Vulnerabilities > CVE-2019-3016 - Race Condition vulnerability in Linux Kernel

047910
CVSS 4.7 - MEDIUM
Attack vector
LOCAL
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
local
high complexity
linux
CWE-362
nessus

Summary

In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out.

Vulnerable Configurations

Part Description Count
OS
Linux
1627

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1292.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447 ) - In the Linux kernel 5.4.0-rc2, there is a use-after-free (read) in the __blk_add_trace function in kernel/trace/blktrace.c (which is used to fill out a blk_io_trace structure and place it in a per-cpu sub-buffer).(CVE-2019-19768) - ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux kernel through 5.5.3 allows attackers to cause a denial of service (soft lockup) via a crafted journal size.(CVE-2020-8992) - An issue was discovered in the Linux kernel through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2.(CVE-2020-9383) - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring.(CVE-2019-19807) - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor to access sensitive L1 resources(CVE-2020-2732) - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the n_tty_receive_buf_common function in drivers/tty/n_tty.c.(CVE-2020-8648) - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c.(CVE-2020-8649) - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c.(CVE-2020-8647) - fs/namei.c in the Linux kernel before 5.5 has a may_create_in_sticky use-after-free, which allows local users to cause a denial of service (OOPS) or possibly obtain sensitive information from kernel memory, aka CID-d0cb50185ae9. One attack vector may be an open system call for a UNIX domain socket, if the socket is being moved to a new parent directory and its old parent directory is being removed.(CVE-2020-8428) - In a Linux KVM guest that has PV TLB enabled, a process in the guest kernel may be able to read memory locations from another process in the same guest. This problem is limit to the host running linux kernel 4.10 with a guest running linux kernel 4.16 or later. The problem mainly affects AMD processors but Intel CPUs cannot be ruled out.(CVE-2019-3016) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-03
    modified2020-03-23
    plugin id134784
    published2020-03-23
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134784
    titleEulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1292)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134784);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/01");
    
      script_cve_id(
        "CVE-2019-19447",
        "CVE-2019-19768",
        "CVE-2019-19807",
        "CVE-2019-3016",
        "CVE-2020-2732",
        "CVE-2020-8428",
        "CVE-2020-8647",
        "CVE-2020-8648",
        "CVE-2020-8649",
        "CVE-2020-8992",
        "CVE-2020-9383"
      );
    
      script_name(english:"EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1292)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - In the Linux kernel 5.0.21, mounting a crafted ext4
        filesystem image, performing some operations, and
        unmounting can lead to a use-after-free in
        ext4_put_super in fs/ext4/super.c, related to
        dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447 )
    
      - In the Linux kernel 5.4.0-rc2, there is a
        use-after-free (read) in the __blk_add_trace function
        in kernel/trace/blktrace.c (which is used to fill out a
        blk_io_trace structure and place it in a per-cpu
        sub-buffer).(CVE-2019-19768)
    
      - ext4_protect_reserved_inode in fs/ext4/block_validity.c
        in the Linux kernel through 5.5.3 allows attackers to
        cause a denial of service (soft lockup) via a crafted
        journal size.(CVE-2020-8992)
    
      - An issue was discovered in the Linux kernel through
        5.5.6. set_fdc in drivers/block/floppy.c leads to a
        wait_til_ready out-of-bounds read because the FDC index
        is not checked for errors before assigning it, aka
        CID-2e90ca68b0d2.(CVE-2020-9383)
    
      - In the Linux kernel before 5.3.11, sound/core/timer.c
        has a use-after-free caused by erroneous code
        refactoring, aka CID-e7af6307a8a5. This is related to
        snd_timer_open and snd_timer_close_locked. The timeri
        variable was originally intended to be for a newly
        created timer instance, but was used for a different
        purpose after refactoring.(CVE-2019-19807)
    
