Vulnerabilities > CVE-2019-15807 - Memory Leak vulnerability in multiple products
Attack vector
LOCAL Attack complexity
HIGH Privileges required
LOW Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2950-1.NASL description The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel KVM hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described last seen 2020-06-01 modified 2020-06-02 plugin id 130950 published 2019-11-13 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130950 title SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2950-1) (SACK Panic) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2019:2950-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(130950); script_version("1.2"); script_cvs_date("Date: 2019/12/12"); script_cve_id("CVE-2016-10906", "CVE-2017-18509", "CVE-2017-18551", "CVE-2017-18595", "CVE-2018-12207", "CVE-2018-20976", "CVE-2019-10207", "CVE-2019-10220", "CVE-2019-11135", "CVE-2019-11477", "CVE-2019-14814", "CVE-2019-14815", "CVE-2019-14816", "CVE-2019-14821", "CVE-2019-14835", "CVE-2019-15098", "CVE-2019-15118", "CVE-2019-15212", "CVE-2019-15215", "CVE-2019-15216", "CVE-2019-15217", "CVE-2019-15218", "CVE-2019-15219", "CVE-2019-15220", "CVE-2019-15221", "CVE-2019-15290", "CVE-2019-15291", "CVE-2019-15505", "CVE-2019-15807", "CVE-2019-15902", "CVE-2019-15926", "CVE-2019-15927", "CVE-2019-16232", "CVE-2019-16233", "CVE-2019-16234", "CVE-2019-16413", "CVE-2019-17055", "CVE-2019-17056", "CVE-2019-9456", "CVE-2019-9506"); script_name(english:"SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2950-1) (SACK Panic)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel KVM hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described 'Microarchitectural Data Sampling' attack. The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW). The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251 CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457). CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903). CVE-2019-16232: Fix a potential NULL pointer dereference in the Marwell libertas driver (bsc#1150465). CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452). CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bnc#1152782). CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788). CVE-2019-16413: The 9p filesystem did not protect i_size_write() properly, which caused an i_size_read() infinite loop and denial of service on SMP systems (bnc#1151347). CVE-2019-15902: A backporting issue was discovered that re-introduced the Spectre vulnerability it had aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped (bnc#1149376). CVE-2019-15291: Fixed a NULL pointer dereference issue that could be caused by a malicious USB device (bnc#11465). CVE-2019-15807: Fixed a memory leak in the SCSI module that could be abused to cause denial of service (bnc#1148938). CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's KVM hypervisor. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system (bnc#1151350). CVE-2019-15505: An out-of-bounds issue had been fixed that could be caused by crafted USB device traffic (bnc#1147122). CVE-2017-18595: A double free in allocate_trace_buffer was fixed (bnc#1149555). CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost functionality that translates virtqueue buffers to IOVs. A privileged guest user able to pass descriptors with invalid length to the host could use this flaw to increase their privileges on the host (bnc#1150112). CVE-2019-15216: A NULL pointer dereference was fixed that could be malicious USB device (bnc#1146361). CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been fixed. This issue could lead to local escalation of privilege with System execution privileges needed. (bnc#1150025). CVE-2019-15926: An out-of-bounds access was fixed in the drivers/net/wireless/ath/ath6kl module. (bnc#1149527). CVE-2019-15927: An out-of-bounds access was fixed in the sound/usb/mixer module (bnc#1149522). CVE-2019-15219: A NULL pointer dereference was fixed that could be abused by a malicious USB device (bnc#1146524). CVE-2019-15220: A use-after-free issue was fixed that could be caused by a malicious USB device (bnc#1146526). CVE-2019-15221: A NULL pointer dereference was fixed that could be caused by a malicious USB device (bnc#1146529). CVE-2019-14814: A heap-based buffer overflow was fixed in the marvell wifi chip driver. That issue allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146512). CVE-2019-14815: A missing length check while parsing WMM IEs was fixed (bsc#1146512, bsc#1146514, bsc#1146516). CVE-2019-14816: A heap-based buffer overflow in the marvell wifi chip driver was fixed. Local users would have abused this issue to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146516). CVE-2017-18509: An issue in net/ipv6 as fixed. By setting a specific socket option, an attacker could control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. (bnc#1145477) CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently low encryption key length and did not prevent an attacker from influencing the key length negotiation. This allowed practical brute-force attacks (aka 'KNOB') that could decrypt traffic and inject arbitrary ciphertext without the victim noticing (bnc#1137865). CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath was fixed (bnc#1146378). CVE-2019-15290: A NULL pointer dereference in ath6kl_usb_alloc_urb_from_pipe was fixed (bsc#1146378). CVE-2019-15212: A double-free issue was fixed in drivers/usb driver (bnc#1146391). CVE-2016-10906: A use-after-free issue was fixed in drivers/net/ethernet/arc (bnc#1146584). CVE-2019-15217: A a NULL pointer dereference issue caused by a malicious USB device was fixed in the drivers/media/usb/zr364xx driver (bnc#1146519). CVE-2019-15218: A NULL pointer dereference caused by a malicious USB device was fixed in the drivers/media/usb/siano driver (bnc#1146413). CVE-2019-15215: A use-after-free issue caused by a malicious USB device was fixed in the drivers/media/usb/cpia2 driver (bnc#1146425). CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver (bnc#1146285). CVE-2017-18551: An out-of-bounds write was fixed in the drivers/i2c driver (bnc#1146163). CVE-2019-10207: Add checks for missing tty operations to prevent unprivileged user to execute 0x0 address (bsc#1142857 bsc#1123959) CVE-2019-15118: ALSA: usb-audio: Fix a stack-based buffer overflow bug in check_input_term leading to kernel stack exhaustion (bsc#1145922). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1117665" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1123959" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1137586" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1137865" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1137944" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1139073" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1139751" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1142857" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1144903" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1145477" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1145922" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146042" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146163" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146285" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146361" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146378" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146391" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146413" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146425" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146512" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146514" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146516" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146519" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146524" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146526" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146529" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146540" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146543" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146547" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146584" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146612" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1147122" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1148938" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1149376" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1149522" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1149527" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1149555" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1150025" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1150112" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1150452" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1150457" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1150465" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1151347" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1151350" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1152782" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1152788" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1153119" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1155671" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=999278" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2016-10906/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-18509/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-18551/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-18595/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-12207/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-20976/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-10207/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-10220/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11135/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11477/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-14814/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-14815/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-14816/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-14821/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-14835/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15098/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15118/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15212/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15215/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15216/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15217/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15218/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15219/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15220/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15221/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15290/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15291/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15505/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15807/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15902/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15926/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15927/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-16232/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-16233/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-16234/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-16413/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-17055/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-17056/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-9456/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-9506/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/support/kb/doc/?id=7023735" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/support/kb/doc/?id=7024251" ); # https://www.suse.com/support/update/announcement/2019/suse-su-20192950-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?00e1d55f" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch SUSE-SLE-SAP-12-SP1-2019-2950=1 SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2019-2950=1 SUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2019-2950=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-default-man"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_124-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_124-xen"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/19"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/13"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-base-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-base-debuginfo-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-debuginfo-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-debugsource-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kernel-xen-devel-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kgraft-patch-3_12_74-60_64_124-default-1-2.3.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"kgraft-patch-3_12_74-60_64_124-xen-1-2.3.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", cpu:"s390x", reference:"kernel-default-man-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-base-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-base-debuginfo-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-debuginfo-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-debugsource-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-default-devel-3.12.74-60.64.124.1")) flag++; if (rpm_check(release:"SLES12", sp:"1", reference:"kernel-syms-3.12.74-60.64.124.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1930.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2016-10905 A race condition was discovered in the GFS2 file-system implementation, which could lead to a use-after-free. On a system using GFS2, a local attacker could use this for denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2018-20976 It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear. CVE-2018-21008 It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear. CVE-2019-0136 It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages. A nearby attacker could use this for denial of service (loss of wifi connectivity). CVE-2019-9506 Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the last seen 2020-06-01 modified 2020-06-02 plugin id 129361 published 2019-09-26 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129361 title Debian DLA-1930-1 : linux security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1930-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(129361); script_version("1.2"); script_cvs_date("Date: 