbitrary kernel
        memory locations via a crafted application, as
        exploited in the wild against Android devices in
        October and November 2013.(CVE-2013-6282)An issue was
        discovered in the Linux kernel before 4.20. There is a
        race condition in smp_task_timedout() and
        smp_task_done() in drivers/scsi/libsas/sas_expander.c,
        leading to a use-after-free.(CVE-2018-20836)The Siemens
        R3964 line discipline driver in drivers/tty/n_r3964.c
        in the Linux kernel before 5.0.8 has multiple race
        conditions.(CVE-2019-11486)The Linux kernel before
        5.1-rc5 allows page->_refcount reference count
        overflow, with resultant use-after-free issues, if
        about 140 GiB of RAM exists. This is related to
        fs/fuse/dev.c, fs/pipe.c, fs/splice.c,
        include/linux/mm.h, include/linux/pipe_fs_i.h,
        kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It
        can occur with FUSE requests.(CVE-2019-11487)The
        coredump implementation in the Linux kernel before
        5.0.10 does not use locking or other mechanisms to
        prevent vma layout or vma flags changes while it runs,
        which allows local users to obtain sensitive
        information, cause a denial of service, or possibly
        have unspecified other impact by triggering a race
        condition with mmget_not_zero or get_task_mm calls.
        This is related to fs/userfaultfd.c, mm/mmap.c,
        fs/proc/task_mmu.c, and
        drivers/infiniband/core/uverbs_main.c.(CVE-2019-11599)A
        n issue was discovered in the Linux kernel before
        5.0.7. A NULL pointer dereference can occur when
        megasas_create_frame_pool() fails in
        megasas_alloc_cmds() in
        drivers/scsi/megaraid/megaraid_sas_base.c. This causes
        a Denial of Service, related to a
        use-after-free.(CVE-2019-11810)An issue was discovered
        in the Linux kernel before 5.0.4. There is a
        use-after-free upon attempted read access to
        /proc/ioports after the ipmi_si module is removed,
        related to drivers/char/ipmi/ipmi_si_intf.c,
        drivers/char/ipmi/ipmi_si_mem_io.c, and
        drivers/char/ipmi/ipmi_si_port_io.c.(CVE-2019-11811)A
        flaw was found in the Linux kernel's handle_rx()
        function in the [vhost_net] driver. A malicious virtual
        guest, under specific conditions, can trigger an
        out-of-bounds write in a kmalloc-8 slab on a virtual
        host which may lead to a kernel memory corruption and a
        system panic. Due to the nature of the flaw, privilege
        escalation cannot be fully ruled out. Versions from
        v4.16 and newer are vulnerable.(CVE-2018-16880)An issue
        was discovered in rds_tcp_kill_sock in net/rds/tcp.c in
        the Linux kernel before 5.0.8. There is a race
        condition leading to a use-after-free, related to net
        namespace cleanup.(CVE-2019-11815)A flaw was found in
        the Linux kernel in the function
        hid_debug_events_read() in drivers/hid/hid-debug.c file
        which may enter an infinite loop with certain
        parameters passed from a userspace. A local privileged
        user ('root') can cause a system lock up and a denial
        of service. Versions from v4.18 and newer are
        vulnerable.(CVE-2019-3819)A flaw was found in the Linux
        kernel's vfio interface implementation that permits
        violation of the user's locked memory limit. If a
        device is bound to a vfio driver, such as vfio-pci, and
        the local attacker is administratively granted
        ownership of the device, it may cause a system memory
        exhaustion and thus a denial of service (DoS). Versions
        3.10, 4.14 and 4.18 are vulnerable.(CVE-2019-3882)An
        infinite loop issue was found in the vhost_net kernel
        module in Linux Kernel up to and including v5.1-rc6,
        while handling incoming packets in handle_rx(). It
        could occur if one end sends packets faster than the
        other end can process them. A guest user, maybe remote
        one, could use this flaw to stall the vhost_net kernel
        thread, resulting in a DoS scenario.(CVE-2019-3900)In
        the Linux Kernel before versions 4.20.8 and 4.19.21 a
        use-after-free error in the 'sctp_sendmsg()' function
        (net/sctp/socket.c) when handling SCTP_SENDALL flag can
        be exploited to corrupt memory.(CVE-2019-8956)A flaw
        was found in the Linux kernel's implementation of ext4
        extent management. The kernel doesn't correctly
        initialize memory regions in the extent tree block
        which may be exported to a local user to obtain
        sensitive information by reading empty/uninitialized
        data from the filesystem.(CVE-2019-11833)An issue was
        discovered in drm_load_edid_firmware in
        drivers/gpu/drm/drm_edid_load.c in the Linux kernel
        through 5.1.5. There is an unchecked kstrdup of fwstr,
        which might allow an attacker to cause a denial of
        service (NULL pointer dereference and system crash).
