Vulnerabilities > CVE-2019-19807 - Use After Free vulnerability in multiple products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
linux
canonical
CWE-416
nessus

Summary

In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1368.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447) - A flaw was found in the way KVM hypervisor handled instruction emulation for the L2 guest when nested(=1) virtualization is enabled. In the instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to potentially access information of the L1 hypervisor.(CVE-2020-2732) - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring.(CVE-2019-19807) - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).(CVE-2019-19768) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-07
    modified2020-04-02
    plugin id135155
    published2020-04-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135155
    titleEulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2020-1368)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135155);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/06");
    
      script_cve_id(
        "CVE-2019-19447",
        "CVE-2019-19768",
        "CVE-2019-19807",
        "CVE-2020-2732"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2020-1368)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - In the Linux kernel 5.0.21, mounting a crafted ext4
        filesystem image, performing some operations, and
        unmounting can lead to a use-after-free in
        ext4_put_super in fs/ext4/super.c, related to
        dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447)
    
      - A flaw was found in the way KVM hypervisor handled
        instruction emulation for the L2 guest when nested(=1)
        virtualization is enabled. In the instruction
        emulation, the L2 guest could trick the L0 hypervisor
        into accessing sensitive bits of the L1 hypervisor. An
        L2 guest could use this flaw to potentially access
        information of the L1 hypervisor.(CVE-2020-2732)
    
      - In the Linux kernel before 5.3.11, sound/core/timer.c
        has a use-after-free caused by erroneous code
        refactoring, aka CID-e7af6307a8a5. This is related to
        snd_timer_open and snd_timer_close_locked. The timeri
        variable was originally intended to be for a newly
        created timer instance, but was used for a different
        purpose after refactoring.(CVE-2019-19807)
    
      - In the Linux kernel 5.4.0-rc2, there is a
        use-after-free (read) in the __blk_add_trace function
        in kernel/trace/blktrace.c (which is used to fill out a
        blk_io_trace structure and place it in a per-cpu
        sub-buffer).(CVE-2019-19768)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1368
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cd76e5b1");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/02");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.6.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.6.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.6.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-devel-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-headers-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-tools-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-tools-libs-devel-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "perf-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "python-perf-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "python3-perf-4.19.36-vhulk1907.1.0.h702.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1292.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447 ) - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).(CVE-2019-19768) - ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size.(CVE-2020-8992) - An issue was discovered in the Linux kernel through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.(CVE-2020-9383) - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring.(CVE-2019-19807) - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources(CVE-2020-2732) - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.(CVE-2020-8648) - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c.(CVE-2020-8649) - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.(CVE-2020-8647) - fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9. One attack vector may be an open system call for a UNIX domain socket, if the socket is being moved to a new parent directory and its old parent directory is being removed.(CVE-2020-8428) - In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out.(CVE-2019-3016) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2020-03-23
    plugin id134784
    published2020-03-23
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134784
    titleEulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1292)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134784);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/01");
    
      script_cve_id(
        "CVE-2019-19447",
        "CVE-2019-19768",
        "CVE-2019-19807",
        "CVE-2019-3016",
        "CVE-2020-2732",
        "CVE-2020-8428",
        "CVE-2020-8647",
        "CVE-2020-8648",
        "CVE-2020-8649",
        "CVE-2020-8992",
        "CVE-2020-9383"
      );
    
      script_name(english:"EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1292)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - In the Linux kernel 5.0.21, mounting a crafted ext4
        filesystem image, performing some operations, and
        unmounting can lead to a use-after-free in
        ext4_put_super in fs/ext4/super.c, related to
        dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447 )
    
      - In the Linux kernel 5.4.0-rc2, there is a
        use-after-free (read) in the __blk_add_trace function
        in kernel/trace/blktrace.c (which is used to fill out a
        blk_io_trace structure and place it in a per-cpu
        sub-buffer).(CVE-2019-19768)
    
      - ext4_protect_reserved_inode in fs/ext4/block_validity.c
        in the Linux kernel through 5.5.3 allows attackers to
        cause a denial of service (soft lockup) via a crafted
        journal size.(CVE-2020-8992)
    
      - An issue was discovered in the Linux kernel through
        5.5.6. set_fdc in drivers/block/floppy.c leads to a
        wait_til_ready out-of-bounds read because the FDC index
        is not checked for errors before assigning it, aka
        CID-2e90ca68b0d2.(CVE-2020-9383)
    