2019/12/23"); script_cve_id("CVE-2016-10905", "CVE-2018-20976", "CVE-2018-21008", "CVE-2019-0136", "CVE-2019-14814", "CVE-2019-14815", "CVE-2019-14816", "CVE-2019-14821", "CVE-2019-14835", "CVE-2019-15117", "CVE-2019-15118", "CVE-2019-15211", "CVE-2019-15212", "CVE-2019-15215", "CVE-2019-15218", "CVE-2019-15219", "CVE-2019-15220", "CVE-2019-15221", "CVE-2019-15292", "CVE-2019-15807", "CVE-2019-15917", "CVE-2019-15926", "CVE-2019-9506"); script_name(english:"Debian DLA-1930-1 : linux security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2016-10905 A race condition was discovered in the GFS2 file-system implementation, which could lead to a use-after-free. On a system using GFS2, a local attacker could use this for denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2018-20976 It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear. CVE-2018-21008 It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear. CVE-2019-0136 It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages. A nearby attacker could use this for denial of service (loss of wifi connectivity). CVE-2019-9506 Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the 'KNOB attack'. An attacker that is nearby during pairing could use this to weaken the encryption used between the paired devices, and then to eavesdrop on and/or spoof communication between them. This update mitigates the attack by requiring a minimum encryption key length of 56 bits. CVE-2019-14814, CVE-2019-14815, CVE-2019-14816 Multiple bugs were discovered in the mwifiex wifi driver, which could lead to heap buffer overflows. A local user permitted to configure a device handled by this driver could probably use this for privilege escalation. CVE-2019-14821 Matt Delco reported a race condition in KVM's coalesced MMIO facility, which could lead to out-of-bounds access in the kernel. A local attacker permitted to access /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-14835 Peter Pi of Tencent Blade Team discovered a missing bounds check in vhost_net, the network back-end driver for KVM hosts, leading to a buffer overflow when the host begins live migration of a VM. An attacker in control of a VM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation on the host. CVE-2019-15117 Hui Peng and Mathias Payer reported a missing bounds check in the usb-audio driver's descriptor parsing code, leading to a buffer over-read. An attacker able to add USB devices could possibly use this to cause a denial of service (crash). CVE-2019-15118 Hui Peng and Mathias Payer reported unbounded recursion in the usb-audio driver's descriptor parsing code, leading to a stack overflow. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15211 The syzkaller tool found a bug in the radio-raremono driver that could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15212 The syzkaller tool found that the rio500 driver does not work correctly if more than one device is bound to it. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15215 The syzkaller tool found a bug in the cpia2_usb driver that leads to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15218 The syzkaller tool found that the smsusb driver did not validate that USB devices have the expected endpoints, potentially leading to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops). CVE-2019-15219 The syzkaller tool found that a device initialisation error in the sisusbvga driver could lead to a NULL pointer dereference. An attacker able to add USB devices could use this to cause a denial of service (BUG/oops). CVE-2019-15220 The syzkaller tool found a race condition in the p54usb driver which could lead to a use-after-free. An attacker able to add and remove USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15221 The syzkaller tool found that the line6 driver did not validate USB devices' maximum packet sizes, which could lead to a heap buffer overrun. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15292 The Hulk Robot tool found missing error checks in the Appletalk protocol implementation, which could lead to a use-after-free. The security impact of this is unclear. CVE-2019-15807 Jian Luo reported that the Serial Attached SCSI library (libsas) did not correctly handle failure to discover devices beyond a SAS expander. This could lead to a resource leak and crash (BUG). The security impact of this is unclear. CVE-2019-15917 The syzkaller tool found a race condition in code supporting UART-attached Bluetooth adapters, which could lead to a use- after-free. A local user with access to a pty device or other suitable tty device could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-15926 It was found that the ath6kl wifi driver did not consistently validate traffic class numbers in received control packets, leading to out-of-bounds memory accesses. A nearby attacker on the same wifi network could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. For Debian 8 'Jessie', these problems have been fixed in version 3.16.74-1. We recommend that you upgrade your linux packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/linux" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-arm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-x86"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-x86"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-3.16"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-586"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-686-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armhf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-i386"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp-lpae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-ixp4xx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-kirkwood"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-orion5x"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-versatile"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-586"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp-lpae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-ixp4xx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-kirkwood"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-orion5x"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-versatile"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-libc-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-3.16"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-3.16"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-3.16.0-9"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-linux-system-3.16.0-9-amd64"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/13"); script_set_attribute(attribute:"patch_publication_date", value:"2019/09/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.74-1")) flag++; if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.74-1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2201.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):An issue was discovered in the Linux kernel before 5.2.3. Out of bounds access exists in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file driverset/wireless/ath/ath6kl/wmi.c.(CVE-2019-15926)An issue was discovered in the Linux kernel before 5.0.6. There is a memory leak issue when idr_alloc() fails in genl_register_family() in netetlink/genetlink.c.(CVE-2019-15921)An issue was discovered in the Linux kernel before 4.20.2. An out-of-bounds access exists in the function build_audio_procunit in the file sound/usb/mixer.c.(CVE-2019-15927)An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.