        NOTE: The vendor disputes this issues as not being a
        vulnerability because kstrdup() returning NULL is
        handled sufficiently and there is no chance for a NULL
        pointer dereference.(CVE-2019-12382)An issue was
        discovered in the efi subsystem in the Linux kernel
        through 5.1.5. phys_efi_set_virtual_address_map in
        arch/x86/platform/efi/efi.c and efi_call_phys_prolog in
        arch/x86/platform/efi/efi_64.c mishandle memory
        allocation failures. NOTE: This id is disputed as not
        being an issue because ?All the code touched by the
        referenced commit runs only at boot, before any user
        processes are started. Therefore, there is no
        possibility for an unprivileged user to control
        it.(CVE-2019-12380)An issue was discovered in the Linux
        kernel before 5.2.3. An out of bounds access exists in
        the function hclge_tm_schd_mode_vnet_base_cfg in the
        file drivers
        et/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.(CVE-2019-
        15925)An issue was discovered in
        dlpar_parse_cc_property in
        arch/powerpc/platforms/pseries/dlpar.c in the Linux
        kernel through 5.1.6. There is an unchecked kstrdup of
        prop-i1/4zname, which might allow an attacker to cause a
        denial of service (NULL pointer dereference and system
        crash).(CVE-2019-12614)An issue was discovered in
        net/ipv4/sysctl_net_ipv4.c in the Linux kernel before
        5.0.11. There is a net/ipv4/tcp_input.c signed integer
        overflow in tcp_ack_update_rtt() when userspace writes
        a very large integer to
        /proc/syset/ipv4/tcp_min_rtt_wlen, leading to a denial
        of service or possibly unspecified other impact, aka
        CID-19fad20d15a6.(CVE-2019-18805)A flaw was found in
        the way PTRACE_TRACEME functionality was handled in the
        Linux kernel. The kernel's implementation of ptrace can
        inadvertently grant elevated permissions to an attacker
        who can then abuse the relationship between the tracer
        and the process being traced. This flaw could allow a
        local, unprivileged user to increase their privileges
        on the system or cause a denial of
        service.(CVE-2019-13272)An issue was discovered in
        ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux
        kernel through 5.1.5. There is an unchecked kmalloc of
        new_ra, which might allow an attacker to cause a denial
        of service (NULL pointer dereference and system crash).
        NOTE: This has been disputed as not an
        issue.(CVE-2019-12378)An issue was discovered in
        ip_ra_control in net/ipv4/ip_sockglue.c in the Linux
        kernel through 5.1.5. There is an unchecked kmalloc of
        new_ra, which might allow an attacker to cause a denial
        of service (NULL pointer dereference and system crash).