      - Kernel: kvm: nVMX: L2 guest may trick the L0 hypervisor
        to access sensitive L1 resources(CVE-2020-2732)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the n_tty_receive_buf_common
        function in drivers/tty/n_tty.c.(CVE-2020-8648)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vgacon_invert_region
        function in
        drivers/video/console/vgacon.c.(CVE-2020-8649)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vc_do_resize function in
        drivers/tty/vt/vt.c.(CVE-2020-8647)
    
      - fs/namei.c in the Linux kernel before 5.5 has a
        may_create_in_sticky use-after-free, which allows local
        users to cause a denial of service (OOPS) or possibly
        obtain sensitive information from kernel memory, aka
        CID-d0cb50185ae9. One attack vector may be an open
        system call for a UNIX domain socket, if the socket is
        being moved to a new parent directory and its old
        parent directory is being removed.(CVE-2020-8428)
    
      - In a Linux KVM guest that has PV TLB enabled, a process
        in the guest kernel may be able to read memory
        locations from another process in the same guest. This
        problem is limit to the host running linux kernel 4.10
        with a guest running linux kernel 4.16 or later. The
        problem mainly affects AMD processors but Intel CPUs
        cannot be ruled out.(CVE-2019-3016)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1292
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bb4d37a7");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/23");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["bpftool-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-devel-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-headers-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-source-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-tools-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "perf-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "python-perf-4.19.36-vhulk1907.1.0.h702.eulerosv2r8",
            "python3-perf-4.19.36-vhulk1907.1.0.h702.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1536.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0.(CVE-2019-19536) - In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042.(CVE-2019-19535) - vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a.(CVE-2019-19252) - In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.(CVE-2019-19227) - A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.(CVE-2019-19060) - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29.(CVE-2019-19534) - In the Linux kernel before 5.3.11, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41.(CVE-2019-19529) - In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098.(CVE-2019-19526) - In the Linux kernel before 5.3.6, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035.(CVE-2019-19525) - In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.(CVE-2019-19532) - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.(CVE-2019-19527) - ** DISPUTED ** The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported.(CVE-2019-11191) - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.(CVE-2019-19524) - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16232) - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16231) - ** DISPUTED ** drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: The security community disputes this issues as not being serious enough to be deserving a CVE id.(CVE-2019-16229) - Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.(CVE-2019-10220) - A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.(CVE-2019-14901) - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163.(CVE-2019-19767) - A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.(CVE-2019-14895) - Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a Transaction Asynchronous Abort (TAA) h/w issue in KVM. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.(CVE-2019-19338) - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.(CVE-2019-11135) - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel
    last seen2020-05-08
    modified2020-05-01
    plugin id136239
    published2020-05-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136239
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1536)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136239);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2019-10220",
        "CVE-2019-11135",
        "CVE-2019-11191",
        "CVE-2019-14895",
        "CVE-2019-14896",
        "CVE-2019-14897",
        "CVE-2019-14901",
        "CVE-2019-16229",
        "CVE-2019-16231",
        "CVE-2019-16232",
        "CVE-2019-19036",
        "CVE-2019-19037",
        "CVE-2019-19039",
        "CVE-2019-19060",
        "CVE-2019-19227",
        "CVE-2019-19252",
        "CVE-2019-19332",
        "CVE-2019-19338",
        "CVE-2019-19447",
        "CVE-2019-19524",
        "CVE-2019-19525",
        "CVE-2019-19526",
        "CVE-2019-19527",
        "CVE-2019-19529",
        "CVE-2019-19532",
        "CVE-2019-19534",
        "CVE-2019-19535",
        "CVE-2019-19536",
        "CVE-2019-19767",
        "CVE-2019-19768",
        "CVE-2019-19770",
        "CVE-2019-19807",
        "CVE-2019-19815",
        "CVE-2019-19922",
        "CVE-2019-19947",
        "CVE-2019-20095",
        "CVE-2019-20096",
        "CVE-2019-20636",
        "CVE-2019-3016",
        "CVE-2019-5108",
        "CVE-2020-0067",
        "CVE-2020-11494",
        "CVE-2020-11565",
        "CVE-2020-11608",
        "CVE-2020-11609",
        "CVE-2020-11668",
        "CVE-2020-11669",
        "CVE-2020-1749",
        "CVE-2020-2732",
        "CVE-2020-8428",
        "CVE-2020-8647",
        "CVE-2020-8648",
        "CVE-2020-8649",
        "CVE-2020-9383"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1536)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - In the Linux kernel before 5.2.9, there is an info-leak
        bug that can be caused by a malicious USB device in the
        drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka
        CID-ead16e53c2f0.(CVE-2019-19536)
    