      - In the Linux kernel before 5.3.11, sound/core/timer.c
        has a use-after-free caused by erroneous code
        refactoring, aka CID-e7af6307a8a5. This is related to
        snd_timer_open and snd_timer_close_locked. The timeri
        variable was originally intended to be for a newly
        created timer instance, but was used for a different
        purpose after refactoring.(CVE-2019-19807)
    
      - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor
        to access sensitive L1 resources(CVE-2020-2732)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the n_tty_receive_buf_common
        function in drivers/tty/n_tty.c.(CVE-2020-8648)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vgacon_invert_region
        function in
        drivers/video/console/vgacon.c.(CVE-2020-8649)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vc_do_resize function in
        drivers/tty/vt/vt.c.(CVE-2020-8647)
    
      - fs/namei.c in the Linux kernel before 5.5 has a
        may_create_in_sticky use-after-free, which allows local
        users to cause a denial of service (OOPS) or possibly
        obtain sensitive information from kernel memory, aka
        CID-d0cb50185ae9. One attack vector may be an open
        system call for a UNIX domain socket, if the socket is
        being moved to a new parent directory and its old
        parent directory is being removed.(CVE-2020-8428)
    
      - In a Linux KVM guest that has PV TLB enabled, a process
        in the guest kernel may be able to read memory
        locations from another process in the same guest. This
        problem is limit to the host running linux kernel 4.10
        with a guest running linux kernel 4.16 or later. The
        problem mainly affects AMD processors but Intel CPUs
        cannot be ruled out.(CVE-2019-3016)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1292
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bb4d37a7");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/23");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["bpftool-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-devel-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-headers-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-source-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-tools-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "perf-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "python-perf-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "python3-perf-4.19.36-vhulk1907.1.0.h702.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4227-1.NASL
    descriptionIt was discovered that a heap-based buffer overflow existed in the Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895, CVE-2019-14901) It was discovered that a heap-based buffer overflow existed in the Marvell Libertas WLAN Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14896, CVE-2019-14897) It was discovered that the Fujitsu ES network device driver for the Linux kernel did not properly check for errors in some situations, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service. (CVE-2019-16231) It was discovered that the QLogic Fibre Channel driver in the Linux kernel did not properly check for error, leading to a NULL pointer dereference. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-16233) Anthony Steinhauser discovered that the Linux kernel did not properly perform Spectre_RSB mitigations to all processors for PowerPC architecture systems in some situations. A local attacker could use this to expose sensitive information. (CVE-2019-18660) It was discovered that the Mellanox Technologies Innova driver in the Linux kernel did not properly deallocate memory in certain failure conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19045) It was discovered that Geschwister Schneider USB CAN interface driver in the Linux kernel did not properly deallocate memory in certain failure conditions. A physically proximate attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19052) It was discovered that the AMD Display Engine Driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attack could use this to cause a denial of service (memory exhaustion). (CVE-2019-19083) It was discovered that the driver for memoryless force-feedback input devices in the Linux kernel contained a use-after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2019-19524) It was discovered that the Microchip CAN BUS Analyzer driver in the Linux kernel contained a use-after-free vulnerability on device disconnect. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19529) It was discovered that the PEAK-System Technik USB driver in the Linux kernel did not properly sanitize memory before sending it to the device. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2019-19534) Tristan Madani discovered that the ALSA timer implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19807). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id132691
    published2020-01-07
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132691
    titleUbuntu 16.04 LTS / 18.04 LTS : linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, (USN-4227-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4227-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(132691);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/09");
    
      script_cve_id("CVE-2019-14895", "CVE-2019-14896", "CVE-2019-14897", "CVE-2019-14901", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-18660", "CVE-2019-19045", "CVE-2019-19052", "CVE-2019-19083", "CVE-2019-19524", "CVE-2019-19529", "CVE-2019-19534", "CVE-2019-19807");
      script_xref(name:"USN", value:"4227-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, (USN-4227-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that a heap-based buffer overflow existed in the
    Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate
    attacker could use this to cause a denial of service (system crash) or
    possibly execute arbitrary code. (CVE-2019-14895, CVE-2019-14901)
    
    It was discovered that a heap-based buffer overflow existed in the
    Marvell Libertas WLAN Driver for the Linux kernel. A physically
    proximate attacker could use this to cause a denial of service (system
    crash) or possibly execute arbitrary code. (CVE-2019-14896,
    CVE-2019-14897)
    
    It was discovered that the Fujitsu ES network device driver for the
    Linux kernel did not properly check for errors in some situations,
    leading to a NULL pointer dereference. A local attacker could use this
    to cause a denial of service. (CVE-2019-16231)
    