        NOTE: this is disputed because new_ra is never used if
        it is NULL.(CVE-2019-12381)An issue was discovered in
        sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c
        in the Linux kernel through 5.1.5. There is an
        unchecked kstrndup of derived_name, which might allow
        an attacker to cause a denial of service (NULL pointer
        dereference and system crash). NOTE: This id is
        disputed as not being an issue because 'The memory
        allocation that was not checked is part of a code that
        only runs at boot time, before user processes are
        started. Therefore, there is no possibility for an
        unprivileged user to control it, and no denial of
        service.'.(CVE-2019-12455)An issue was discovered in
        the MPT3COMMAND case in _ctl_ioctl_main in
        drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel
        through 5.1.5. It allows local users to cause a denial
        of service or possibly have unspecified other impact by
        changing the value of ioc_number between two kernel
        reads of that value, aka a ''double fetch''
        vulnerability. NOTE: a third party reports that this is
        unexploitable because the doubly fetched value is not
        used.(CVE-2019-12456)An issue was discovered in
        get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in
        the Linux kernel through 5.1.6. There is an unchecked
        kstrdup_const of node_info-i1/4zvdev_port.name, which
        might allow an attacker to cause a denial of service
        (NULL pointer dereference and system
        crash).(CVE-2019-12615)In parse_hid_report_descriptor
        in drivers/input/tablet/gtco.c in the Linux kernel
        through 5.2.1, a malicious USB device can send an HID
        report that triggers an out-of-bounds write during
        generation of debugging messages.(CVE-2019-13631)A
        vulnerability was found in the Linux kernelaEURtms floppy
        disk driver implementation. A local attacker with
        access to the floppy device could call set_geometry in
        drivers/block/floppy.c, which does not validate the
        sect and head fields, causing an integer overflow and
        out-of-bounds read. This flaw may crash the system or
        allow an attacker to gather information causing
        subsequent successful
        attacks.(CVE-2019-14283)check_input_term in
        sound/usb/mixer.c in the Linux kernel through 5.2.9
        mishandles recursion, leading to kernel stack
        exhaustion.(CVE-2019-15118)An issue was discovered in
        the Linux kernel before 5.2.6. There is a
        use-after-free caused by a malicious USB device in the
        drivers/media/v4l2-core/v4l2-dev.c driver because
        drivers/media/radio/radio-raremono.c does not properly
        allocate memory.(CVE-2019-15211)An issue was discovered
        in the Linux kernel before 5.0.10. There is a
        use-after-free in the sound subsystem because card
        disconnection causes certain data structures to be
        deleted too early. This is related to sound/core/init.c
        and sound/core/info.c.(CVE-2019-15214)An issue was
        discovered in the Linux kernel before 5.1.8. There is a
        NULL pointer dereference caused by a malicious USB
        device in the drivers/media/usb/siano/smsusb.c
        driver.(CVE-2019-15218)An issue was discovered in the
        Linux kernel before 5.1.8. There is a NULL pointer
        dereference caused by a malicious USB device in the
        drivers/usb/misc/sisusbvga/sisusb.c
        driver.(CVE-2019-15219)An issue was discovered in the
        Linux kernel before 5.2.1. There is a use-after-free
        caused by a malicious USB device in the
        driverset/wireless/intersil/p54/p54usb.c
        driver.(CVE-2019-15220)An issue was discovered in the
        Linux kernel before 5.1.17. There is a NULL pointer
        dereference caused by a malicious USB device in the
        sound/usb/line6/pcm.c driver.(CVE-2019-15221)An issue
        was discovered in the Linux kernel before 5.0.9. There
        is a use-after-free in atalk_proc_exit, related to
        net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and
        net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)An
        issue was discovered in xfs_setattr_nonsize in
        fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9.
        XFS partially wedges when a chgrp fails on account of
        being out of disk quota. xfs_setattr_nonsize is failing
        to unlock the ILOCK after the xfs_qm_vop_chown_reserve
        call fails. This is primarily a local DoS attack
        vector, but it might result as well in remote DoS if
        the XFS filesystem is exported for instance via
        NFS.(CVE-2019-15538)An issue was discovered in the
        Linux kernel before 5.0.19. There is an out-of-bounds
        array access in __xfrm_policy_unlink, which will cause
        denial of service, because verify_newpolicy_info in
        net/xfrm/xfrm_user.c mishandles directory
        validation.(CVE-2019-15666)In the Linux kernel before
        5.1.13, there is a memory leak in
        drivers/scsi/libsas/sas_expander.c when SAS expander
        discovery fails. This will cause a BUG and denial of
        service.(CVE-2019-15807)An issue was discovered in the
        Linux kernel before 5.0.5. There is a use-after-free
        issue when hci_uart_register_dev() fails in
        hci_uart_set_proto() in
        drivers/bluetooth/hci_ldisc.c.(CVE-2019-15917)An issue
        was discovered in the Linux kernel before 5.0.10.
