Vulnerabilities > CVE-2019-2101 - Out-of-bounds Read vulnerability in multiple products

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
local
low complexity
google
debian
canonical
CWE-125
nessus

Summary

In uvc_parse_standard_control of uvc_driver.c, there is a possible out-of-bound read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-111760968.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4118-1.NASL
    descriptionIt was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093) Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13096, CVE-2018-13097, CVE-2018-13098, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14615, CVE-2018-14616) Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14609, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613) Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617) Vasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. (CVE-2018-16862) Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985) Hui Peng and Mathias Payer discovered that the USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169) Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-20856) Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383) It was discovered that the Intel wifi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (wifi disconnect). (CVE-2019-0136) It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126) It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207) Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638) Amit Klein and Benny Pinkas discovered that the location of kernel addresses could exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel. (CVE-2019-10639) Adam Zabrocki discovered that the Intel i915 kernel mode graphics driver in the Linux kernel did not properly restrict mmap() ranges in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11085) It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487) Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2019-11599) It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-11810) It was discovered that a race condition leading to a use-after-free existed in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11815) It was discovered that the ext4 file system implementation in the Linux kernel did not properly zero out memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11833) It was discovered that the Bluetooth Human Interface Device Protocol (HIDP) implementation in the Linux kernel did not properly verify strings were NULL terminated in certain situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11884) It was discovered that a NULL pointer dereference vulnerabilty existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818) It was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819) It was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984) Jann Horn discovered a use-after-free vulnerability in the Linux kernel when accessing LDT entries in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13233) Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272) It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13631) It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14283) It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284) Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-14763) It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090) It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2019-15211) It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212) It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) pro possibly execute arbitrary code. (CVE-2019-15214) It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15220) It was discovered that a use-after-free vulnerability existed in the Appletalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-15292) It was discovered that the Empia EM28xx DVB USB device driver implementation in the Linux kernel contained a use-after-free vulnerability when disconnecting the device. An attacker could use this to cause a denial of service (system crash). (CVE-2019-2024) It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101) It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846) Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system. (CVE-2019-3900) Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physicall proximate attacker could use this to expose sensitive information. (CVE-2019-9506) It was discovered that the Appletalk IP encapsulation driver in the Linux kernel did not properly prevent kernel addresses from being copied to user space. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information. (CVE-2018-20511) It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15216) It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218) It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel
    last seen2020-06-01
    modified2020-06-02
    plugin id128478
    published2019-09-03
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128478
    titleUbuntu 16.04 LTS / 18.04 LTS : linux-aws vulnerabilities (USN-4118-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4118-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128478);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/24 11:30:51");
    
      script_cve_id("CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13098", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14609", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14615", "CVE-2018-14616", "CVE-2018-14617", "CVE-2018-16862", "CVE-2018-19985", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-20784", "CVE-2018-20856", "CVE-2018-5383", "CVE-2019-0136", "CVE-2019-10126", "CVE-2019-10207", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-11085", "CVE-2019-11487", "CVE-2019-11599", "CVE-2019-11810", "CVE-2019-11815", "CVE-2019-11833", "CVE-2019-11884", "CVE-2019-12818", "CVE-2019-12819", "CVE-2019-12984", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-13631", "CVE-2019-14283", "CVE-2019-14284", "CVE-2019-14763", "CVE-2019-15090", "CVE-2019-15211", "CVE-2019-15212", "CVE-2019-15214", "CVE-2019-15215", "CVE-2019-15216", "CVE-2019-15218", "CVE-2019-15220", "CVE-2019-15221", "CVE-2019-15292", "CVE-2019-2024", "CVE-2019-2101", "CVE-2019-3701", "CVE-2019-3819", "CVE-2019-3846", "CVE-2019-3900", "CVE-2019-9506");
      script_xref(name:"USN", value:"4118-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS : linux-aws vulnerabilities (USN-4118-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the alarmtimer implementation in the Linux
    kernel contained an integer overflow vulnerability. A local attacker
    could use this to cause a denial of service. (CVE-2018-13053)
    
    Wen Xu discovered that the XFS filesystem implementation in the Linux
    kernel did not properly track inode validations. An attacker could use
    this to construct a malicious XFS image that, when mounted, could
    cause a denial of service (system crash). (CVE-2018-13093)
    