(CVE-2019-15807)A vulnerability was found in Linux kernel last seen 2020-05-08 modified 2019-11-08 plugin id 130663 published 2019-11-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130663 title EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2201) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(130663); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07"); script_cve_id( "CVE-2018-10853", "CVE-2018-1128", "CVE-2018-20976", "CVE-2018-7492", "CVE-2019-10140", "CVE-2019-10142", "CVE-2019-10207", "CVE-2019-10638", "CVE-2019-1125", "CVE-2019-12818", "CVE-2019-14814", "CVE-2019-14815", "CVE-2019-14816", "CVE-2019-14821", "CVE-2019-14835", "CVE-2019-15098", "CVE-2019-15099", "CVE-2019-15118", "CVE-2019-15218", "CVE-2019-15219", "CVE-2019-15220", "CVE-2019-15221", "CVE-2019-15239", "CVE-2019-15292", "CVE-2019-15505", "CVE-2019-15538", "CVE-2019-15807", "CVE-2019-15921", "CVE-2019-15924", "CVE-2019-15926", "CVE-2019-15927", "CVE-2019-16233", "CVE-2019-16413", "CVE-2019-17052", "CVE-2019-17053", "CVE-2019-17054", "CVE-2019-17055", "CVE-2019-17056" ); script_name(english:"EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2201)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):An issue was discovered in the Linux kernel before 5.2.3. Out of bounds access exists in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file driverset/wireless/ath/ath6kl/wmi.c.(CVE-2019-15926)An issue was discovered in the Linux kernel before 5.0.6. There is a memory leak issue when idr_alloc() fails in genl_register_family() in netetlink/genetlink.c.(CVE-2019-15921)An issue was discovered in the Linux kernel before 4.20.2. An out-of-bounds access exists in the function build_audio_procunit in the file sound/usb/mixer.c.(CVE-2019-15927)An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.(CVE-2019-15807)A vulnerability was found in Linux kernel's, versions up to 3.10, implementation of overlayfs. An attacker with local access can create a denial of service situation via NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with ability to create directories on overlayfs to crash the kernel creating a denial of service (DOS).(CVE-2019-10140)In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation.(CVE-2019-15239)check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.(CVE-2019-15118)drivers et/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2.8 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.(CVE-2019-15099)drivers et/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.(CVE-2019-15098)A flaw was found in the Linux kernel's Bluetooth implementation of UART. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.(CVE-2019-10207)It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service. Ceph branches master, mimic, luminous and jewel are believed to be vulnerable.(CVE-2018-1128)ax25_create in net/ax25/af_ax25.c in the AF_AX25 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-0614e2b73768.(CVE-2019-17052)ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7.(CVE-2019-17053)atalk_create in net/appletalk/ddp.c in the AF_APPLETALK network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-6cc03e8aa36c.(CVE-2019-17054)base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21.(CVE-2019-17055)llcp_sock_create in net fc/llcp_sock.c in the AF_NFC network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-3a359798b176.(CVE-2019-17056)A flaw was found in the Linux kernel's freescale hypervisor manager implementation, kernel versions 5.0.x up to, excluding 5.0.17. A parameter passed to an ioctl was incorrectly validated and used in size calculations for the page size calculation. An attacker can use this flaw to crash the system, corrupt memory, or create other adverse security affects.(CVE-2019-10142)drivers/media/usb/dvb-usb/techn isat-usb2.c in the Linux kernel through 5.2.9 has an out-of-bounds read via crafted USB device traffic (which may be remote via usbip or usbredir).(CVE-2019-15505)An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.(CVE-2019-16413)An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.(CVE-2019-15538)A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host.(CVE-2019-14835)An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system.(CVE-2019-14821)An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory, aka 'Windows Kernel Information Disclosure Vulnerability'. (CVE-2019-1125)drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16233)An issue was discovered in the Linux kernel before 5.0.11. fm10k_init_module in drivers et/ethernet/intel/fm10k/fm10k_main.c has a NULL pointer dereference because there is no -ENOMEM upon an alloc_workqueue failure.(CVE-2019-15924)An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the drivers et/wireless/intersil/p54/p54usb.c driver.(CVE-2019-15220 )In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses.(CVE-2019-10638)There is heap-based buffer overflow in Linux kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.( CVE-2019-14814)** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.( CVE-2019-14815)There is heap-based buffer overflow in kernel, all versions up to, excluding 5.3, in the marvell wifi chip driver in Linux kernel, that allows local users to cause a denial of service(system crash) or possibly execute arbitrary code.( CVE-2019-14816)A flaw was found in the way Linux kernel KVM hypervisor emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest.(CVE-2018-10853)A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function in the Linux kernel before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST.(CVE-2018-7492)An issue was discovered in the Linux kernel before 4.20.15. The nfc_llcp_build_tlv function in net fc/llcp_commands.c may return NULL. If the caller does not check for this, it will trigger a NULL pointer dereference. This will cause denial of service. This affects nfc_llcp_build_gb in netfc/llcp_core.c.(CVE-2019-12818)An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.(CVE-2019-15218)An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver.(CVE-2019-15219)An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.(CVE-2019-15221) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2201 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b3a7512b"); script_set_attribute(attribute:"solution", value: "Update the affected kernel packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["kernel-3.10.0-862.14.1.2.h291.eulerosv2r7", "kernel-devel-3.10.0-862.14.1.2.h291.eulerosv2r7", "kernel-headers-3.10.0-862.14.1.2.h291.eulerosv2r7", "kernel-tools-3.10.0-862.14.1.2.h291.eulerosv2r7", "kernel-tools-libs-3.10.0-862.14.1.2.h291.eulerosv2r7", "perf-3.10.0-862.14.1.2.h291.eulerosv2r7", "python-perf-3.10.0-862.14.1.2.h291.eulerosv2r7"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-5511.NASL description Description of changes: kernel-uek [3.8.13-118.42.1.el7uek] - scsi: libsas: delete sas port if expander discover failed (Jason Yan) [Orabug: 30580688] {CVE-2019-15807} last seen 2020-06-01 modified 2020-06-02 plugin id 132945 published 2020-01-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132945 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5511) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Oracle Linux Security Advisory ELSA-2020-5511. # include("compat.inc"); if (description) { script_id(132945); script_version("1.2"); script_cvs_date("Date: 2020/01/21"); script_cve_id("CVE-2019-15807"); script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5511)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Description of changes: kernel-uek [3.8.13-118.42.1.el7uek] - scsi: libsas: delete sas port if expander discover failed (Jason Yan) [Orabug: 30580688] {CVE-2019-15807}" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2020-January/009515.html" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2020-January/009516.html" ); script_set_attribute( attribute:"solution", value:"Update the affected unbreakable enterprise kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.42.1.el6uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.42.1.el7uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/29"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/16"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6 / 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2019-15807"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2020-5511"); } else { __rpm_report = ksplice_reporting_text(); } } kernel_major_minor = get_kb_item("Host/uname/major_minor"); if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level."); expected_kernel_major_minor = "3.8"; if (kernel_major_minor != expected_kernel_major_minor) audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor); flag = 0; if (rpm_check(release:"EL6", cpu:"x86_64", reference:"dtrace-modules-3.8.13-118.42.1.el6uek-0.4.5-3.el6")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-3.8.13-118.42.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-3.8.13-118.42.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-debug-devel-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-debug-devel-3.8.13-118.42.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-devel-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-devel-3.8.13-118.42.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-doc-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-doc-3.8.13-118.42.1.el6uek")) flag++; if (rpm_exists(release:"EL6", rpm:"kernel-uek-firmware-3.8.13") && rpm_check(release:"EL6", cpu:"x86_64", reference:"kernel-uek-firmware-3.8.13-118.42.1.el6uek")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"dtrace-modules-3.8.13-118.42.1.el7uek-0.4.5-3.el7")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-3.8.13-118.42.1.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-3.8.13-118.42.1.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-3.8.13-118.42.1.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-3.8.13-118.42.1.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-3.8.13-118.42.1.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-firmware-3.8.13") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-firmware-3.8.13-118.42.1.el7uek")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel"); }NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1186.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.(CVE-2012-3400)The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.(CVE-2013-2164)The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.(CVE-2013-2206)The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.(CVE-2013-6282)An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.(CVE-2018-20836)The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.(CVE-2019-11486)The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests.(CVE-2019-11487)The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.(CVE-2019-11599)A n issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free.(CVE-2019-11810)An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.(CVE-2019-11811)A flaw was found in the Linux kernel last seen 2020-05-03 modified 2020-03-11 plugin id 134387 published 2020-03-11 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134387 title EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1186) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(134387); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/01"); script_cve_id( "CVE-2012-3400", "CVE-2013-2164", "CVE-2013-2206", "CVE-2013-6282", "CVE-2018-16880", "CVE-2018-20836", "CVE-2019-11486", "CVE-2019-11487", "CVE-2019-11599", "CVE-2019-11810", "CVE-2019-11811", "CVE-2019-11815", "CVE-2019-11833", "CVE-2019-12378", "CVE-2019-12380", "CVE-2019-12381", "CVE-2019-12382", "CVE-2019-12455", "CVE-2019-12456", "CVE-2019-12614", "CVE-2019-12615", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-13631", "CVE-2019-14283", "CVE-2019-15118", "CVE-2019-15211", "CVE-2019-15214", "CVE-2019-15218", "CVE-2019-15219", "CVE-2019-15220", "CVE-2019-15221", "CVE-2019-15292", "CVE-2019-15538", "CVE-2019-15666", "CVE-2019-15807", "CVE-2019-15917", "CVE-2019-15919", "CVE-2019-15920", "CVE-2019-15925", "CVE-2019-16413", "CVE-2019-18805", "CVE-2019-3701", "CVE-2019-3819", "CVE-2019-3846", "CVE-2019-3882", "CVE-2019-3900", "CVE-2019-5489", "CVE-2019-8956", "CVE-2019-9455" ); script_bugtraq_id( 54279, 60375, 60715, 63734 ); script_name(english:"EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1186)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel before 3.4.5 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem.(CVE-2012-3400)The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.(CVE-2013-2164)The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.(CVE-2013-2206)The (1) get_user and (2) put_user API functions in the Linux kernel before 3.5.5 on the v6k and v7 ARM platforms do not validate certain addresses, which allows attackers to read or modify the contents of arbitrary kernel memory locations via a crafted application, as exploited in the wild against Android devices in October and November 2013.(CVE-2013-6282)An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free.(CVE-2018-20836)The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.(CVE-2019-11486)The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests.(CVE-2019-11487)The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.(CVE-2019-11599)A n issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service, related to a use-after-free.(CVE-2019-11810)An issue was discovered in the Linux kernel before 5.0.4. There is a use-after-free upon attempted read access to /proc/ioports after the ipmi_si module is removed, related to drivers/char/ipmi/ipmi_si_intf.c, drivers/char/ipmi/ipmi_si_mem_io.c, and drivers/char/ipmi/ipmi_si_port_io.c.(CVE-2019-11811)A flaw was found in the Linux kernel's handle_rx() function in the [vhost_net] driver. A malicious virtual guest, under specific conditions, can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host which may lead to a kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. Versions from v4.16 and newer are vulnerable.(CVE-2018-16880)An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.(CVE-2019-11815)A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user ('root') can cause a system lock up and a denial of service. Versions from v4.18 and newer are vulnerable.(CVE-2019-3819)A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable.(CVE-2019-3882)An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario.(CVE-2019-3900)In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-free error in the 'sctp_sendmsg()' function (net/sctp/socket.c) when handling SCTP_SENDALL flag can be exploited to corrupt memory.(CVE-2019-8956)A flaw was found in the Linux kernel's implementation of ext4 extent management. The kernel doesn't correctly initialize memory regions in the extent tree block which may be exported to a local user to obtain sensitive information by reading empty/uninitialized data from the filesystem.