      - In the Linux kernel before 5.2.9, there is an info-leak
        bug that can be caused by a malicious USB device in the
        drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka
        CID-30a8beeb3042.(CVE-2019-19535)
    
      - vcs_write in drivers/tty/vt/vc_screen.c in the Linux
        kernel through 5.3.13 does not prevent write access to
        vcsu devices, aka CID-0c9acb1af77a.(CVE-2019-19252)
    
      - In the AppleTalk subsystem in the Linux kernel before
        5.1, there is a potential NULL pointer dereference
        because register_snap_client may return NULL. This will
        lead to denial of service in net/appletalk/aarp.c and
        net/appletalk/ddp.c, as demonstrated by
        unregister_snap_client, aka
        CID-9804501fa122.(CVE-2019-19227)
    
      - A memory leak in the adis_update_scan_mode() function
        in drivers/iio/imu/adis_buffer.c in the Linux kernel
        before 5.3.9 allows attackers to cause a denial of
        service (memory consumption), aka
        CID-ab612b1daf41.(CVE-2019-19060)
    
      - In the Linux kernel before 5.3.11, there is an
        info-leak bug that can be caused by a malicious USB
        device in the
        drivers/net/can/usb/peak_usb/pcan_usb_core.c driver,
        aka CID-f7a1337f0d29.(CVE-2019-19534)
    
      - In the Linux kernel before 5.3.11, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/net/can/usb/mcba_usb.c
        driver, aka CID-4d6636498c41.(CVE-2019-19529)
    
      - In the Linux kernel before 5.3.9, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/nfc/pn533/usb.c driver, aka
        CID-6af3aa57a098.(CVE-2019-19526)
    
      - In the Linux kernel before 5.3.6, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/net/ieee802154/atusb.c
        driver, aka CID-7fd25e6fc035.(CVE-2019-19525)
    
      - In the Linux kernel before 5.3.9, there are multiple
        out-of-bounds write bugs that can be caused by a
        malicious USB device in the Linux kernel HID drivers,
        aka CID-d9d4b1e46d95. This affects
        drivers/hid/hid-axff.c, drivers/hid/hid-dr.c,
        drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c,
        drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c,
        drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c,
        drivers/hid/hid-lgff.c,
        drivers/hid/hid-logitech-hidpp.c,
        drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,
        drivers/hid/hid-tmff.c, and
        drivers/hid/hid-zpff.c.(CVE-2019-19532)
    
      - In the Linux kernel before 5.2.10, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/hid/usbhid/hiddev.c driver,
        aka CID-9c09b214f30e.(CVE-2019-19527)
    
      - ** DISPUTED ** The Linux kernel through 5.0.7, when
        CONFIG_IA32_AOUT is enabled and ia32_aout is loaded,
        allows local users to bypass ASLR on setuid a.out
        programs (if any exist) because install_exec_creds() is
        called too late in load_aout_binary() in
        fs/binfmt_aout.c, and thus the ptrace_may_access()
        check has a race condition when reading /proc/pid/stat.
        NOTE: the software maintainer disputes that this is a
        vulnerability because ASLR for a.out format executables
        has never been supported.(CVE-2019-11191)
    
      - In the Linux kernel before 5.3.12, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/input/ff-memless.c driver,
        aka CID-fa3a5a1880c9.(CVE-2019-19524)
    