    Wen Xu discovered that the f2fs file system implementation in the
    Linux kernel did not properly validate metadata. An attacker could use
    this to construct a malicious f2fs image that, when mounted, could
    cause a denial of service (system crash). (CVE-2018-13096,
    CVE-2018-13097, CVE-2018-13098, CVE-2018-13099, CVE-2018-13100,
    CVE-2018-14614, CVE-2018-14615, CVE-2018-14616)
    
    Wen Xu and Po-Ning Tseng discovered that btrfs file system
    implementation in the Linux kernel did not properly validate metadata.
    An attacker could use this to construct a malicious btrfs image that,
    when mounted, could cause a denial of service (system crash).
    (CVE-2018-14609, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612,
    CVE-2018-14613)
    
    Wen Xu discovered that the HFS+ filesystem implementation in the Linux
    kernel did not properly handle malformed catalog data in some
    situations. An attacker could use this to construct a malicious HFS+
    image that, when mounted, could cause a denial of service (system
    crash). (CVE-2018-14617)
    
    Vasily Averin and Pavel Tikhomirov discovered that the cleancache
    subsystem of the Linux kernel did not properly initialize new files in
    some situations. A local attacker could use this to expose sensitive
    information. (CVE-2018-16862)
    
    Hui Peng and Mathias Payer discovered that the Option USB High Speed
    driver in the Linux kernel did not properly validate metadata received
    from the device. A physically proximate attacker could use this to
    cause a denial of service (system crash). (CVE-2018-19985)
    
    Hui Peng and Mathias Payer discovered that the USB subsystem in the
    Linux kernel did not properly handle size checks when handling an
    extra USB descriptor. A physically proximate attacker could use this
    to cause a denial of service (system crash). (CVE-2018-20169)
    
    Zhipeng Xie discovered that an infinite loop could triggered in the
    CFS Linux kernel process scheduler. A local attacker could possibly
    use this to cause a denial of service. (CVE-2018-20784)
    
    It was discovered that a use-after-free error existed in the block
    layer subsystem of the Linux kernel when certain failure conditions
    occurred. A local attacker could possibly use this to cause a denial
    of service (system crash) or possibly execute arbitrary code.
    (CVE-2018-20856)
    
    Eli Biham and Lior Neumann discovered that the Bluetooth
    implementation in the Linux kernel did not properly validate elliptic
    curve parameters during Diffie-Hellman key exchange in some
    situations. An attacker could use this to expose sensitive
    information. (CVE-2018-5383)
    
    It was discovered that the Intel wifi device driver in the Linux
    kernel did not properly validate certain Tunneled Direct Link Setup
    (TDLS). A physically proximate attacker could use this to cause a
    denial of service (wifi disconnect). (CVE-2019-0136)
    
    It was discovered that a heap buffer overflow existed in the Marvell
    Wireless LAN device driver for the Linux kernel. An attacker could use
    this to cause a denial of service (system crash) or possibly execute
    arbitrary code. (CVE-2019-10126)
    
    It was discovered that the Bluetooth UART implementation in the Linux
    kernel did not properly check for missing tty operations. A local
    attacker could use this to cause a denial of service. (CVE-2019-10207)
    
    Amit Klein and Benny Pinkas discovered that the Linux kernel did not
    sufficiently randomize IP ID values generated for connectionless
    networking protocols. A remote attacker could use this to track
    particular Linux devices. (CVE-2019-10638)
    
    Amit Klein and Benny Pinkas discovered that the location of kernel
    addresses could exposed by the implementation of connection-less
    network protocols in the Linux kernel. A remote attacker could
    possibly use this to assist in the exploitation of another
    vulnerability in the Linux kernel. (CVE-2019-10639)
    
    Adam Zabrocki discovered that the Intel i915 kernel mode graphics
    driver in the Linux kernel did not properly restrict mmap() ranges in
    some situations. A local attacker could use this to cause a denial of
    service (system crash) or possibly execute arbitrary code.
    (CVE-2019-11085)
    
    It was discovered that an integer overflow existed in the Linux kernel
    when reference counting pages, leading to potential use-after-free
    issues. A local attacker could use this to cause a denial of service
    (system crash) or possibly execute arbitrary code. (CVE-2019-11487)
    
    Jann Horn discovered that a race condition existed in the Linux kernel
    when performing core dumps. A local attacker could use this to cause a
    denial of service (system crash) or expose sensitive information.
    (CVE-2019-11599)
    
    It was discovered that a NULL pointer dereference vulnerability
    existed in the LSI Logic MegaRAID driver in the Linux kernel. A local
    attacker could use this to cause a denial of service (system crash).
    (CVE-2019-11810)
    