(CVE-2019-11833)An issue was discovered in drm_load_edid_firmware in drivers/gpu/drm/drm_edid_load.c in the Linux kernel through 5.1.5. There is an unchecked kstrdup of fwstr, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: The vendor disputes this issues as not being a vulnerability because kstrdup() returning NULL is handled sufficiently and there is no chance for a NULL pointer dereference.(CVE-2019-12382)An issue was discovered in the efi subsystem in the Linux kernel through 5.1.5. phys_efi_set_virtual_address_map in arch/x86/platform/efi/efi.c and efi_call_phys_prolog in arch/x86/platform/efi/efi_64.c mishandle memory allocation failures. NOTE: This id is disputed as not being an issue because ?All the code touched by the referenced commit runs only at boot, before any user processes are started. Therefore, there is no possibility for an unprivileged user to control it.(CVE-2019-12380)An issue was discovered in the Linux kernel before 5.2.3. An out of bounds access exists in the function hclge_tm_schd_mode_vnet_base_cfg in the file drivers et/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.(CVE-2019- 15925)An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup of prop-i1/4zname, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).(CVE-2019-12614)An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel before 5.0.11. There is a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/syset/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact, aka CID-19fad20d15a6.(CVE-2019-18805)A flaw was found in the way PTRACE_TRACEME functionality was handled in the Linux kernel. The kernel's implementation of ptrace can inadvertently grant elevated permissions to an attacker who can then abuse the relationship between the tracer and the process being traced. This flaw could allow a local, unprivileged user to increase their privileges on the system or cause a denial of service.(CVE-2019-13272)An issue was discovered in ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This has been disputed as not an issue.(CVE-2019-12378)An issue was discovered in ip_ra_control in net/ipv4/ip_sockglue.c in the Linux kernel through 5.1.5. There is an unchecked kmalloc of new_ra, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: this is disputed because new_ra is never used if it is NULL.(CVE-2019-12381)An issue was discovered in sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c in the Linux kernel through 5.1.5. There is an unchecked kstrndup of derived_name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). NOTE: This id is disputed as not being an issue because 'The memory allocation that was not checked is part of a code that only runs at boot time, before user processes are started. Therefore, there is no possibility for an unprivileged user to control it, and no denial of service.'.(CVE-2019-12455)An issue was discovered in the MPT3COMMAND case in _ctl_ioctl_main in drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel through 5.1.5. It allows local users to cause a denial of service or possibly have unspecified other impact by changing the value of ioc_number between two kernel reads of that value, aka a ''double fetch'' vulnerability. NOTE: a third party reports that this is unexploitable because the doubly fetched value is not used.(CVE-2019-12456)An issue was discovered in get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup_const of node_info-i1/4zvdev_port.name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash).(CVE-2019-12615)In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages.(CVE-2019-13631)A vulnerability was found in the Linux kernelaEURtms floppy disk driver implementation. A local attacker with access to the floppy device could call set_geometry in drivers/block/floppy.c, which does not validate the sect and head fields, causing an integer overflow and out-of-bounds read. This flaw may crash the system or allow an attacker to gather information causing subsequent successful attacks.(CVE-2019-14283)check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion.(CVE-2019-15118)An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory.(CVE-2019-15211)An issue was discovered in the Linux kernel before 5.0.10. There is a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c.(CVE-2019-15214)An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver.(CVE-2019-15218)An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/sisusbvga/sisusb.c driver.(CVE-2019-15219)An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the driverset/wireless/intersil/p54/p54usb.c driver.(CVE-2019-15220)An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver.(CVE-2019-15221)An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.(CVE-2019-15538)An issue was discovered in the Linux kernel before 5.0.19. There is an out-of-bounds array access in __xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandles directory validation.(CVE-2019-15666)In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.(CVE-2019-15807)An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c.(CVE-2019-15917)An issue was discovered in the Linux kernel before 5.0.10. SMB2_write in fs/cifs/smb2pdu.c has a use-after-free.(CVE-2019-15919)An issue was discovered in the Linux kernel before 5.0.10. SMB2_read in fs/cifs/smb2pdu.c has a use-after-free. NOTE: this was not fixed correctly in 5.0.10 see the 5.0.11 ChangeLog, which documents a memory leak.(CVE-2019-15920)An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.(CVE-2019-16413)An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames. This is related to cgw_csum_xor_rel. An unprivileged user can trigger a system crash (general protection fault).(CVE-2019-3701)A flaw was found in the Linux kernel's Marvell wifi chip driver. A heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c allows remote attackers to cause a denial of service(system crash) or execute arbitrary code.(CVE-2019-3846)A new software page cache side channel attack scenario was discovered in operating systems that implement the very common 'page cache' caching mechanism. A malicious user/process could use 'in memory' page-cache knowledge to infer access timings to shared memory and gain knowledge which can be used to reduce effectiveness of cryptographic strength by monitoring algorithmic behavior, infer access patterns of memory to determine code paths taken, and exfiltrate data to a blinded attacker through page-granularity access times as a side-channel.(CVE-2019-5489)In the Android kernel in the video driver there is a kernel pointer leak due to a WARN_ON statement. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.(CVE-2019-9455)A vulnerability was found in the arch/x86/lib/insn-eval.c function in the Linux kernel. An attacker could corrupt the memory due to a flaw in use-after-free access to an LDT entry caused by a race condition between modify_ldt() and a #BR exception for an MPX bounds violation.(CVE-2019-13233) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1186 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6d22916d"); script_set_attribute(attribute:"solution", value: "Update the affected kernel packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Android get_user/put_user Exploit'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2020/03/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bpftool"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu); flag = 0; pkgs = ["bpftool-4.19.36-vhulk1907.1.0.h361.eulerosv2r8", "kernel-4.19.36-vhulk1907.1.0.h361.eulerosv2r8", "kernel-devel-4.19.36-vhulk1907.1.0.h361.eulerosv2r8", "kernel-headers-4.19.36-vhulk1907.1.0.h361.eulerosv2r8", "kernel-source-4.19.36-vhulk1907.1.0.h361.eulerosv2r8", "kernel-tools-4.19.36-vhulk1907.1.0.h361.eulerosv2r8", "kernel-tools-libs-4.19.36-vhulk1907.1.0.h361.eulerosv2r8", "perf-4.19.36-vhulk1907.1.0.h361.eulerosv2r8", "python-perf-4.19.36-vhulk1907.1.0.h361.eulerosv2r8", "python3-perf-4.19.36-vhulk1907.1.0.h361.eulerosv2r8"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1269.