      - drivers/net/wireless/marvell/libertas/if_sdio.c in the
        Linux kernel 5.2.14 does not check the alloc_workqueue
        return value, leading to a NULL pointer
        dereference.(CVE-2019-16232)
    
      - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14
        does not check the alloc_workqueue return value,
        leading to a NULL pointer dereference.(CVE-2019-16231)
    
      - ** DISPUTED **
        drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux
        kernel 5.2.14 does not check the alloc_workqueue return
        value, leading to a NULL pointer dereference. NOTE: The
        security community disputes this issues as not being
        serious enough to be deserving a CVE
        id.(CVE-2019-16229)
    
      - Linux kernel CIFS implementation, version 4.9.0 is
        vulnerable to a relative paths injection in directory
        entry lists.(CVE-2019-10220)
    
      - A heap overflow flaw was found in the Linux kernel, all
        versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi
        chip driver. The vulnerability allows a remote attacker
        to cause a system crash, resulting in a denial of
        service, or execute arbitrary code. The highest threat
        with this vulnerability is with the availability of the
        system. If code execution occurs, the code will run
        with the permissions of root. This will affect both
        confidentiality and integrity of files on the
        system.(CVE-2019-14901)
    
      - The Linux kernel before 5.4.2 mishandles
        ext4_expand_extra_isize, as demonstrated by
        use-after-free errors in __ext4_expand_extra_isize and
        ext4_xattr_set_entry, related to fs/ext4/inode.c and
        fs/ext4/super.c, aka CID-4ea99936a163.(CVE-2019-19767)
    
      - A heap-based buffer overflow was discovered in the
        Linux kernel, all versions 3.x.x and 4.x.x before
        4.18.0, in Marvell WiFi chip driver. The flaw could
        occur when the station attempts a connection
        negotiation during the handling of the remote devices
        country settings. This could allow the remote device to
        cause a denial of service (system crash) or possibly
        execute arbitrary code.(CVE-2019-14895)
    
      - Linux Kernel could allow a local authenticated attacker
        to obtain sensitive information, caused by a
        Transaction Asynchronous Abort (TAA) h/w issue in KVM.
        By sending a specially-crafted request, an attacker
        could exploit this vulnerability to obtain sensitive
        information, and use this information to launch further
        attacks against the affected system.(CVE-2019-19338)
    
      - TSX Asynchronous Abort condition on some CPUs utilizing
        speculative execution may allow an authenticated user
        to potentially enable information disclosure via a side
        channel with local access.(CVE-2019-11135)
    
      - An out-of-bounds memory write issue was found in the
        Linux Kernel, version 3.13 through 5.4, in the way the
        Linux kernel's KVM hypervisor handled the
        'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID
        features emulated by the KVM hypervisor. A user or
        process able to access the '/dev/kvm' device could use
        this flaw to crash the system, resulting in a denial of
        service.(CVE-2019-19332)
    
      - kernel/sched/fair.c in the Linux kernel before 5.3.9,
        when cpu.cfs_quota_us is used (e.g., with Kubernetes),
        allows attackers to cause a denial of service against
        non-cpu-bound applications by generating a workload
        that triggers unwanted slice expiration, aka
        CID-de53fd7aedb1. (In other words, although this slice
        expiration would typically be seen with benign
        workloads, it is possible that an attacker could
        calculate how many stray requests are required to force
        an entire Kubernetes cluster into a low-performance
        state caused by slice expiration, and ensure that a
        DDoS attack sent that number of stray requests. An
        attack does not affect the stability of the kernel it
        only causes mismanagement of application
        execution.)(CVE-2019-19922)
    
      - A stack-based buffer overflow was found in the Linux
        kernel, version kernel-2.6.32, in Marvell WiFi chip
        driver. An attacker is able to cause a denial of
        service (system crash) or, possibly execute arbitrary
        code, when a STA works in IBSS mode (allows connecting
        stations together without the use of an AP) and
        connects to another STA.(CVE-2019-14897)
    