    It was discovered that a race condition leading to a use-after-free
    existed in the Reliable Datagram Sockets (RDS) protocol implementation
    in the Linux kernel. The RDS protocol is blacklisted by default in
    Ubuntu. If enabled, a local attacker could use this to cause a denial
    of service (system crash) or possibly execute arbitrary code.
    (CVE-2019-11815)
    
    It was discovered that the ext4 file system implementation in the
    Linux kernel did not properly zero out memory in some situations. A
    local attacker could use this to expose sensitive information (kernel
    memory). (CVE-2019-11833)
    
    It was discovered that the Bluetooth Human Interface Device Protocol
    (HIDP) implementation in the Linux kernel did not properly verify
    strings were NULL terminated in certain situations. A local attacker
    could use this to expose sensitive information (kernel memory).
    (CVE-2019-11884)
    
    It was discovered that a NULL pointer dereference vulnerabilty existed
    in the Near-field communication (NFC) implementation in the Linux
    kernel. An attacker could use this to cause a denial of service
    (system crash). (CVE-2019-12818)
    
    It was discovered that the MDIO bus devices subsystem in the Linux
    kernel improperly dropped a device reference in an error condition,
    leading to a use-after-free. An attacker could use this to cause a
    denial of service (system crash). (CVE-2019-12819)
    
    It was discovered that a NULL pointer dereference vulnerability
    existed in the Near-field communication (NFC) implementation in the
    Linux kernel. A local attacker could use this to cause a denial of
    service (system crash). (CVE-2019-12984)
    
    Jann Horn discovered a use-after-free vulnerability in the Linux
    kernel when accessing LDT entries in some situations. A local attacker
    could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2019-13233)
    
    Jann Horn discovered that the ptrace implementation in the Linux
    kernel did not properly record credentials in some situations. A local
    attacker could use this to cause a denial of service (system crash) or
    possibly gain administrative privileges. (CVE-2019-13272)
    
    It was discovered that the GTCO tablet input driver in the Linux
    kernel did not properly bounds check the initial HID report sent by
    the device. A physically proximate attacker could use to cause a
    denial of service (system crash) or possibly execute arbitrary code.
    (CVE-2019-13631)
    
    It was discovered that the floppy driver in the Linux kernel did not
    properly validate meta data, leading to a buffer overread. A local
    attacker could use this to cause a denial of service (system crash).
    (CVE-2019-14283)
    
    It was discovered that the floppy driver in the Linux kernel did not
    properly validate ioctl() calls, leading to a division-by-zero. A
    local attacker could use this to cause a denial of service (system
    crash). (CVE-2019-14284)
    
    Tuba Yavuz discovered that a race condition existed in the DesignWare
    USB3 DRD Controller device driver in the Linux kernel. A physically
    proximate attacker could use this to cause a denial of service.
    (CVE-2019-14763)
    
    It was discovered that an out-of-bounds read existed in the QLogic
    QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker
    could possibly use this to expose sensitive information (kernel
    memory). (CVE-2019-15090)
    
    It was discovered that the Raremono AM/FM/SW radio device driver in
    the Linux kernel did not properly allocate memory, leading to a
    use-after-free. A physically proximate attacker could use this to
    cause a denial of service or possibly execute arbitrary code.
    (CVE-2019-15211)
    
    It was discovered at a double-free error existed in the USB Rio 500
    device driver for the Linux kernel. A physically proximate attacker
    could use this to cause a denial of service. (CVE-2019-15212)
    
    It was discovered that a race condition existed in the Advanced Linux
    Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a
    potential use-after-free. A physically proximate attacker could use
    this to cause a denial of service (system crash) pro possibly execute
    arbitrary code. (CVE-2019-15214)
    
    It was discovered that a race condition existed in the CPiA2
    video4linux device driver for the Linux kernel, leading to a
    use-after-free. A physically proximate attacker could use this to
    cause a denial of service (system crash) or possibly execute arbitrary
    code. (CVE-2019-15215)
    
    It was discovered that a race condition existed in the Softmac USB
    Prism54 device driver in the Linux kernel. A physically proximate
    attacker could use this to cause a denial of service (system crash).
    (CVE-2019-15220)
    
    It was discovered that a use-after-free vulnerability existed in the
    Appletalk implementation in the Linux kernel if an error occurs during
    initialization. A local attacker could use this to cause a denial of
    service (system crash). (CVE-2019-15292)
    
