Vulnerabilities > CVE-2019-19377 - Use After Free vulnerability in multiple products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
linux
netapp
CWE-416
nessus

Summary

In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c.

Vulnerable Configurations

Part Description Count
OS
Linux
3507
Application
Netapp
3
Hardware
Netapp
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1592.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the Linux kernel
    last seen2020-06-11
    modified2020-05-26
    plugin id136870
    published2020-05-26
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136870
    titleEulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1592)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136870);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/10");
    
      script_cve_id(
        "CVE-2019-19377",
        "CVE-2019-19462",
        "CVE-2020-10711",
        "CVE-2020-10720",
        "CVE-2020-10942",
        "CVE-2020-11884",
        "CVE-2020-12114",
        "CVE-2020-12464",
        "CVE-2020-12465",
        "CVE-2020-12652",
        "CVE-2020-12653",
        "CVE-2020-12654",
        "CVE-2020-12655",
        "CVE-2020-12656",
        "CVE-2020-12657",
        "CVE-2020-12659",
        "CVE-2020-12769",
        "CVE-2020-12770",
        "CVE-2020-12771",
        "CVE-2020-12826"
      );
    
      script_name(english:"EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1592)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - A flaw was found in the Linux kernel's implementation
        of GRO. This flaw allows an attacker with local access
        to crash the system.(CVE-2020-10720)
    
      - A NULL pointer dereference flaw was found in the Linux
        kernel's SELinux subsystem. This flaw occurs while
        importing the Commercial IP Security Option (CIPSO)
        protocol's category bitmap into the SELinux extensible
        bitmap via the' ebitmap_netlbl_import' routine. While
        processing the CIPSO restricted bitmap tag in the
        'cipso_v4_parsetag_rbm' routine, it sets the security
        attribute to indicate that the category bitmap is
        present, even if it has not been allocated. This issue
        leads to a NULL pointer dereference issue while
        importing the same category bitmap into SELinux. This
        flaw allows a remote network user to crash the system
        kernel, resulting in a denial of
        service.(CVE-2020-10711)
    
      - A signal access-control issue was discovered in the
        Linux kernel before 5.6.5, aka CID-7395ea4e65c2.
        Because exec_id in include/linux/sched.h is only 32
        bits, an integer overflow can interfere with a
        do_notify_parent protection mechanism. A child process
        can send an arbitrary signal to a parent process in a
        different security domain. Exploitation limitations
        include the amount of elapsed time before an integer
        overflow occurs, and the lack of scenarios where
        signals to a parent process present a substantial
        operational threat.(CVE-2020-12826)
    
      - An issue was discovered in the Linux kernel before
        5.4.17. drivers/spi/spi-dw.c allows attackers to cause
        a panic via concurrent calls to dw_spi_irq and
        dw_spi_transfer_one, aka
        CID-19b61392c5a8.(CVE-2020-12769)
    
      - An issue was discovered in the Linux kernel through
        5.6.11. sg_write lacks an sg_remove_request call in a
        certain failure case, aka
        CID-83c6f2390040.(CVE-2020-12770)
    
      - An issue was discovered in the Linux kernel through
        5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c
        has a deadlock if a coalescing operation
        fails.(CVE-2020-12771)
    
      - The __mptctl_ioctl function in
        drivers/message/fusion/mptctl.c in the Linux kernel
        before 5.4.14 allows local users to hold an incorrect
        lock during the ioctl operation and trigger a race
        condition, i.e., a 'double fetch' vulnerability, aka
        CID-28d76df18f0a. NOTE: the vendor states 'The security
        impact of this bug is not as bad as it could have been
        because these operations are all privileged and root
        already has enormous destructive
        power.'(CVE-2020-12652)
    
      - An issue was discovered in xfs_agf_verify in
        fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through
        5.6.10. Attackers may trigger a sync of excessive
        duration via an XFS v5 image with crafted metadata, aka
        CID-d0c7feaf8767.(CVE-2020-12655)
    
      - A pivot_root race condition in fs amespace.c in the
        Linux kernel 4.4.x before 4.4.221, 4.9.x before
        4.9.221, 4.14.x before 4.14.178, 4.19.x before
        4.19.119, and 5.x before 5.3 allows local users to
        cause a denial of service (panic) by corrupting a
        mountpoint reference counter.(CVE-2020-12114)
    
      - An issue was discovered in the Linux kernel before
        5.6.5. There is a use-after-free in block/bfq-iosched.c
        related to bfq_idle_slice_timer_body.(CVE-2020-12657)
    
      - usb_sg_cancel in drivers/usb/core/message.c in the
        Linux kernel before 5.6.8 has a use-after-free because
        a transfer occurs without a reference, aka
        CID-056ad39ee925.(CVE-2020-12464)
    