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - In the tun subsystem in the Linux kernel before 4.13.14, dev_get_valid_name is not called before register_netdevice. This allows local users to cause a denial of service (NULL pointer dereference and panic) via an ioctl(TUNSETIFF) call with a dev name containing a / character. This is similar to CVE-2013-4343.(CVE-2018-7191) - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.(CVE-2019-19062) - An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel before 5.0.11. There is a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact, aka CID-19fad20d15a6.(CVE-2019-18805) - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a.(CVE-2019-16994) - An issue was discovered in the Linux kernel before 5.0.6. There is a memory leak issue when idr_alloc() fails in genl_register_family() in net/netlink/genetlink.c.(CVE-2019-15921) - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service.(CVE-2019-15807) - An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.(CVE-2019-15538) - An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel last seen 2020-03-26 modified 2020-03-20 plugin id 134735 published 2020-03-20 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134735 title EulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-1269) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2984-1.NASL description The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685). CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described last seen 2020-06-01 modified 2020-06-02 plugin id 131120 published 2019-11-18 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131120 title SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2984-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-5508.NASL description Description of changes: [4.1.12-124.35.1.el7uek] - ixgbe: protect TX timestamping from API misuse (Manjunath Patil) [Orabug: 30275491] - block: init flush rq ref count to 1 (Josef Bacik) [Orabug: 30360559] - block: fix NULL pointer dereference in blk_mq_rq_timed_out() (Yufen Yu) [Orabug: 30360559] - blk-mq: Remove generation seqeunce (Keith Busch) [Orabug: 30360559] - scsi: libsas: delete sas port if expander discover failed (Jason Yan) [Orabug: 30580687] {CVE-2019-15807} - scsi: qla2xxx: fix a potential NULL pointer dereference (Allen Pais) [Orabug: 30618784] {CVE-2019-16233} - printk: Default console logging level should be set to 4 (Boris Ostrovsky) [Orabug: 30657070] [4.1.12-124.34.2.el7uek] - scsi: lpfc: Remove lpfc_enable_pbde as module parameter (James Smart) [Orabug: 30569875] - scsi: lpfc: Make PBDE optimizations configurable (James Smart) [Orabug: 30569875] - scsi: lpfc: Update driver version to 11.4.0.8 and Copyright updates (Ketan Mukadam) [Orabug: 30569875] - scsi: lpfc: Fix ELS abort on SLI-3 adapters (James Smart) [Orabug: 30569875] - scsi: lpfc: Correct race with abort on completion path (James Smart) [Orabug: 30569875] - scsi: lpfc: update manufacturer attribute to reflect Broadcom (James Smart) [Orabug: 30569875] [Orabug: 29212758] - scsi: lpfc: Enable Management features for IF_TYPE=6 (James Smart) [Orabug: 30569875] [Orabug: 29212758] - scsi: lpfc: Correct topology type reporting on G7 adapters (James Smart) [Orabug: 30569875] [Orabug: 29212758] - scsi: lpfc: Correct invalid EQ doorbell write on if_type=6 (James Smart) [Orabug: 30569875] - scsi: lpfc: Fix driver not setting dpp bits correctly in doorbell word (James Smart) [Orabug: 30569875] - scsi: lpfc: Enhance log messages when reporting CQE errors (James Smart) [Orabug: 30569875] - scsi: lpfc: Fix frequency of Release WQE CQEs (James Smart) [Orabug: 30569875] - scsi: lpfc: Code cleanup for 128byte wqe data type (James Smart) [Orabug: 30569875] - scsi: lpfc: use __raw_writeX on DPP copies (James Smart) [Orabug: 30569875] - scsi: lpfc: Add embedded data pointers for enhanced performance (James Smart) [Orabug: 30569875] - scsi: lpfc: Enable fw download on if_type=6 devices (James Smart) [Orabug: 30569875] - scsi: lpfc: Add if_type=6 support for cycling valid bits (James Smart) [Orabug: 30569875] - scsi: lpfc: Add 64G link speed support (James Smart) [Orabug: 30569875] - scsi: lpfc: Add PCI Ids for if_type=6 hardware (James Smart) [Orabug: 30569875] - scsi: lpfc: Add push-to-adapter support to sli4 (James Smart) [Orabug: 30569875] - scsi: lpfc: Add SLI-4 if_type=6 support to the code base (James Smart) [Orabug: 30569875] - scsi: lpfc: Rework sli4 doorbell infrastructure (James Smart) [Orabug: 30569875] - scsi: lpfc: Rework lpfc to allow different sli4 cq and eq handlers (James Smart) [Orabug: 30569875] - x86/bugs: use check_bugs instead of microcode_late_select_mitigation (Mihai Carabas) [Orabug: 30332499] - x86/bugs: spec_ctrl_mutex taken in stop_machine context (Mihai Carabas) [Orabug: 30332499] - x86/microcode: moved cpu feature late eval to stop_machine (Mihai Carabas) [Orabug: 30332499] - x86/cpu: Re-apply forced caps every time CPU caps are re-read (Andy Lutomirski) [Orabug: 30332499] - x86/microcode/intel: Check microcode revision before updating sibling threads (Ashok Raj) [Orabug: 30332499] - tracing: Fix possible double free on failure of allocating trace buffer (Steven Rostedt (VMware)) [Orabug: 30633873] {CVE-2017-18595} last seen 2020-06-01 modified 2020-06-02 plugin id 132762 published 2020-01-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132762 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2020-5508) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0266_KERNEL-RT.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities: - The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a last seen 2020-06-01 modified 2020-06-02 plugin id 132499 published 2019-12-31 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132499 title NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0266) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2020-5512.NASL description Description of changes: [2.6.39-400.318.1.el6uek] - x86/speculation: Determine swapgs before alternative instructions are set (Patrick Colp) [Orabug: 30379640] - scsi: libsas: delete sas port if expander discover failed (Jason Yan) [Orabug: 30580689] {CVE-2019-15807} last seen 2020-06-01 modified 2020-06-02 plugin id 132946 published 2020-01-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132946 title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2020-5512) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1919.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. This updated advisory text mentions the additional non-security changes and notes the need to install new binary packages. CVE-2019-0136 It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages. A nearby attacker could use this for denial of service (loss of wifi connectivity). CVE-2019-9506 Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the last seen 2020-04-01 modified 2019-09-16 plugin id 128779 published 2019-09-16 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128779 title Debian DLA-1919-2 : linux-4.9 security update NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0264_KERNEL.