    It was discovered that the Empia EM28xx DVB USB device driver
    implementation in the Linux kernel contained a use-after-free
    vulnerability when disconnecting the device. An attacker could use
    this to cause a denial of service (system crash). (CVE-2019-2024)
    
    It was discovered that the USB video device class implementation in
    the Linux kernel did not properly validate control bits, resulting in
    an out of bounds buffer read. A local attacker could use this to
    possibly expose sensitive information (kernel memory). (CVE-2019-2101)
    
    It was discovered that the Marvell Wireless LAN device driver in the
    Linux kernel did not properly validate the BSS descriptor. A local
    attacker could possibly use this to cause a denial of service (system
    crash) or possibly execute arbitrary code. (CVE-2019-3846)
    
    Jason Wang discovered that an infinite loop vulnerability existed in
    the virtio net driver in the Linux kernel. A local attacker in a guest
    VM could possibly use this to cause a denial of service in the host
    system. (CVE-2019-3900)
    
    Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen
    discovered that the Bluetooth protocol BR/EDR specification did not
    properly require sufficiently strong encryption key lengths. A
    physicall proximate attacker could use this to expose sensitive
    information. (CVE-2019-9506)
    
    It was discovered that the Appletalk IP encapsulation driver in the
    Linux kernel did not properly prevent kernel addresses from being
    copied to user space. A local attacker with the CAP_NET_ADMIN
    capability could use this to expose sensitive information.
    (CVE-2018-20511)
    
    It was discovered that a race condition existed in the USB YUREX
    device driver in the Linux kernel. A physically proximate attacker
    could use this to cause a denial of service (system crash).
    (CVE-2019-15216)
    
    It was discovered that the Siano USB MDTV receiver device driver in
    the Linux kernel made improper assumptions about the device
    characteristics. A physically proximate attacker could use this cause
    a denial of service (system crash). (CVE-2019-15218)
    
    It was discovered that the Line 6 POD USB device driver in the Linux
    kernel did not properly validate data size information from the
    device. A physically proximate attacker could use this to cause a
    denial of service (system crash). (CVE-2019-15221)
    
    Muyu Yu discovered that the CAN implementation in the Linux kernel in
    some situations did not properly restrict the field size when
    processing outgoing frames. A local attacker with CAP_NET_ADMIN
    privileges could use this to execute arbitrary code. (CVE-2019-3701)
    
    Vladis Dronov discovered that the debug interface for the Linux
    kernel's HID subsystem did not properly validate passed parameters in
    some situations. A local privileged attacker could use this to cause a
    denial of service (infinite loop). (CVE-2019-3819).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4118-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected linux-image-4.15-aws, linux-image-aws and / or
    linux-image-aws-hwe packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-hwe");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13098", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14609", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14615", "CVE-2018-14616", "CVE-2018-14617", "CVE-2018-16862", "CVE-2018-19985", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-20784", "CVE-2018-20856", "CVE-2018-5383", "CVE-2019-0136", "CVE-2019-10126", "CVE-2019-10207", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-11085", "CVE-2019-11487", "CVE-2019-11599", "CVE-2019-11810", "CVE-2019-11815", "CVE-2019-11833", "CVE-2019-11884", "CVE-2019-12818", "CVE-2019-12819", "CVE-2019-12984", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-13631", "CVE-2019-14283", "CVE-2019-14284", "CVE-2019-14763", "CVE-2019-15090", "CVE-2019-15211", "CVE-2019-15212", "CVE-2019-15214", "CVE-2019-15215", "CVE-2019-15216", "CVE-2019-15218", "CVE-2019-15220", "CVE-2019-15221", "CVE-2019-15292", "CVE-2019-2024", "CVE-2019-2101", "CVE-2019-3701", "CVE-2019-3819", "CVE-2019-3846", "CVE-2019-3900", "CVE-2019-9506");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-4118-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1047-aws", pkgver:"4.15.0-1047.49~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-aws-hwe", pkgver:"4.15.0.1047.47")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1047-aws", pkgver:"4.15.0-1047.49")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-aws", pkgver:"4.15.0.1047.46")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.15-aws / linux-image-aws / linux-image-aws-hwe");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1862.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2019-2101 Andrey Konovalov discovered that the USB Video Class driver (uvcvideo) did not consistently handle a type field in device descriptors, which could result in a heap buffer overflow. This could be used for denial of service or possibly for privilege escalation. CVE-2019-10639 Amit Klein and Benny Pinkas discovered that the generation of IP packet IDs used a weak hash function that incorporated a kernel virtual address. In Linux 3.16 this hash function is not used for IP IDs but is used for other purposes in the network stack. In custom kernel configurations that enable kASLR, this might weaken kASLR. CVE-2019-13272 Jann Horn discovered that the ptrace subsystem in the Linux kernel mishandles the management of the credentials of a process that wants to create a ptrace relationship, allowing a local user to obtain root privileges under certain scenarios. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id126964
    published2019-07-24
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126964
    titleDebian DLA-1862-1 : linux security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1862-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126964);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/24 11:30:51");
    