        SMB2_write in fs/cifs/smb2pdu.c has a
        use-after-free.(CVE-2019-15919)An issue was discovered
        in the Linux kernel before 5.0.10. SMB2_read in
        fs/cifs/smb2pdu.c has a use-after-free. NOTE: this was
        not fixed correctly in 5.0.10 see the 5.0.11 ChangeLog,
        which documents a memory leak.(CVE-2019-15920)An issue
        was discovered in the Linux kernel before 5.0.4. The 9p
        filesystem did not protect i_size_write() properly,
        which causes an i_size_read() infinite loop and denial
        of service on SMP systems.(CVE-2019-16413)An issue was
        discovered in can_can_gw_rcv in net/can/gw.c in the
        Linux kernel through 4.19.13. The CAN frame
        modification rules allow bitwise logical operations
        that can be also applied to the can_dlc field. Because
        of a missing check, the CAN drivers may write arbitrary
        content beyond the data registers in the CAN
        controller's I/O memory when processing can-gw
        manipulated outgoing frames. This is related to
        cgw_csum_xor_rel. An unprivileged user can trigger a
        system crash (general protection
        fault).(CVE-2019-3701)A flaw was found in the Linux
        kernel's Marvell wifi chip driver. A heap overflow in
        mwifiex_update_bss_desc_with_ie function in
        marvell/mwifiex/scan.c allows remote attackers to cause
        a denial of service(system crash) or execute arbitrary
        code.(CVE-2019-3846)A new software page cache side
        channel attack scenario was discovered in operating
        systems that implement the very common 'page cache'
        caching mechanism. A malicious user/process could use
        'in memory' page-cache knowledge to infer access
        timings to shared memory and gain knowledge which can
        be used to reduce effectiveness of cryptographic
        strength by monitoring algorithmic behavior, infer
        access patterns of memory to determine code paths
        taken, and exfiltrate data to a blinded attacker
        through page-granularity access times as a
        side-channel.(CVE-2019-5489)In the Android kernel in
        the video driver there is a kernel pointer leak due to
        a WARN_ON statement. This could lead to local
        information disclosure with System execution privileges
        needed. User interaction is not needed for
        exploitation.(CVE-2019-9455)A vulnerability was found
        in the arch/x86/lib/insn-eval.c function in the Linux
        kernel. An attacker could corrupt the memory due to a
        flaw in use-after-free access to an LDT entry caused by
        a race condition between modify_ldt() and a #BR
        exception for an MPX bounds violation.(CVE-2019-13233)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1186
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6d22916d");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Android get_user/put_user Exploit');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/11");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["bpftool-4.19.36-vhulk1907.1.0.h361.eulerosv2r8",
            "kernel-4.19.36-vhulk1907.1.0.h361.eulerosv2r8",
            "kernel-devel-4.19.36-vhulk1907.1.0.h361.eulerosv2r8",
            "kernel-headers-4.19.36-vhulk1907.1.0.h361.eulerosv2r8",
            "kernel-source-4.19.36-vhulk1907.1.0.h361.eulerosv2r8",
            "kernel-tools-4.19.36-vhulk1907.1.0.h361.eulerosv2r8",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h361.eulerosv2r8",
            "perf-4.19.36-vhulk1907.1.0.h361.eulerosv2r8",
            "python-perf-4.19.36-vhulk1907.1.0.h361.eulerosv2r8",
            "python3-perf-4.19.36-vhulk1907.1.0.h361.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1269.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343.(CVE-2018-7191) - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.(CVE-2019-19062) - An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel before 5.0.11. There is a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact, aka CID-19fad20d15a6.(CVE-2019-18805) - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a.(CVE-2019-16994) - An issue was discovered in the Linux kernel before 5.0.6. There is a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c.(CVE-2019-15921) - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.(CVE-2019-15807) - An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.(CVE-2019-15538) - An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel
    last seen2020-03-26
    modified2020-03-20
    plugin id134735
    published2020-03-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134735
    titleEulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-1269)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2984-1.NASL
    descriptionThe SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685). CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described
    last seen2020-06-01
    modified2020-06-02
    plugin id131120
    published2019-11-18
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131120
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2019:2984-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-5508.NASL