      - An issue was found in Linux kernel before 5.5.4. The
        mwifiex_cmd_append_vsie_tlv() function in drivers
        et/wireless/marvell/mwifiex/scan.c allows local users
        to gain privileges or cause a denial of service because
        of an incorrect memcpy and buffer overflow, aka
        CID-b70261a288ea.(CVE-2020-12653)
    
      - gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c
        in the rpcsec_gss_krb5 implementation in the Linux
        kernel through 5.6.10 lacks certain domain_release
        calls, leading to a memory leak.(CVE-2020-12656)
    
      - An issue was discovered in the Linux kernel before
        5.6.7. xdp_umem_reg in net/xdp/xdp_umem.c has an
        out-of-bounds write (by a user with the CAP_NET_ADMIN
        capability) because of a lack of headroom
        validation.(CVE-2020-12659)
    
      - An array overflow was discovered in mt76_add_fragment
        in drivers et/wireless/mediatek/mt76/dma.c in the Linux
        kernel before 5.5.10, aka CID-b102f0c522cf. An
        oversized packet with too many rx fragments can corrupt
        memory of adjacent pages.(CVE-2020-12465)
    
      - An issue was found in Linux kernel before 5.5.4.
        mwifiex_ret_wmm_get_status() in drivers
        et/wireless/marvell/mwifiex/wmm.c allows a remote AP to
        trigger a heap-based buffer overflow because of an
        incorrect memcpy, aka CID-3a9b153c5591.(CVE-2020-12654)
    
      - In the Linux kernel through 5.6.7 on the s390 platform,
        code execution may occur because of a race condition,
        as demonstrated by code in enable_sacf_uaccess in
        arch/s390/lib/uaccess.c that fails to protect against a
        concurrent page table upgrade, aka CID-3f777e19d171. A
        crash could also occur.(CVE-2020-11884)
    
      - relay_open in kernel/relay.c in the Linux kernel
        through 5.4.1 allows local users to cause a denial of
        service (such as relay blockage) by triggering a NULL
        alloc_percpu result.(CVE-2019-19462)
    
      - In the Linux kernel 5.0.21, mounting a crafted btrfs
        filesystem image, performing some operations, and
        unmounting can lead to a use-after-free in
        btrfs_queue_work in
        fs/btrfs/async-thread.c.(CVE-2019-19377)
    
      - In the Linux kernel before 5.5.8, get_raw_socket in
        drivers/vhost et.c lacks validation of an sk_family
        field, which might allow attackers to trigger kernel
        stack corruption via crafted system
        calls.(CVE-2020-10942)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1592
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?966bca8a");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-12659");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/05/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/26");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["bpftool-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "kernel-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "kernel-devel-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "kernel-headers-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "kernel-source-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "kernel-tools-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "perf-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "python-perf-4.19.36-vhulk1907.1.0.h748.eulerosv2r8",
            "python3-perf-4.19.36-vhulk1907.1.0.h748.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-5714.NASL
    descriptionDescription of changes: [5.4.17-2011.3.2.1.el8uek] - x86/speculation: Add Ivy Bridge to affected list (Josh Poimboeuf) [Orabug: 31352779] {CVE-2020-0543} - x86/speculation: Add SRBDS vulnerability and mitigation documentation (Mark Gross) [Orabug: 31352779] {CVE-2020-0543} - x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation (Mark Gross) [Orabug: 31352779] {CVE-2020-0543} - x86/cpu: Add
    last seen2020-06-13
    modified2020-06-10
    plugin id137290
    published2020-06-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137290
    titleOracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2020-5714)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2020-5714.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(137290);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
    
      script_cve_id("CVE-2019-19377", "CVE-2020-0543", "CVE-2020-12464", "CVE-2020-12465", "CVE-2020-12653", "CVE-2020-12654", "CVE-2020-12657", "CVE-2020-12659", "CVE-2020-12768");
    
      script_name(english:"Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2020-5714)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Description of changes:
    
    [5.4.17-2011.3.2.1.el8uek]
    - x86/speculation: Add Ivy Bridge to affected list (Josh Poimboeuf)  [Orabug: 31352779]  {CVE-2020-0543}
    - x86/speculation: Add SRBDS vulnerability and mitigation documentation (Mark Gross)  [Orabug: 31352779]  {CVE-2020-0543}
    - x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation (Mark Gross)  [Orabug: 31352779]  {CVE-2020-0543}
    - x86/cpu: Add 'table' argument to cpu_matches() (Mark Gross)  [Orabug: 31352779]  {CVE-2020-0543}
    - x86/cpu: Add a steppings field to struct x86_cpu_id (Mark Gross)  [Orabug: 31352779]  {CVE-2020-0543}
    - x86/speculation/spectre_v2: Exclude Zhaoxin CPUs from SPECTRE_V2 (Tony W Wang-oc)  [Orabug: 31352779]  {CVE-2020-0543}
    