      - A heap-based buffer overflow vulnerability was found in
        the Linux kernel, version kernel-2.6.32, in Marvell
        WiFi chip driver. A remote attacker could cause a
        denial of service (system crash) or, possibly execute
        arbitrary code, when the lbs_ibss_join_existing
        function is called after a STA connects to an
        AP.(CVE-2019-14896)
    
      - In the Linux kernel through 5.4.6, there are
        information leaks of uninitialized memory to a USB
        device in the
        drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
        driver, aka CID-da2311a6385c.(CVE-2019-19947)
    
      - In the Linux kernel before 5.1, there is a memory leak
        in __feat_register_sp() in net/dccp/feat.c, which may
        cause denial of service, aka
        CID-1d3ff0950e2b.(CVE-2019-20096)
    
      - mwifiex_tm_cmd in
        drivers/net/wireless/marvell/mwifiex/cfg80211.c in the
        Linux kernel before 5.1.6 has some error-handling cases
        that did not free allocated hostcmd memory, aka
        CID-003b686ace82. This will cause a memory leak and
        denial of service.(CVE-2019-20095)
    
      - An exploitable denial-of-service vulnerability exists
        in the Linux kernel prior to mainline 5.3. An attacker
        could exploit this vulnerability by triggering AP to
        send IAPP location updates for stations before the
        required authentication process has completed. This
        could lead to different denial-of-service scenarios,
        either by causing CAM table attacks, or by leading to
        traffic flapping if faking already existing clients in
        other nearby APs of the same wireless infrastructure.
        An attacker can forge Authentication and Association
        Request packets to trigger this
        vulnerability.(CVE-2019-5108)
    
      - In a Linux KVM guest that has PV TLB enabled, a process
        in the guest kernel may be able to read memory
        locations from another process in the same guest. This
        problem is limit to the host running linux kernel 4.10
        with a guest running linux kernel 4.16 or later. The
        problem mainly affects AMD processors but Intel CPUs
        cannot be ruled out.(CVE-2019-3016)
    
      - fs/namei.c in the Linux kernel before 5.5 has a
        may_create_in_sticky use-after-free, which allows local
        users to cause a denial of service (OOPS) or possibly
        obtain sensitive information from kernel memory, aka
        CID-d0cb50185ae9. One attack vector may be an open
        system call for a UNIX domain socket, if the socket is
        being moved to a new parent directory and its old
        parent directory is being removed.(CVE-2020-8428)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the n_tty_receive_buf_common
        function in drivers/tty/n_tty.c.(CVE-2020-8648)
    
      - An issue was discovered in the Linux kernel through
        5.5.6. set_fdc in drivers/block/floppy.c leads to a
        wait_til_ready out-of-bounds read because the FDC index
        is not checked for errors before assigning it, aka
        CID-2e90ca68b0d2.(CVE-2020-9383)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vgacon_invert_region
        function in
        drivers/video/console/vgacon.c.(CVE-2020-8649)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vc_do_resize function in
        drivers/tty/vt/vt.c.(CVE-2020-8647)
    
      - In the Linux kernel 5.0.21, mounting a crafted ext4
        filesystem image, performing some operations, and
        unmounting can lead to a use-after-free in
        ext4_put_super in fs/ext4/super.c, related to
        dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447)
    
      - A flaw was discovered in the way that the KVM
        hypervisor handled instruction emulation for an L2
        guest when nested virtualisation is enabled. Under some
        circumstances, an L2 guest may trick the L0 guest into
        accessing sensitive L1 resources that should be
        inaccessible to the L2 guest.(CVE-2020-2732)
    
      - In the Linux kernel before 5.3.11, sound/core/timer.c
        has a use-after-free caused by erroneous code
        refactoring, aka CID-e7af6307a8a5. This is related to
        snd_timer_open and snd_timer_close_locked. The timeri
        variable was originally intended to be for a newly
        created timer instance, but was used for a different
        purpose after refactoring.(CVE-2019-19807)
    