      script_cve_id("CVE-2019-10639", "CVE-2019-13272", "CVE-2019-2101");
    
      script_name(english:"Debian DLA-1862-1 : linux security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the Linux kernel that
    may lead to a privilege escalation, denial of service or information
    leaks.
    
    CVE-2019-2101
    
    Andrey Konovalov discovered that the USB Video Class driver (uvcvideo)
    did not consistently handle a type field in device descriptors, which
    could result in a heap buffer overflow. This could be used for denial
    of service or possibly for privilege escalation.
    
    CVE-2019-10639
    
    Amit Klein and Benny Pinkas discovered that the generation of IP
    packet IDs used a weak hash function that incorporated a kernel
    virtual address. In Linux 3.16 this hash function is not used for IP
    IDs but is used for other purposes in the network stack. In custom
    kernel configurations that enable kASLR, this might weaken kASLR.
    
    CVE-2019-13272
    
    Jann Horn discovered that the ptrace subsystem in the Linux kernel
    mishandles the management of the credentials of a process that wants
    to create a ptrace relationship, allowing a local user to obtain root
    privileges under certain scenarios.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    3.16.70-1. This update also fixes a regression introduced by the
    original fix for CVE-2019-11478 (#930904), and includes other fixes
    from upstream stable updates.
    
    We recommend that you upgrade your linux and linux-latest packages.
    You will need to use 'apt-get upgrade --with-new-pkgs' or 'apt
    upgrade' as the binary package names have changed.
    
    We recommend that you upgrade your linux packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2019/07/msg00022.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/linux"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.8-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-compiler-gcc-4.9-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-doc-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-586");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-armhf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-all-i386");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-ixp4xx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-kirkwood");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-orion5x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-headers-3.16.0-9-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-586");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-686-pae-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-amd64-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-armmp-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-ixp4xx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-kirkwood");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-orion5x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-image-3.16.0-9-versatile");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-libc-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-manual-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-source-3.16");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux-support-3.16.0-9");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xen-linux-system-3.16.0-9-amd64");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-arm", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.8-x86", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-compiler-gcc-4.9-x86", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-doc-3.16", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-586", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-686-pae", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-amd64", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armel", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-armhf", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-all-i386", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-amd64", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-armmp-lpae", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-common", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-ixp4xx", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-kirkwood", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-orion5x", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-headers-3.16.0-9-versatile", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-586", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-686-pae-dbg", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-amd64-dbg", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-armmp-lpae", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-ixp4xx", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-kirkwood", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-orion5x", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-image-3.16.0-9-versatile", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-libc-dev", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-manual-3.16", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-source-3.16", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"linux-support-3.16.0-9", reference:"3.16.70-1")) flag++;
    if (deb_check(release:"8.0", prefix:"xen-linux-system-3.16.0-9-amd64", reference:"3.16.70-1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4094-1.NASL
    descriptionIt was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093) Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13097, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616, CVE-2018-13096, CVE-2018-13098, CVE-2018-14615) Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613, CVE-2018-14609) Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617) Vasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. (CVE-2018-16862) Hui Peng and Mathias Payer discovered that the USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169) It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-20856) Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383) It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126) Andrei Vlad Lutas and Dan Lutas discovered that some x86 processors incorrectly handle SWAPGS instructions during speculative execution. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-1125) It was discovered that the PowerPC dlpar implementation in the Linux kernel did not properly check for allocation errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-12614) It was discovered that a NULL pointer dereference vulnerabilty existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818) It was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819) It was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984) Jann Horn discovered a use-after-free vulnerability in the Linux kernel when accessing LDT entries in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13233) Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272) It was discovered that the Empia EM28xx DVB USB device driver implementation in the Linux kernel contained a use-after-free vulnerability when disconnecting the device. An attacker could use this to cause a denial of service (system crash). (CVE-2019-2024) It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101) It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846) It was discovered that the Appletalk IP encapsulation driver in the Linux kernel did not properly prevent kernel addresses from being copied to user space. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information. (CVE-2018-20511). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id127889
    published2019-08-14
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127889
    titleUbuntu 16.04 LTS / 18.04 LTS : linux, linux-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, (USN-4094-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4094-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127889);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13098", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14609", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14615", "CVE-2018-14616", "CVE-2018-14617", "CVE-2018-16862", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-20856", "CVE-2018-5383", "CVE-2019-10126", "CVE-2019-1125", "CVE-2019-12614", "CVE-2019-12818", "CVE-2019-12819", "CVE-2019-12984", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-2024", "CVE-2019-2101", "CVE-2019-3846");
      script_xref(name:"USN", value:"4094-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-kvm, (USN-4094-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the alarmtimer implementation in the Linux
    kernel contained an integer overflow vulnerability. A local attacker
    could use this to cause a denial of service. (CVE-2018-13053)
    