    It was discovered that the QLogic Fibre Channel driver in the Linux
    kernel did not properly check for error, leading to a NULL pointer
    dereference. A local attacker could possibly use this to cause a
    denial of service (system crash). (CVE-2019-16233)
    
    Anthony Steinhauser discovered that the Linux kernel did not properly
    perform Spectre_RSB mitigations to all processors for PowerPC
    architecture systems in some situations. A local attacker could use
    this to expose sensitive information. (CVE-2019-18660)
    
    It was discovered that the Mellanox Technologies Innova driver in the
    Linux kernel did not properly deallocate memory in certain failure
    conditions. A local attacker could use this to cause a denial of
    service (kernel memory exhaustion). (CVE-2019-19045)
    
    It was discovered that Geschwister Schneider USB CAN interface driver
    in the Linux kernel did not properly deallocate memory in certain
    failure conditions. A physically proximate attacker could use this to
    cause a denial of service (kernel memory exhaustion). (CVE-2019-19052)
    
    It was discovered that the AMD Display Engine Driver in the Linux
    kernel did not properly deallocate memory in certain error conditions.
    A local attack could use this to cause a denial of service (memory
    exhaustion). (CVE-2019-19083)
    
    It was discovered that the driver for memoryless force-feedback input
    devices in the Linux kernel contained a use-after-free vulnerability.
    A physically proximate attacker could possibly use this to cause a
    denial of service (system crash) or execute arbitrary code.
    (CVE-2019-19524)
    
    It was discovered that the Microchip CAN BUS Analyzer driver in the
    Linux kernel contained a use-after-free vulnerability on device
    disconnect. A physically proximate attacker could use this to cause a
    denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2019-19529)
    
    It was discovered that the PEAK-System Technik USB driver in the Linux
    kernel did not properly sanitize memory before sending it to the
    device. A physically proximate attacker could use this to expose
    sensitive information (kernel memory). (CVE-2019-19534)
    