      - In the Linux kernel 5.4.0-rc2, there is a
        use-after-free (read) in the __blk_add_trace function
        in kernel/trace/blktrace.c (which is used to fill out a
        blk_io_trace structure and place it in a per-cpu
        sub-buffer).(CVE-2019-19768)
    
      - In the Linux kernel 5.0.21, mounting a crafted f2fs
        filesystem image can cause a NULL pointer dereference
        in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This
        is related to F2FS_P_SB in
        fs/f2fs/f2fs.h.(CVE-2019-19815)
    
      - ** DISPUTED ** __btrfs_free_extent in
        fs/btrfs/extent-tree.c in the Linux kernel through
        5.3.12 calls btrfs_print_leaf in a certain ENOENT case,
        which allows local users to obtain potentially
        sensitive information about register values via the
        dmesg program. NOTE: The BTRFS development team
        disputes this issues as not being a vulnerability
        because '1) The kernel provide facilities to restrict
        access to dmesg - dmesg_restrict=1 sysctl option. So
        it's really up to the system administrator to judge
        whether dmesg access shall be disallowed or not. 2)
        WARN/WARN_ON are widely used macros in the linux
        kernel. If this CVE is considered valid this would mean
        there are literally thousands CVE lurking in the kernel
        - something which clearly is not the
        case.'(CVE-2019-19039)
    
      - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel
        through 5.3.12 allows a NULL pointer dereference
        because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be
        zero.(CVE-2019-19037)
    
      - btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel
        through 5.3.12 allows a NULL pointer dereference
        because rcu_dereference(root->node) can be
        zero.(CVE-2019-19036)
    
      - In the Linux kernel 4.19.83, there is a use-after-free
        (read) in the debugfs_remove function in
        fs/debugfs/inode.c (which is used to remove a file or
        directory in debugfs that was previously created with a
        call to another debugfs function such as
        debugfs_create_file).(CVE-2019-19770)
    
      - An issue was discovered in slc_bump in
        drivers/net/can/slcan.c in the Linux kernel through
        5.6.2. It allows attackers to read uninitialized
        can_frame data, potentially containing sensitive
        information from kernel stack memory, if the
        configuration lacks CONFIG_INIT_STACK_ALL, aka
        CID-b9258a2cece4.(CVE-2020-11494)
    
      - An issue was discovered in the Linux kernel through
        5.6.2. mpol_parse_str in mm/mempolicy.c has a
        stack-based out-of-bounds write because an empty
        nodelist is mishandled during mount option parsing, aka
        CID-aa9f7d5172fa.(CVE-2020-11565)
    
      - A flaw was found in the Linux kernel's implementation
        of some networking protocols in IPsec, such as VXLAN
        and GENEVE tunnels over IPv6. When an encrypted tunnel
        is created between two hosts, the kernel isn't
        correctly routing tunneled data over the encrypted link
        rather sending the data unencrypted. This would allow
        anyone in between the two endpoints to read the traffic
        unencrypted. The main threat from this vulnerability is
        to data confidentiality.(CVE-2020-1749)
    
      - An issue was discovered in the stv06xx subsystem in the
        Linux kernel before 5.6.1.
        drivers/media/usb/gspca/stv06xx/stv06xx.c and
        drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
        mishandle invalid descriptors, as demonstrated by a
        NULL pointer dereference, aka
        CID-485b06aadb93.(CVE-2020-11609)
    
      - An issue was discovered in the Linux kernel before
        5.6.1. drivers/media/usb/gspca/ov519.c allows NULL
        pointer dereferences in ov511_mode_init_regs and
        ov518_mode_init_regs when there are zero endpoints, aka
        CID-998912346c0d.(CVE-2020-11608)
    
      - In the Linux kernel before 5.4.12,
        drivers/input/input.c has out-of-bounds writes via a
        crafted keycode table, as demonstrated by
        input_set_keycode, aka
        CID-cb222aed03d7.(CVE-2019-20636)
    