    Wen Xu discovered that the XFS filesystem implementation in the Linux
    kernel did not properly track inode validations. An attacker could use
    this to construct a malicious XFS image that, when mounted, could
    cause a denial of service (system crash). (CVE-2018-13093)
    
    Wen Xu discovered that the f2fs file system implementation in the
    Linux kernel did not properly validate metadata. An attacker could use
    this to construct a malicious f2fs image that, when mounted, could
    cause a denial of service (system crash). (CVE-2018-13097,
    CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14616,
    CVE-2018-13096, CVE-2018-13098, CVE-2018-14615)
    
    Wen Xu and Po-Ning Tseng discovered that btrfs file system
    implementation in the Linux kernel did not properly validate metadata.
    An attacker could use this to construct a malicious btrfs image that,
    when mounted, could cause a denial of service (system crash).
    (CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613,
    CVE-2018-14609)
    
    Wen Xu discovered that the HFS+ filesystem implementation in the Linux
    kernel did not properly handle malformed catalog data in some
    situations. An attacker could use this to construct a malicious HFS+
    image that, when mounted, could cause a denial of service (system
    crash). (CVE-2018-14617)
    
    Vasily Averin and Pavel Tikhomirov discovered that the cleancache
    subsystem of the Linux kernel did not properly initialize new files in
    some situations. A local attacker could use this to expose sensitive
    information. (CVE-2018-16862)
    
    Hui Peng and Mathias Payer discovered that the USB subsystem in the
    Linux kernel did not properly handle size checks when handling an
    extra USB descriptor. A physically proximate attacker could use this
    to cause a denial of service (system crash). (CVE-2018-20169)
    
    It was discovered that a use-after-free error existed in the block
    layer subsystem of the Linux kernel when certain failure conditions
    occurred. A local attacker could possibly use this to cause a denial
    of service (system crash) or possibly execute arbitrary code.
    (CVE-2018-20856)
    
    Eli Biham and Lior Neumann discovered that the Bluetooth
    implementation in the Linux kernel did not properly validate elliptic
    curve parameters during Diffie-Hellman key exchange in some
    situations. An attacker could use this to expose sensitive
    information. (CVE-2018-5383)
    
    It was discovered that a heap buffer overflow existed in the Marvell
    Wireless LAN device driver for the Linux kernel. An attacker could use
    this to cause a denial of service (system crash) or possibly execute
    arbitrary code. (CVE-2019-10126)
    
    Andrei Vlad Lutas and Dan Lutas discovered that some x86 processors
    incorrectly handle SWAPGS instructions during speculative execution. A
    local attacker could use this to expose sensitive information (kernel
    memory). (CVE-2019-1125)
    
    It was discovered that the PowerPC dlpar implementation in the Linux
    kernel did not properly check for allocation errors in some
    situations. A local attacker could possibly use this to cause a denial
    of service (system crash). (CVE-2019-12614)
    
    It was discovered that a NULL pointer dereference vulnerabilty existed
    in the Near-field communication (NFC) implementation in the Linux
    kernel. An attacker could use this to cause a denial of service
    (system crash). (CVE-2019-12818)
    
    It was discovered that the MDIO bus devices subsystem in the Linux
    kernel improperly dropped a device reference in an error condition,
    leading to a use-after-free. An attacker could use this to cause a
    denial of service (system crash). (CVE-2019-12819)
    