    Tristan Madani discovered that the ALSA timer implementation in the
    Linux kernel contained a use-after-free vulnerability. A local
    attacker could use this to cause a denial of service (system crash) or
    possibly execute arbitrary code. (CVE-2019-19807).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4227-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-hwe");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-lts-18.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure-edge");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-4.15");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle-lts-18.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/07");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2019-14895", "CVE-2019-14896", "CVE-2019-14897", "CVE-2019-14901", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-18660", "CVE-2019-19045", "CVE-2019-19052", "CVE-2019-19083", "CVE-2019-19524", "CVE-2019-19529", "CVE-2019-19534", "CVE-2019-19807");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-4227-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1031-oracle", pkgver:"4.15.0-1031.34~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1052-gcp", pkgver:"4.15.0-1052.56")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1057-aws", pkgver:"4.15.0-1057.59~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1066-azure", pkgver:"4.15.0-1066.71")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-74-generic", pkgver:"4.15.0-74.83~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-74-generic-lpae", pkgver:"4.15.0-74.83~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-74-lowlatency", pkgver:"4.15.0-74.83~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-aws-hwe", pkgver:"4.15.0.1057.57")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-azure", pkgver:"4.15.0.1066.69")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-azure-edge", pkgver:"4.15.0.1066.69")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gcp", pkgver:"4.15.0.1052.66")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-hwe-16.04", pkgver:"4.15.0.74.94")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-lpae-hwe-16.04", pkgver:"4.15.0.74.94")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gke", pkgver:"4.15.0.1052.66")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-lowlatency-hwe-16.04", pkgver:"4.15.0.74.94")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-oem", pkgver:"4.15.0.74.94")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-oracle", pkgver:"4.15.0.1031.24")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-virtual-hwe-16.04", pkgver:"4.15.0.74.94")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1031-oracle", pkgver:"4.15.0-1031.34")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1050-gke", pkgver:"4.15.0-1050.53")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1052-kvm", pkgver:"4.15.0-1052.52")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1053-raspi2", pkgver:"4.15.0-1053.57")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1057-aws", pkgver:"4.15.0-1057.59")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1066-oem", pkgver:"4.15.0-1066.76")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1070-snapdragon", pkgver:"4.15.0-1070.77")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-74-generic", pkgver:"4.15.0-74.84")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-74-generic-lpae", pkgver:"4.15.0-74.84")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-74-lowlatency", pkgver:"4.15.0-74.84")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-aws", pkgver:"4.15.0.1057.58")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-aws-lts-18.04", pkgver:"4.15.0.1057.58")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic", pkgver:"4.15.0.74.76")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic-lpae", pkgver:"4.15.0.74.76")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gke", pkgver:"4.15.0.1050.53")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gke-4.15", pkgver:"4.15.0.1050.53")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-kvm", pkgver:"4.15.0.1052.52")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-lowlatency", pkgver:"4.15.0.74.76")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oem", pkgver:"4.15.0.1066.70")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oracle", pkgver:"4.15.0.1031.36")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oracle-lts-18.04", pkgver:"4.15.0.1031.36")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-raspi2", pkgver:"4.15.0.1053.51")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-snapdragon", pkgver:"4.15.0.1070.73")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-virtual", pkgver:"4.15.0.74.76")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.15-aws / linux-image-4.15-azure / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1536.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0.(CVE-2019-19536) - In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042.(CVE-2019-19535) - vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a.(CVE-2019-19252) - In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.(CVE-2019-19227) - A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.(CVE-2019-19060) - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29.(CVE-2019-19534) - In the Linux kernel before 5.3.11, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41.(CVE-2019-19529) - In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098.(CVE-2019-19526) - In the Linux kernel before 5.3.6, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035.(CVE-2019-19525) - In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.(CVE-2019-19532) - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.(CVE-2019-19527) - ** DISPUTED ** The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported.(CVE-2019-11191) - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.(CVE-2019-19524) - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16232) - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16231) - ** DISPUTED ** drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: The security community disputes this issues as not being serious enough to be deserving a CVE id.(CVE-2019-16229) - Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.(CVE-2019-10220) - A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.(CVE-2019-14901) - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163.(CVE-2019-19767) - A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.(CVE-2019-14895) - Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a Transaction Asynchronous Abort (TAA) h/w issue in KVM. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.(CVE-2019-19338) - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.(CVE-2019-11135) - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel
    last seen2020-05-08
    modified2020-05-01
    plugin id136239
    published2020-05-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136239
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1536)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136239);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2019-10220",
        "CVE-2019-11135",
        "CVE-2019-11191",
        "CVE-2019-14895",
        "CVE-2019-14896",
        "CVE-2019-14897",
        "CVE-2019-14901",
        "CVE-2019-16229",
        "CVE-2019-16231",
        "CVE-2019-16232",
        "CVE-2019-19036",
        "CVE-2019-19037",
        "CVE-2019-19039",
        "CVE-2019-19060",
        "CVE-2019-19227",
        "CVE-2019-19252",
        "CVE-2019-19332",
        "CVE-2019-19338",
        "CVE-2019-19447",
        "CVE-2019-19524",
        "CVE-2019-19525",
        "CVE-2019-19526",
        "CVE-2019-19527",
        "CVE-2019-19529",
        "CVE-2019-19532",
        "CVE-2019-19534",
        "CVE-2019-19535",
        "CVE-2019-19536",
        "CVE-2019-19767",
        "CVE-2019-19768",
        "CVE-2019-19770",
        "CVE-2019-19807",
        "CVE-2019-19815",
        "CVE-2019-19922",
        "CVE-2019-19947",
        "CVE-2019-20095",
        "CVE-2019-20096",
        "CVE-2019-20636",
        "CVE-2019-3016",
        "CVE-2019-5108",
        "CVE-2020-0067",
        "CVE-2020-11494",
        "CVE-2020-11565",
        "CVE-2020-11608",
        "CVE-2020-11609",
        "CVE-2020-11668",
        "CVE-2020-11669",
        "CVE-2020-1749",
        "CVE-2020-2732",
        "CVE-2020-8428",
        "CVE-2020-8647",
        "CVE-2020-8648",
        "CVE-2020-8649",
        "CVE-2020-9383"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1536)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - In the Linux kernel before 5.2.9, there is an info-leak
        bug that can be caused by a malicious USB device in the
        drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka
        CID-ead16e53c2f0.(CVE-2019-19536)
    
      - In the Linux kernel before 5.2.9, there is an info-leak
        bug that can be caused by a malicious USB device in the
        drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka
        CID-30a8beeb3042.(CVE-2019-19535)
    
      - vcs_write in drivers/tty/vt/vc_screen.c in the Linux
        kernel through 5.3.13 does not prevent write access to
        vcsu devices, aka CID-0c9acb1af77a.(CVE-2019-19252)
    
      - In the AppleTalk subsystem in the Linux kernel before
        5.1, there is a potential NULL pointer dereference
        because register_snap_client may return NULL. This will
        lead to denial of service in net/appletalk/aarp.c and
        net/appletalk/ddp.c, as demonstrated by
        unregister_snap_client, aka
        CID-9804501fa122.(CVE-2019-19227)
    