      - In the Linux kernel before 5.6.1,
        drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink
        camera USB driver) mishandles invalid descriptors, aka
        CID-a246b4d54770.(CVE-2020-11668)
    
      - An issue was discovered in the Linux kernel through
        5.6.2. mpol_parse_str in mm/mempolicy.c has a
        stack-based out-of-bounds write because an empty
        nodelist is mishandled during mount option parsing, aka
        CID-aa9f7d5172fa.(CVE-2020-0067)
    
      - An issue was discovered in the Linux kernel before 5.2
        on the powerpc platform.
        arch/powerpc/kernel/idle_book3s.S does not have
        save/restore functionality for PNV_POWERSAVE_AMR,
        PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka
        CID-53a712bae5dd.(CVE-2020-11669)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1536
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a90e7d8e");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/01");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.36-vhulk1907.1.0.h729",
            "kernel-devel-4.19.36-vhulk1907.1.0.h729",
            "kernel-headers-4.19.36-vhulk1907.1.0.h729",
            "kernel-tools-4.19.36-vhulk1907.1.0.h729",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h729",
            "kernel-tools-libs-devel-4.19.36-vhulk1907.1.0.h729",
            "perf-4.19.36-vhulk1907.1.0.h729",
            "python-perf-4.19.36-vhulk1907.1.0.h729"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4300-1.NASL
    descriptionIt was discovered that the KVM implementation in the Linux kernel, when paravirtual TLB flushes are enabled in guests, the hypervisor in some situations could miss deferred TLB flushes or otherwise mishandle them. An attacker in a guest VM could use this to expose sensitive information (read memory from another guest VM). (CVE-2019-3016) Paulo Bonzini discovered that the KVM hypervisor implementation in the Linux kernel could improperly let a nested (level 2) guest access the resources of a parent (level 1) guest in certain situations. An attacker could use this to expose sensitive information. (CVE-2020-2732) It was discovered that the Afatech AF9005 DVB-T USB device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-18809) It was discovered that the Intel(R) XL710 Ethernet Controller device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19043) It was discovered that the RPMSG character device interface in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19053) It was discovered that the Marvell Wi-Fi device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to possibly cause a denial of service (kernel memory exhaustion). (CVE-2019-19056) It was discovered that the Intel(R) Wi-Fi device driver in the Linux kernel device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19058, CVE-2019-19059) It was discovered that the Serial Peripheral Interface (SPI) driver in the Linux kernel device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19064) It was discovered that the Brocade BFA Fibre Channel device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19066) It was discovered that the Realtek RTL8xxx USB Wi-Fi device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19068). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-16
    modified2020-03-18
    plugin id134658
    published2020-03-18
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134658
    titleUbuntu 18.04 LTS / 19.10 : linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, (USN-4300-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4300-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134658);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/14");
    
      script_cve_id("CVE-2019-18809", "CVE-2019-19043", "CVE-2019-19053", "CVE-2019-19056", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19064", "CVE-2019-19066", "CVE-2019-19068", "CVE-2019-3016", "CVE-2020-2732");
      script_xref(name:"USN", value:"4300-1");
    
      script_name(english:"Ubuntu 18.04 LTS / 19.10 : linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, (USN-4300-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the KVM implementation in the Linux kernel,
    when paravirtual TLB flushes are enabled in guests, the hypervisor in
    some situations could miss deferred TLB flushes or otherwise mishandle
    them. An attacker in a guest VM could use this to expose sensitive
    information (read memory from another guest VM). (CVE-2019-3016)
    
    Paulo Bonzini discovered that the KVM hypervisor implementation in the
    Linux kernel could improperly let a nested (level 2) guest access the
    resources of a parent (level 1) guest in certain situations. An
    attacker could use this to expose sensitive information.
    (CVE-2020-2732)
    