    descriptionDescription of changes: [4.1.12-124.35.1.el7uek] - ixgbe: protect TX timestamping from API misuse (Manjunath Patil) [Orabug: 30275491] - block: init flush rq ref count to 1 (Josef Bacik) [Orabug: 30360559] - block: fix NULL pointer dereference in blk_mq_rq_timed_out() (Yufen Yu) [Orabug: 30360559] - blk-mq: Remove generation seqeunce (Keith Busch) [Orabug: 30360559] - scsi: libsas: delete sas port if expander discover failed (Jason Yan) [Orabug: 30580687] {CVE-2019-15807} - scsi: qla2xxx: fix a potential NULL pointer dereference (Allen Pais) [Orabug: 30618784] {CVE-2019-16233} - printk: Default console logging level should be set to 4 (Boris Ostrovsky) [Orabug: 30657070] [4.1.12-124.34.2.el7uek] - scsi: lpfc: Remove lpfc_enable_pbde as module parameter (James Smart) [Orabug: 30569875] - scsi: lpfc: Make PBDE optimizations configurable (James Smart) [Orabug: 30569875] - scsi: lpfc: Update driver version to 11.4.0.8 and Copyright updates (Ketan Mukadam) [Orabug: 30569875] - scsi: lpfc: Fix ELS abort on SLI-3 adapters (James Smart) [Orabug: 30569875] - scsi: lpfc: Correct race with abort on completion path (James Smart) [Orabug: 30569875] - scsi: lpfc: update manufacturer attribute to reflect Broadcom (James Smart) [Orabug: 30569875] [Orabug: 29212758] - scsi: lpfc: Enable Management features for IF_TYPE=6 (James Smart) [Orabug: 30569875] [Orabug: 29212758] - scsi: lpfc: Correct topology type reporting on G7 adapters (James Smart) [Orabug: 30569875] [Orabug: 29212758] - scsi: lpfc: Correct invalid EQ doorbell write on if_type=6 (James Smart) [Orabug: 30569875] - scsi: lpfc: Fix driver not setting dpp bits correctly in doorbell word (James Smart) [Orabug: 30569875] - scsi: lpfc: Enhance log messages when reporting CQE errors (James Smart) [Orabug: 30569875] - scsi: lpfc: Fix frequency of Release WQE CQEs (James Smart) [Orabug: 30569875] - scsi: lpfc: Code cleanup for 128byte wqe data type (James Smart) [Orabug: 30569875] - scsi: lpfc: use __raw_writeX on DPP copies (James Smart) [Orabug: 30569875] - scsi: lpfc: Add embedded data pointers for enhanced performance (James Smart) [Orabug: 30569875] - scsi: lpfc: Enable fw download on if_type=6 devices (James Smart) [Orabug: 30569875] - scsi: lpfc: Add if_type=6 support for cycling valid bits (James Smart) [Orabug: 30569875] - scsi: lpfc: Add 64G link speed support (James Smart) [Orabug: 30569875] - scsi: lpfc: Add PCI Ids for if_type=6 hardware (James Smart) [Orabug: 30569875] - scsi: lpfc: Add push-to-adapter support to sli4 (James Smart) [Orabug: 30569875] - scsi: lpfc: Add SLI-4 if_type=6 support to the code base (James Smart) [Orabug: 30569875] - scsi: lpfc: Rework sli4 doorbell infrastructure (James Smart) [Orabug: 30569875] - scsi: lpfc: Rework lpfc to allow different sli4 cq and eq handlers (James Smart) [Orabug: 30569875] - x86/bugs: use check_bugs instead of microcode_late_select_mitigation (Mihai Carabas) [Orabug: 30332499] - x86/bugs: spec_ctrl_mutex taken in stop_machine context (Mihai Carabas) [Orabug: 30332499] - x86/microcode: moved cpu feature late eval to stop_machine (Mihai Carabas) [Orabug: 30332499] - x86/cpu: Re-apply forced caps every time CPU caps are re-read (Andy Lutomirski) [Orabug: 30332499] - x86/microcode/intel: Check microcode revision before updating sibling threads (Ashok Raj) [Orabug: 30332499] - tracing: Fix possible double free on failure of allocating trace buffer (Steven Rostedt (VMware)) [Orabug: 30633873] {CVE-2017-18595}
    last seen2020-06-01
    modified2020-06-02
    plugin id132762
    published2020-01-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132762
    titleOracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5508)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0266_KERNEL-RT.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities: - The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a
    last seen2020-06-01
    modified2020-06-02
    plugin id132499
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132499
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0266)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-5512.NASL
    descriptionDescription of changes: [2.6.39-400.318.1.el6uek] - x86/speculation: Determine swapgs before alternative instructions are set (Patrick Colp) [Orabug: 30379640] - scsi: libsas: delete sas port if expander discover failed (Jason Yan) [Orabug: 30580689] {CVE-2019-15807}
    last seen2020-06-01
    modified2020-06-02
    plugin id132946
    published2020-01-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132946
    titleOracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2020-5512)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1919.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. This updated advisory text mentions the additional non-security changes and notes the need to install new binary packages. CVE-2019-0136 It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages. A nearby attacker could use this for denial of service (loss of wifi connectivity). CVE-2019-9506 Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the
    last seen2020-04-01
    modified2019-09-16
    plugin id128779
    published2019-09-16
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128779
    titleDebian DLA-1919-2 : linux-4.9 security update
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0264_KERNEL.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a
    last seen2020-06-01
    modified2020-06-02
    plugin id132490
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132490
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0264)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2949-1.NASL
    descriptionThe SUSE Linux Enterprise 12-SP3 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685). CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described
    last seen2020-06-01
    modified2020-06-02
    plugin id130949
    published2019-11-13
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130949