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a last seen 2020-06-01 modified 2020-06-02 plugin id 132490 published 2019-12-31 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132490 title NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0264) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2949-1.NASL description The SUSE Linux Enterprise 12-SP3 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685). CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described last seen 2020-06-01 modified 2020-06-02 plugin id 130949 published 2019-11-13 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130949 title SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2949-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2353.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):The yam_ioctl function in drivers et/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call.(CVE-2014-1446)The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.(CVE-2015-1350)A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.(CVE-2015-3332)The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device.(CVE-2015-8816)In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows larger values such as 23.(CVE-2015-9289)The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2184)The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2185)The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2186)The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2187)Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor.(CVE-2016-2384)The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint.(CVE-2016-2782)The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor.(CVE-2016-3138)The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-3139)The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-3140)The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface.(CVE-2016-3689)The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface.(CVE-2016-4569)sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.(CVE-2016-4578)The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.(CVE-2016-4580)The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code.(CVE-2016-7425)The Linux Kernel running on AMD64 systems will sometimes map the contents of PIE executable, the heap or ld.so to where the stack is mapped allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected.(CVE-2017-1000379)In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a buffer overread is observed in nl80211_set_station when user space application sends attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE with data of size less than 4 bytes(CVE-2017-11089)An elevation of privilege vulnerability in the kernel sound timer. Product: Android. Versions: Android kernel. Android ID A-37240993.(CVE-2017-13167)In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-66954097.(CVE-2017-13216)A information disclosure vulnerability in the Upstream kernel encrypted-keys. Product: Android. Versions: Android kernel. Android ID: A-70526974.(CVE-2017-13305)An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access.(CVE-2017-14051)The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.(CVE-2017-18232)An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of the ip6_mroute_* functions. NOTE: this affects Linux distributions that use 4.9.x longterm kernels before 4.9.187.(CVE-2017-18509)An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.(CVE-2017-18551)An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.(CVE-2017-18595)The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.(CVE-2017-7261)The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.(CVE-2017-7472)The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value.(CVE-2018-10087)The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.(CVE-2018-10124)The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.(CVE-2018-10322)The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.(CVE-2018-10323)The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.(CVE-2018-10675)Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service.(CVE-2018-10880)An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls.(CVE-2018-12896)An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.(CVE-2018-17972)An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658.(CVE-2018-18710 )An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers et/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.(CVE-2018-20511)An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.(CVE-2018-20856)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.(CVE-2018-3693)In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.(CVE-2018-6412)In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.(CVE-2018-9518 )Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.(CVE-2019-0136)A vulnerability was found in Linux kernel last seen 2020-05-08 modified 2019-12-10 plugin id 131845 published 2019-12-10 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131845 title EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-2353) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2274.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.(CVE-2017-5754)The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.(CVE-2017-5897)The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.(CVE-2017-7261)The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.(CVE-2017-7472)A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this.(CVE-2017-7518)The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.(CVE-2018-10124)The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.(CVE-2018-10323)The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery.(CVE-2018-1066)The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.(CVE-2018-10675)An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp.(CVE-2018-13094)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.(CVE-2018-3693)In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.(CVE-2018-6412)Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck directory. NOTE: a third party has indicated that this report is not security relevant.(CVE-2018-7995)In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.(CVE-2018-9363)In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.(CVE-2018-9518)A vulnerability was found in Linux kernel last seen 2020-05-08 modified 2019-11-08 plugin id 130736 published 2019-11-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130736 title EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2274) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2019-3_0-0026_LINUX.NASL description An update of the linux package has been released. last seen 2020-06-01 modified 2020-06-02 plugin id 128732 published 2019-09-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128732 title Photon OS 3.0: Linux PHSA-2019-3.0-0026
References
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.1.13
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3b0541791453fbe7f42867e310e0c9eb6295364d
- https://lists.debian.org/debian-lts-announce/2019/09/msg00014.html
- https://lists.debian.org/debian-lts-announce/2019/09/msg00015.html
- https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html
- https://security.netapp.com/advisory/ntap-20191004-0001/
- https://support.f5.com/csp/article/K52136304?utm_source=f5support&%3Butm_medium=RSS