      - A memory leak in the adis_update_scan_mode() function
        in drivers/iio/imu/adis_buffer.c in the Linux kernel
        before 5.3.9 allows attackers to cause a denial of
        service (memory consumption), aka
        CID-ab612b1daf41.(CVE-2019-19060)
    
      - In the Linux kernel before 5.3.11, there is an
        info-leak bug that can be caused by a malicious USB
        device in the
        drivers/net/can/usb/peak_usb/pcan_usb_core.c driver,
        aka CID-f7a1337f0d29.(CVE-2019-19534)
    
      - In the Linux kernel before 5.3.11, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/net/can/usb/mcba_usb.c
        driver, aka CID-4d6636498c41.(CVE-2019-19529)
    
      - In the Linux kernel before 5.3.9, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/nfc/pn533/usb.c driver, aka
        CID-6af3aa57a098.(CVE-2019-19526)
    
      - In the Linux kernel before 5.3.6, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/net/ieee802154/atusb.c
        driver, aka CID-7fd25e6fc035.(CVE-2019-19525)
    
      - In the Linux kernel before 5.3.9, there are multiple
        out-of-bounds write bugs that can be caused by a
        malicious USB device in the Linux kernel HID drivers,
        aka CID-d9d4b1e46d95. This affects
        drivers/hid/hid-axff.c, drivers/hid/hid-dr.c,
        drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c,
        drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c,
        drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c,
        drivers/hid/hid-lgff.c,
        drivers/hid/hid-logitech-hidpp.c,
        drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,
        drivers/hid/hid-tmff.c, and
        drivers/hid/hid-zpff.c.(CVE-2019-19532)
    
      - In the Linux kernel before 5.2.10, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/hid/usbhid/hiddev.c driver,
        aka CID-9c09b214f30e.(CVE-2019-19527)
    
      - ** DISPUTED ** The Linux kernel through 5.0.7, when
        CONFIG_IA32_AOUT is enabled and ia32_aout is loaded,
        allows local users to bypass ASLR on setuid a.out
        programs (if any exist) because install_exec_creds() is
        called too late in load_aout_binary() in
        fs/binfmt_aout.c, and thus the ptrace_may_access()
        check has a race condition when reading /proc/pid/stat.
        NOTE: the software maintainer disputes that this is a
        vulnerability because ASLR for a.out format executables
        has never been supported.(CVE-2019-11191)
    
      - In the Linux kernel before 5.3.12, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/input/ff-memless.c driver,
        aka CID-fa3a5a1880c9.(CVE-2019-19524)
    
      - drivers/net/wireless/marvell/libertas/if_sdio.c in the
        Linux kernel 5.2.14 does not check the alloc_workqueue
        return value, leading to a NULL pointer
        dereference.(CVE-2019-16232)
    
      - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14
        does not check the alloc_workqueue return value,
        leading to a NULL pointer dereference.(CVE-2019-16231)
    
      - ** DISPUTED **
        drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux
        kernel 5.2.14 does not check the alloc_workqueue return
        value, leading to a NULL pointer dereference. NOTE: The
        security community disputes this issues as not being
        serious enough to be deserving a CVE
        id.(CVE-2019-16229)
    
      - Linux kernel CIFS implementation, version 4.9.0 is
        vulnerable to a relative paths injection in directory
        entry lists.(CVE-2019-10220)
    
      - A heap overflow flaw was found in the Linux kernel, all
        versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi
        chip driver. The vulnerability allows a remote attacker
        to cause a system crash, resulting in a denial of
        service, or execute arbitrary code. The highest threat
        with this vulnerability is with the availability of the
        system. If code execution occurs, the code will run
        with the permissions of root. This will affect both
        confidentiality and integrity of files on the
        system.(CVE-2019-14901)
    
      - The Linux kernel before 5.4.2 mishandles
        ext4_expand_extra_isize, as demonstrated by
        use-after-free errors in __ext4_expand_extra_isize and
        ext4_xattr_set_entry, related to fs/ext4/inode.c and
        fs/ext4/super.c, aka CID-4ea99936a163.(CVE-2019-19767)
    
      - A heap-based buffer overflow was discovered in the
        Linux kernel, all versions 3.x.x and 4.x.x before
        4.18.0, in Marvell WiFi chip driver. The flaw could
        occur when the station attempts a connection
        negotiation during the handling of the remote devices
        country settings. This could allow the remote device to
        cause a denial of service (system crash) or possibly
        execute arbitrary code.(CVE-2019-14895)
    