    [5.4.17-2011.3.2.el8uek]
    - USB: core: Fix free-while-in-use bug in the USB S-Glibrary (Alan Stern)  [Orabug: 31350962]  {CVE-2020-12464}
    - mt76: fix array overflow on receiving too many fragments for a packet (Felix Fietkau)  [Orabug: 31350952]  {CVE-2020-12465}
    - mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() (Qing Xu)  [Orabug: 31350929]  {CVE-2020-12653}
    - block, bfq: fix use-after-free in bfq_idle_slice_timer_body (Zhiqiang Liu)  [Orabug: 31350910]  {CVE-2020-12657}
    - xsk: Add missing check on user-supplied headroom size (Magnus Karlsson)  [Orabug: 31350732]  {CVE-2020-12659}
    - mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() (Qing Xu)  [Orabug: 31350513]  {CVE-2020-12654}
    - xen/manage: enable C_A_D to force reboot (Dongli Zhang)  [Orabug: 31387411]
    - KVM: x86: Fixes posted interrupt check for IRQs delivery modes (Suravee Suthikulpanit)  [Orabug: 31316437]
    - Revert 'Revert 'nvme_fc: add module to ops template to allow module references'' (James Smart)  [Orabug: 31377552]
    - uek-rpm: Move grub boot menu update to posttrans stage. (Somasundaram Krishnasamy)  [Orabug: 31358097]
    - KVM: SVM: Fix potential memory leak in svm_cpu_init() (Miaohe Lin)  [Orabug: 31350455]  {CVE-2020-12768}
    
    [5.4.17-2011.3.1.el8uek]
    - intel_idle: Use ACPI _CST for processor models without C-state tables (Rafael J. Wysocki)  [Orabug: 31332120]
    - ACPI: processor: Export acpi_processor_evaluate_cst() (Rafael J. Wysocki)  [Orabug: 31332120]
    - ACPI: processor: Clean up acpi_processor_evaluate_cst() (Rafael J. Wysocki)  [Orabug: 31332120]
    - ACPI: processor: Introduce acpi_processor_evaluate_cst() (Rafael J. Wysocki)  [Orabug: 31332120]
    - ACPI: processor: Export function to claim _CST control (Rafael J. Wysocki)  [Orabug: 31332120]
    - rds: ib: Fix dysfunctional long address resolve timeout (H&aring kon Bugge)  [Orabug: 31302704]
    - KVM: x86: Revert 'KVM: X86: Fix fpu state crash in kvm guest' (Sean Christopherson)  [Orabug: 31333676]
    - KVM: x86: Ensure guest's FPU state is loaded when accessing for emulation (Sean Christopherson)  [Orabug: 31333676]
    - KVM: x86: Handle TIF_NEED_FPU_LOAD in kvm_{load,put}_guest_fpu() (Sean Christopherson)  [Orabug: 31333676]
    - net: dsa: Do not leave DSA master with NULL netdev_ops (Florian Fainelli)  [Orabug: 30456791]
    - Revert 'dsa: disable module unloading for ARM64' (Allen Pais)  [Orabug: 30456791]
    
    [5.4.17-2011.3.0.el8uek]
    - NFSv4.0: nfs4_do_fsinfo() should not do implicit lease renewals (Robert Milkowski)  [Orabug: 31304406]
    - NFSv4: try lease recovery on NFS4ERR_EXPIRED (Robert Milkowski)  [Orabug: 31304406]
    - btrfs: Don't submit any btree write bio if the fs has errors (Qu Wenruo)  [Orabug: 31265336]  {CVE-2019-19377} {CVE-2019-19377}"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2020-June/010019.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2020-June/010021.html"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-12659");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:8");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/06/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(7|8)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7 / 8", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2019-19377", "CVE-2020-0543", "CVE-2020-12464", "CVE-2020-12465", "CVE-2020-12653", "CVE-2020-12654", "CVE-2020-12657", "CVE-2020-12659", "CVE-2020-12768");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2020-5714");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "5.4";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-5.4.17") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-5.4.17-2011.3.2.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-5.4.17") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-5.4.17-2011.3.2.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-5.4.17") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-5.4.17-2011.3.2.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-5.4.17") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-5.4.17-2011.3.2.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-5.4.17") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-5.4.17-2011.3.2.1.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-tools-5.4.17") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-tools-5.4.17-2011.3.2.1.el7uek")) flag++;
    