    It was discovered that a NULL pointer dereference vulnerability
    existed in the Near-field communication (NFC) implementation in the
    Linux kernel. A local attacker could use this to cause a denial of
    service (system crash). (CVE-2019-12984)
    
    Jann Horn discovered a use-after-free vulnerability in the Linux
    kernel when accessing LDT entries in some situations. A local attacker
    could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2019-13233)
    
    Jann Horn discovered that the ptrace implementation in the Linux
    kernel did not properly record credentials in some situations. A local
    attacker could use this to cause a denial of service (system crash) or
    possibly gain administrative privileges. (CVE-2019-13272)
    
    It was discovered that the Empia EM28xx DVB USB device driver
    implementation in the Linux kernel contained a use-after-free
    vulnerability when disconnecting the device. An attacker could use
    this to cause a denial of service (system crash). (CVE-2019-2024)
    
    It was discovered that the USB video device class implementation in
    the Linux kernel did not properly validate control bits, resulting in
    an out of bounds buffer read. A local attacker could use this to
    possibly expose sensitive information (kernel memory). (CVE-2019-2101)
    
    It was discovered that the Marvell Wireless LAN device driver in the
    Linux kernel did not properly validate the BSS descriptor. A local
    attacker could possibly use this to cause a denial of service (system
    crash) or possibly execute arbitrary code. (CVE-2019-3846)
    