      - Linux Kernel could allow a local authenticated attacker
        to obtain sensitive information, caused by a
        Transaction Asynchronous Abort (TAA) h/w issue in KVM.
        By sending a specially-crafted request, an attacker
        could exploit this vulnerability to obtain sensitive
        information, and use this information to launch further
        attacks against the affected system.(CVE-2019-19338)
    
      - TSX Asynchronous Abort condition on some CPUs utilizing
        speculative execution may allow an authenticated user
        to potentially enable information disclosure via a side
        channel with local access.(CVE-2019-11135)
    
      - An out-of-bounds memory write issue was found in the
        Linux Kernel, version 3.13 through 5.4, in the way the
        Linux kernel's KVM hypervisor handled the
        'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID
        features emulated by the KVM hypervisor. A user or
        process able to access the '/dev/kvm' device could use
        this flaw to crash the system, resulting in a denial of
        service.(CVE-2019-19332)
    
      - kernel/sched/fair.c in the Linux kernel before 5.3.9,
        when cpu.cfs_quota_us is used (e.g., with Kubernetes),
        allows attackers to cause a denial of service against
        non-cpu-bound applications by generating a workload
        that triggers unwanted slice expiration, aka
        CID-de53fd7aedb1. (In other words, although this slice
        expiration would typically be seen with benign
        workloads, it is possible that an attacker could
        calculate how many stray requests are required to force
        an entire Kubernetes cluster into a low-performance
        state caused by slice expiration, and ensure that a
        DDoS attack sent that number of stray requests. An
        attack does not affect the stability of the kernel it
        only causes mismanagement of application
        execution.)(CVE-2019-19922)
    
      - A stack-based buffer overflow was found in the Linux
        kernel, version kernel-2.6.32, in Marvell WiFi chip
        driver. An attacker is able to cause a denial of
        service (system crash) or, possibly execute arbitrary
        code, when a STA works in IBSS mode (allows connecting
        stations together without the use of an AP) and
        connects to another STA.(CVE-2019-14897)
    
      - A heap-based buffer overflow vulnerability was found in
        the Linux kernel, version kernel-2.6.32, in Marvell
        WiFi chip driver. A remote attacker could cause a
        denial of service (system crash) or, possibly execute
        arbitrary code, when the lbs_ibss_join_existing
        function is called after a STA connects to an
        AP.(CVE-2019-14896)
    
      - In the Linux kernel through 5.4.6, there are
        information leaks of uninitialized memory to a USB
        device in the
        drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
        driver, aka CID-da2311a6385c.(CVE-2019-19947)
    
      - In the Linux kernel before 5.1, there is a memory leak
        in __feat_register_sp() in net/dccp/feat.c, which may
        cause denial of service, aka
        CID-1d3ff0950e2b.(CVE-2019-20096)
    
      - mwifiex_tm_cmd in
        drivers/net/wireless/marvell/mwifiex/cfg80211.c in the
        Linux kernel before 5.1.6 has some error-handling cases
        that did not free allocated hostcmd memory, aka
        CID-003b686ace82. This will cause a memory leak and
        denial of service.(CVE-2019-20095)
    
      - An exploitable denial-of-service vulnerability exists
        in the Linux kernel prior to mainline 5.3. An attacker
        could exploit this vulnerability by triggering AP to
        send IAPP location updates for stations before the
        required authentication process has completed. This
        could lead to different denial-of-service scenarios,
        either by causing CAM table attacks, or by leading to
        traffic flapping if faking already existing clients in
        other nearby APs of the same wireless infrastructure.
        An attacker can forge Authentication and Association
        Request packets to trigger this
        vulnerability.(CVE-2019-5108)
    
      - In a Linux KVM guest that has PV TLB enabled, a process
        in the guest kernel may be able to read memory
        locations from another process in the same guest. This
        problem is limit to the host running linux kernel 4.10
        with a guest running linux kernel 4.16 or later. The
        problem mainly affects AMD processors but Intel CPUs
        cannot be ruled out.(CVE-2019-3016)
    
      - fs/namei.c in the Linux kernel before 5.5 has a
        may_create_in_sticky use-after-free, which allows local
        users to cause a denial of service (OOPS) or possibly
        obtain sensitive information from kernel memory, aka
        CID-d0cb50185ae9. One attack vector may be an open
        system call for a UNIX domain socket, if the socket is
        being moved to a new parent directory and its old
        parent directory is being removed.(CVE-2020-8428)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the n_tty_receive_buf_common
        function in drivers/tty/n_tty.c.(CVE-2020-8648)
    