    if (rpm_exists(release:"EL8", rpm:"kernel-uek-5.4.17") && rpm_check(release:"EL8", cpu:"x86_64", reference:"kernel-uek-5.4.17-2011.3.2.1.el8uek")) flag++;
    if (rpm_exists(release:"EL8", rpm:"kernel-uek-debug-5.4.17") && rpm_check(release:"EL8", cpu:"x86_64", reference:"kernel-uek-debug-5.4.17-2011.3.2.1.el8uek")) flag++;
    if (rpm_exists(release:"EL8", rpm:"kernel-uek-debug-devel-5.4.17") && rpm_check(release:"EL8", cpu:"x86_64", reference:"kernel-uek-debug-devel-5.4.17-2011.3.2.1.el8uek")) flag++;
    if (rpm_exists(release:"EL8", rpm:"kernel-uek-devel-5.4.17") && rpm_check(release:"EL8", cpu:"x86_64", reference:"kernel-uek-devel-5.4.17-2011.3.2.1.el8uek")) flag++;
    if (rpm_exists(release:"EL8", rpm:"kernel-uek-doc-5.4.17") && rpm_check(release:"EL8", cpu:"x86_64", reference:"kernel-uek-doc-5.4.17-2011.3.2.1.el8uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1606.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, performing some operations, and unmounting can lead to a use-after-free in btrfs_queue_work in fs/btrfs/async-thread.c.(CVE-2019-19377) - The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.(CVE-2019-14898) - A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4.x before 4.4.221, 4.9.x before 4.9.221, 4.14.x before 4.14.178, 4.19.x before 4.19.119, and 5.x before 5.3 allows local users to cause a denial of service (panic) by corrupting a mountpoint reference counter.(CVE-2020-12114) - usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925.(CVE-2020-12464) - The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the Linux kernel before 5.4.14 allows local users to hold an incorrect lock during the ioctl operation and trigger a race condition, i.e., a
    last seen2020-06-06
    modified2020-06-02
    plugin id137024
    published2020-06-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137024
    titleEulerOS 2.0 SP5 : kernel (EulerOS-SA-2020-1606)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4367-1.NASL
    descriptionIt was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377) It was discovered that the linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565) It was discovered that the block layer in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-12657). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-31
    modified2020-05-20
    plugin id136732
    published2020-05-20
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136732
    titleUbuntu 20.04 : linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv (USN-4367-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4367-2.NASL
    descriptionUSN-4367-1 fixed vulnerabilities in the 5.4 Linux kernel. Unfortunately, that update introduced a regression in overlayfs. This update corrects the problem. We apologize for the inconvenience. Original advisory details : It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377) It was discovered that the linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565) It was discovered that the block layer in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-12657). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-06
    modified2020-05-29
    plugin id136965
    published2020-05-29
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136965
    titleUbuntu 20.04 : linux regression (USN-4367-2)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4369-2.NASL
    descriptionUSN-4369-1 fixed vulnerabilities in the 5.3 Linux kernel. Unfortunately, that update introduced a regression in overlayfs. This update corrects the problem. We apologize for the inconvenience. Original advisory details : It was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377) Tristan Madani discovered that the file locking implementation in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service or expose sensitive information. (CVE-2019-19769) It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494) It was discovered that the linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565) It was discovered that the OV51x USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11608) It was discovered that the STV06XX USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11609) It was discovered that the Xirlink C-It USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11668) It was discovered that the block layer in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-12657). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-06
    modified2020-05-29
    plugin id136966
    published2020-05-29
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136966
    titleUbuntu 18.04 LTS / 19.10 : linux, linux-raspi2, linux-raspi2-5.3 regression (USN-4369-2)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4369-1.NASL
    descriptionIt was discovered that the btrfs implementation in the Linux kernel did not properly detect that a block was marked dirty in some situations. An attacker could use this to specially craft a file system image that, when unmounted, could cause a denial of service (system crash). (CVE-2019-19377) Tristan Madani discovered that the file locking implementation in the Linux kernel contained a race condition. A local attacker could possibly use this to cause a denial of service or expose sensitive information. (CVE-2019-19769) It was discovered that the Serial CAN interface driver in the Linux kernel did not properly initialize data. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2020-11494) It was discovered that the linux kernel did not properly validate certain mount options to the tmpfs virtual memory file system. A local attacker with the ability to specify mount options could use this to cause a denial of service (system crash). (CVE-2020-11565) It was discovered that the OV51x USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11608) It was discovered that the STV06XX USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11609) It was discovered that the Xirlink C-It USB Camera device driver in the Linux kernel did not properly validate device metadata. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2020-11668) It was discovered that the block layer in the Linux kernel contained a race condition leading to a use-after-free vulnerability. A local attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2020-12657). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-31
    modified2020-05-21
    plugin id136759
    published2020-05-21
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136759
    titleUbuntu 18.04 LTS / 19.10 : linux, linux-aws, linux-aws-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3, (USN-4369-1)