    titleSUSE SLES12 Security Update : kernel (SUSE-SU-2019:2949-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2353.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):The yam_ioctl function in drivers et/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call.(CVE-2014-1446)The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.(CVE-2015-1350)A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.(CVE-2015-3332)The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device.(CVE-2015-8816)In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows larger values such as 23.(CVE-2015-9289)The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2184)The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2185)The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2186)The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2187)Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor.(CVE-2016-2384)The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint.(CVE-2016-2782)The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor.(CVE-2016-3138)The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-3139)The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-3140)The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface.(CVE-2016-3689)The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface.(CVE-2016-4569)sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.(CVE-2016-4578)The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.(CVE-2016-4580)The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code.(CVE-2016-7425)The Linux Kernel running on AMD64 systems will sometimes map the contents of PIE executable, the heap or ld.so to where the stack is mapped allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected.(CVE-2017-1000379)In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a buffer overread is observed in nl80211_set_station when user space application sends attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE with data of size less than 4 bytes(CVE-2017-11089)An elevation of privilege vulnerability in the kernel sound timer. Product: Android. Versions: Android kernel. Android ID A-37240993.(CVE-2017-13167)In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-66954097.(CVE-2017-13216)A information disclosure vulnerability in the Upstream kernel encrypted-keys. Product: Android. Versions: Android kernel. Android ID: A-70526974.(CVE-2017-13305)An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access.(CVE-2017-14051)The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.(CVE-2017-18232)An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of the ip6_mroute_* functions. NOTE: this affects Linux distributions that use 4.9.x longterm kernels before 4.9.187.(CVE-2017-18509)An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.(CVE-2017-18551)An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.(CVE-2017-18595)The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.(CVE-2017-7261)The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.(CVE-2017-7472)The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value.(CVE-2018-10087)The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.(CVE-2018-10124)The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.(CVE-2018-10322)The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.(CVE-2018-10323)The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.(CVE-2018-10675)Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service.(CVE-2018-10880)An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls.(CVE-2018-12896)An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.(CVE-2018-17972)An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658.(CVE-2018-18710 )An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers et/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.(CVE-2018-20511)An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.(CVE-2018-20856)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.(CVE-2018-3693)In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.(CVE-2018-6412)In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.(CVE-2018-9518 )Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.(CVE-2019-0136)A vulnerability was found in Linux kernel
    last seen2020-05-08
    modified2019-12-10
    plugin id131845
    published2019-12-10
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131845
    titleEulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-2353)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2274.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.(CVE-2017-5754)The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.(CVE-2017-5897)The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.(CVE-2017-7261)The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.(CVE-2017-7472)A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this.(CVE-2017-7518)The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.(CVE-2018-10124)The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.(CVE-2018-10323)The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery.(CVE-2018-1066)The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.(CVE-2018-10675)An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp.(CVE-2018-13094)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.(CVE-2018-3693)In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.(CVE-2018-6412)Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck directory. NOTE: a third party has indicated that this report is not security relevant.(CVE-2018-7995)In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.(CVE-2018-9363)In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.(CVE-2018-9518)A vulnerability was found in Linux kernel
    last seen2020-05-08
    modified2019-11-08
    plugin id130736
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130736
    titleEulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2274)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-3_0-0026_LINUX.NASL
    descriptionAn update of the linux package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id128732
    published2019-09-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128732
    titlePhoton OS 3.0: Linux PHSA-2019-3.0-0026