      - An issue was discovered in the Linux kernel through
        5.5.6. set_fdc in drivers/block/floppy.c leads to a
        wait_til_ready out-of-bounds read because the FDC index
        is not checked for errors before assigning it, aka
        CID-2e90ca68b0d2.(CVE-2020-9383)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vgacon_invert_region
        function in
        drivers/video/console/vgacon.c.(CVE-2020-8649)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vc_do_resize function in
        drivers/tty/vt/vt.c.(CVE-2020-8647)
    
      - In the Linux kernel 5.0.21, mounting a crafted ext4
        filesystem image, performing some operations, and
        unmounting can lead to a use-after-free in
        ext4_put_super in fs/ext4/super.c, related to
        dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447)
    
      - A flaw was discovered in the way that the KVM
        hypervisor handled instruction emulation for an L2
        guest when nested virtualisation is enabled. Under some
        circumstances, an L2 guest may trick the L0 guest into
        accessing sensitive L1 resources that should be
        inaccessible to the L2 guest.(CVE-2020-2732)
    
      - In the Linux kernel before 5.3.11, sound/core/timer.c
        has a use-after-free caused by erroneous code
        refactoring, aka CID-e7af6307a8a5. This is related to
        snd_timer_open and snd_timer_close_locked. The timeri
        variable was originally intended to be for a newly
        created timer instance, but was used for a different
        purpose after refactoring.(CVE-2019-19807)
    
      - In the Linux kernel 5.4.0-rc2, there is a
        use-after-free (read) in the __blk_add_trace function
        in kernel/trace/blktrace.c (which is used to fill out a
        blk_io_trace structure and place it in a per-cpu
        sub-buffer).(CVE-2019-19768)
    
      - In the Linux kernel 5.0.21, mounting a crafted f2fs
        filesystem image can cause a NULL pointer dereference
        in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This
        is related to F2FS_P_SB in
        fs/f2fs/f2fs.h.(CVE-2019-19815)
    
      - ** DISPUTED ** __btrfs_free_extent in
        fs/btrfs/extent-tree.c in the Linux kernel through
        5.3.12 calls btrfs_print_leaf in a certain ENOENT case,
        which allows local users to obtain potentially
        sensitive information about register values via the
        dmesg program. NOTE: The BTRFS development team
        disputes this issues as not being a vulnerability
        because '1) The kernel provide facilities to restrict
        access to dmesg - dmesg_restrict=1 sysctl option. So
        it's really up to the system administrator to judge
        whether dmesg access shall be disallowed or not. 2)
        WARN/WARN_ON are widely used macros in the linux
        kernel. If this CVE is considered valid this would mean
        there are literally thousands CVE lurking in the kernel
        - something which clearly is not the
        case.'(CVE-2019-19039)
    
      - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel
        through 5.3.12 allows a NULL pointer dereference
        because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be
        zero.(CVE-2019-19037)
    
      - btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel
        through 5.3.12 allows a NULL pointer dereference
        because rcu_dereference(root->node) can be
        zero.(CVE-2019-19036)
    
      - In the Linux kernel 4.19.83, there is a use-after-free
        (read) in the debugfs_remove function in
        fs/debugfs/inode.c (which is used to remove a file or
        directory in debugfs that was previously created with a
        call to another debugfs function such as
        debugfs_create_file).(CVE-2019-19770)
    
      - An issue was discovered in slc_bump in
        drivers/net/can/slcan.c in the Linux kernel through
        5.6.2. It allows attackers to read uninitialized
        can_frame data, potentially containing sensitive
        information from kernel stack memory, if the
        configuration lacks CONFIG_INIT_STACK_ALL, aka
        CID-b9258a2cece4.(CVE-2020-11494)
    
      - An issue was discovered in the Linux kernel through
        5.6.2. mpol_parse_str in mm/mempolicy.c has a
        stack-based out-of-bounds write because an empty
        nodelist is mishandled during mount option parsing, aka
        CID-aa9f7d5172fa.(CVE-2020-11565)
    
      - A flaw was found in the Linux kernel's implementation
        of some networking protocols in IPsec, such as VXLAN
        and GENEVE tunnels over IPv6. When an encrypted tunnel
        is created between two hosts, the kernel isn't
        correctly routing tunneled data over the encrypted link
        rather sending the data unencrypted. This would allow
        anyone in between the two endpoints to read the traffic
        unencrypted. The main threat from this vulnerability is
        to data confidentiality.(CVE-2020-1749)
    