    It was discovered that the Appletalk IP encapsulation driver in the
    Linux kernel did not properly prevent kernel addresses from being
    copied to user space. A local attacker with the CAP_NET_ADMIN
    capability could use this to expose sensitive information.
    (CVE-2018-20511).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4094-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3846");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-4.15");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13096", "CVE-2018-13097", "CVE-2018-13098", "CVE-2018-13099", "CVE-2018-13100", "CVE-2018-14609", "CVE-2018-14610", "CVE-2018-14611", "CVE-2018-14612", "CVE-2018-14613", "CVE-2018-14614", "CVE-2018-14615", "CVE-2018-14616", "CVE-2018-14617", "CVE-2018-16862", "CVE-2018-20169", "CVE-2018-20511", "CVE-2018-20856", "CVE-2018-5383", "CVE-2019-10126", "CVE-2019-1125", "CVE-2019-12614", "CVE-2019-12818", "CVE-2019-12819", "CVE-2019-12984", "CVE-2019-13233", "CVE-2019-13272", "CVE-2019-2024", "CVE-2019-2101", "CVE-2019-3846");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-4094-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1021-oracle", pkgver:"4.15.0-1021.23~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1040-gcp", pkgver:"4.15.0-1040.42~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-1055-azure", pkgver:"4.15.0-1055.60")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-58-generic", pkgver:"4.15.0-58.64~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-58-generic-lpae", pkgver:"4.15.0-58.64~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-4.15.0-58-lowlatency", pkgver:"4.15.0-58.64~16.04.1")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-azure", pkgver:"4.15.0.1055.58")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gcp", pkgver:"4.15.0.1040.54")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-hwe-16.04", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-generic-lpae-hwe-16.04", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-gke", pkgver:"4.15.0.1040.54")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-lowlatency-hwe-16.04", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-oem", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-oracle", pkgver:"4.15.0.1021.15")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"linux-image-virtual-hwe-16.04", pkgver:"4.15.0.58.79")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1021-oracle", pkgver:"4.15.0-1021.23")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1040-gcp", pkgver:"4.15.0-1040.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1040-gke", pkgver:"4.15.0-1040.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1042-kvm", pkgver:"4.15.0-1042.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1043-raspi2", pkgver:"4.15.0-1043.46")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1050-oem", pkgver:"4.15.0-1050.57")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-1060-snapdragon", pkgver:"4.15.0-1060.66")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-58-generic", pkgver:"4.15.0-58.64")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-58-generic-lpae", pkgver:"4.15.0-58.64")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.15.0-58-lowlatency", pkgver:"4.15.0-58.64")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gcp", pkgver:"4.15.0.1040.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic", pkgver:"4.15.0.58.60")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic-lpae", pkgver:"4.15.0.58.60")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gke", pkgver:"4.15.0.1040.43")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gke-4.15", pkgver:"4.15.0.1040.43")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-kvm", pkgver:"4.15.0.1042.42")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-lowlatency", pkgver:"4.15.0.58.60")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oem", pkgver:"4.15.0.1050.54")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-oracle", pkgver:"4.15.0.1021.24")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-raspi2", pkgver:"4.15.0.1043.41")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-snapdragon", pkgver:"4.15.0.1060.63")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-virtual", pkgver:"4.15.0.58.60")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.15-azure / linux-image-4.15-gcp / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2353.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):The yam_ioctl function in drivers et/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call.(CVE-2014-1446)The VFS subsystem in the Linux kernel 3.x provides an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allows local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.(CVE-2015-1350)A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.(CVE-2015-3332)The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device.(CVE-2015-8816)In the Linux kernel before 4.1.4, a buffer overflow occurs when checking userspace params in drivers/media/dvb-frontends/cx24116.c. The maximum size for a DiSEqC command is 6, according to the userspace API. However, the code allows larger values such as 23.(CVE-2015-9289)The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2184)The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2185)The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2186)The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2187)Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor.(CVE-2016-2384)The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint.(CVE-2016-2782)The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor.(CVE-2016-3138)The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel before 3.17 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-3139)The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-3140)The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface.(CVE-2016-3689)The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface.(CVE-2016-4569)sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.(CVE-2016-4578)The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.(CVE-2016-4580)The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code.(CVE-2016-7425)The Linux Kernel running on AMD64 systems will sometimes map the contents of PIE executable, the heap or ld.so to where the stack is mapped allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected.(CVE-2017-1000379)In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, a buffer overread is observed in nl80211_set_station when user space application sends attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE with data of size less than 4 bytes(CVE-2017-11089)An elevation of privilege vulnerability in the kernel sound timer. Product: Android. Versions: Android kernel. Android ID A-37240993.(CVE-2017-13167)In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-66954097.(CVE-2017-13216)A information disclosure vulnerability in the Upstream kernel encrypted-keys. Product: Android. Versions: Android kernel. Android ID: A-70526974.(CVE-2017-13305)An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel through 4.12.10 allows local users to cause a denial of service (memory corruption and system crash) by leveraging root access.(CVE-2017-14051)The Serial Attached SCSI (SAS) implementation in the Linux kernel through 4.15.9 mishandles a mutex within libsas, which allows local users to cause a denial of service (deadlock) by triggering certain error-handling code.(CVE-2017-18232)An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before 4.11. By setting a specific socket option, an attacker can control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. This occurs because sk_type and protocol are not checked in the appropriate part of the ip6_mroute_* functions. NOTE: this affects Linux distributions that use 4.9.x longterm kernels before 4.9.187.(CVE-2017-18509)An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.(CVE-2017-18551)An issue was discovered in the Linux kernel before 4.14.11. A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c.(CVE-2017-18595)The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.(CVE-2017-7261)The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.(CVE-2017-7472)The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value.(CVE-2018-10087)The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.(CVE-2018-10124)The xfs_dinode_verify function in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_ilock_attr_map_shared invalid pointer dereference) via a crafted xfs image.(CVE-2018-10322)The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.(CVE-2018-10323)The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.(CVE-2018-10675)Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service.(CVE-2018-10880)An issue was discovered in the Linux kernel through 4.17.3. An Integer Overflow in kernel/time/posix-timers.c in the POSIX timer code is caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically makes the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. For example, a local user can cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls.(CVE-2018-12896)An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents.(CVE-2018-17972)An issue was discovered in the Linux kernel through 4.19. An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658.(CVE-2018-18710 )An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers et/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.(CVE-2018-20511)An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled.(CVE-2018-20856)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.(CVE-2018-3693)In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.(CVE-2018-6412)In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.(CVE-2018-9518 )Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.(CVE-2019-0136)A vulnerability was found in Linux kernel
    last seen2020-05-08
    modified2019-12-10
    plugin id131845
    published2019-12-10
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131845
    titleEulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-2353)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2274.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.(CVE-2017-5754)The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.(CVE-2017-5897)The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.(CVE-2017-7261)The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.(CVE-2017-7472)A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this.(CVE-2017-7518)The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.(CVE-2018-10124)The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.(CVE-2018-10323)The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery.(CVE-2018-1066)The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.(CVE-2018-10675)An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp.(CVE-2018-13094)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.(CVE-2018-3693)In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.(CVE-2018-6412)Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck directory. NOTE: a third party has indicated that this report is not security relevant.(CVE-2018-7995)In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.(CVE-2018-9363)In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.(CVE-2018-9518)A vulnerability was found in Linux kernel
    last seen2020-05-08
    modified2019-11-08
    plugin id130736
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130736
    titleEulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2274)