      - An issue was discovered in the stv06xx subsystem in the
        Linux kernel before 5.6.1.
        drivers/media/usb/gspca/stv06xx/stv06xx.c and
        drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
        mishandle invalid descriptors, as demonstrated by a
        NULL pointer dereference, aka
        CID-485b06aadb93.(CVE-2020-11609)
    
      - An issue was discovered in the Linux kernel before
        5.6.1. drivers/media/usb/gspca/ov519.c allows NULL
        pointer dereferences in ov511_mode_init_regs and
        ov518_mode_init_regs when there are zero endpoints, aka
        CID-998912346c0d.(CVE-2020-11608)
    
      - In the Linux kernel before 5.4.12,
        drivers/input/input.c has out-of-bounds writes via a
        crafted keycode table, as demonstrated by
        input_set_keycode, aka
        CID-cb222aed03d7.(CVE-2019-20636)
    
      - In the Linux kernel before 5.6.1,
        drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink
        camera USB driver) mishandles invalid descriptors, aka
        CID-a246b4d54770.(CVE-2020-11668)
    
      - An issue was discovered in the Linux kernel through
        5.6.2. mpol_parse_str in mm/mempolicy.c has a
        stack-based out-of-bounds write because an empty
        nodelist is mishandled during mount option parsing, aka
        CID-aa9f7d5172fa.(CVE-2020-0067)
    
      - An issue was discovered in the Linux kernel before 5.2
        on the powerpc platform.
        arch/powerpc/kernel/idle_book3s.S does not have
        save/restore functionality for PNV_POWERSAVE_AMR,
        PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka
        CID-53a712bae5dd.(CVE-2020-11669)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1536
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a90e7d8e");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/01");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.36-vhulk1907.1.0.h729",
            "kernel-devel-4.19.36-vhulk1907.1.0.h729",
            "kernel-headers-4.19.36-vhulk1907.1.0.h729",
            "kernel-tools-4.19.36-vhulk1907.1.0.h729",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h729",
            "kernel-tools-libs-devel-4.19.36-vhulk1907.1.0.h729",
            "perf-4.19.36-vhulk1907.1.0.h729",
            "python-perf-4.19.36-vhulk1907.1.0.h729"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4225-1.NASL
    descriptionIt was discovered that a heap-based buffer overflow existed in the Marvell WiFi-Ex Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895, CVE-2019-14901) It was discovered that a heap-based buffer overflow existed in the Marvell Libertas WLAN Driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14896, CVE-2019-14897) It was discovered that the Fujitsu ES network device driver for the Linux kernel did not properly check for errors in some situations, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service. (CVE-2019-16231) Anthony Steinhauser discovered that the Linux kernel did not properly perform Spectre_RSB mitigations to all processors for PowerPC architecture systems in some situations. A local attacker could use this to expose sensitive information. (CVE-2019-18660) It was discovered that the Broadcom V3D DRI driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19044) It was discovered that the Mellanox Technologies Innova driver in the Linux kernel did not properly deallocate memory in certain failure conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19045) It was discovered that the Mellanox Technologies ConnectX driver in the Linux kernel did not properly deallocate memory in certain failure conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19047) It was discovered that the Intel WiMAX 2400 driver in the Linux kernel did not properly deallocate memory in certain situations. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19051) It was discovered that Geschwister Schneider USB CAN interface driver in the Linux kernel did not properly deallocate memory in certain failure conditions. A physically proximate attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19052) It was discovered that the netlink-based 802.11 configuration interface in the Linux kernel did not deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19055) It was discovered that the event tracing subsystem of the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19072) It was discovered that the driver for memoryless force-feedback input devices in the Linux kernel contained a use-after-free vulnerability. A physically proximate attacker could possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2019-19524) It was discovered that the Microchip CAN BUS Analyzer driver in the Linux kernel contained a use-after-free vulnerability on device disconnect. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19529) It was discovered that the PEAK-System Technik USB driver in the Linux kernel did not properly sanitize memory before sending it to the device. A physically proximate attacker could use this to expose sensitive information (kernel memory). (CVE-2019-19534) Tristan Madani discovered that the ALSA timer implementation in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-19807) It was discovered that the DesignWare USB3 controller driver in the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could possibly use this to cause a denial of service (memory exhaustion). (CVE-2019-18813). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id132689
    published2020-01-07
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132689
    titleUbuntu 18.04 LTS / 19.10 : linux, linux-aws, linux-azure, linux-azure-5.3, linux-gcp, linux-gcp-5.3, (USN-4225-1)