    It was discovered that the Afatech AF9005 DVB-T USB device driver in
    the Linux kernel did not properly deallocate memory in certain error
    conditions. A local attacker could possibly use this to cause a denial
    of service (kernel memory exhaustion). (CVE-2019-18809)
    
    It was discovered that the Intel(R) XL710 Ethernet Controller device
    driver in the Linux kernel did not properly deallocate memory in
    certain error conditions. A local attacker could possibly use this to
    cause a denial of service (kernel memory exhaustion). (CVE-2019-19043)
    
    It was discovered that the RPMSG character device interface in the
    Linux kernel did not properly deallocate memory in certain error
    conditions. A local attacker could possibly use this to cause a denial
    of service (kernel memory exhaustion). (CVE-2019-19053)
    
    It was discovered that the Marvell Wi-Fi device driver in the Linux
    kernel did not properly deallocate memory in certain error conditions.
    A local attacker could use this to possibly cause a denial of service
    (kernel memory exhaustion). (CVE-2019-19056)
    
    It was discovered that the Intel(R) Wi-Fi device driver in the Linux
    kernel device driver in the Linux kernel did not properly deallocate
    memory in certain error conditions. A local attacker could possibly
    use this to cause a denial of service (kernel memory exhaustion).
    (CVE-2019-19058, CVE-2019-19059)
    
    It was discovered that the Serial Peripheral Interface (SPI) driver in
    the Linux kernel device driver in the Linux kernel did not properly
    deallocate memory in certain error conditions. A local attacker could
    possibly use this to cause a denial of service (kernel memory
    exhaustion). (CVE-2019-19064)
    
    It was discovered that the Brocade BFA Fibre Channel device driver in
    the Linux kernel did not properly deallocate memory in certain error
    conditions. A local attacker could possibly use this to cause a denial
    of service (kernel memory exhaustion). (CVE-2019-19066)
    
    It was discovered that the Realtek RTL8xxx USB Wi-Fi device driver in
    the Linux kernel did not properly deallocate memory in certain error
    conditions. A local attacker could possibly use this to cause a denial
    of service (kernel memory exhaustion). (CVE-2019-19068).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4300-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:S/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2732");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.3-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.3-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.3-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.3-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.3-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.3-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.3-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.3-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.3-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.3-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp-edge");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke-5.3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2-hwe-18.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:19.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/11/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/18");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(18\.04|19\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 18.04 / 19.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2019-18809", "CVE-2019-19043", "CVE-2019-19053", "CVE-2019-19056", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19064", "CVE-2019-19066", "CVE-2019-19068", "CVE-2019-3016", "CVE-2020-2732");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-4300-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-5.3.0-1014-gcp", pkgver:"5.3.0-1014.15~18.04.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-5.3.0-1014-gke", pkgver:"5.3.0-1014.15~18.04.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-5.3.0-1019-raspi2", pkgver:"5.3.0-1019.21~18.04.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-5.3.0-42-generic", pkgver:"5.3.0-42.34~18.04.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-5.3.0-42-generic-lpae", pkgver:"5.3.0-42.34~18.04.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-5.3.0-42-lowlatency", pkgver:"5.3.0-42.34~18.04.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gcp-edge", pkgver:"5.3.0.1014.13")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic-hwe-18.04", pkgver:"5.3.0.42.99")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic-lpae-hwe-18.04", pkgver:"5.3.0.42.99")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-gke-5.3", pkgver:"5.3.0.1014.4")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-lowlatency-hwe-18.04", pkgver:"5.3.0.42.99")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-raspi2-hwe-18.04", pkgver:"5.3.0.1019.8")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-snapdragon-hwe-18.04", pkgver:"5.3.0.42.99")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-virtual-hwe-18.04", pkgver:"5.3.0.42.99")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-5.3.0-1011-oracle", pkgver:"5.3.0-1011.12")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-5.3.0-1012-kvm", pkgver:"5.3.0-1012.13")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-5.3.0-1013-aws", pkgver:"5.3.0-1013.14")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-5.3.0-1014-gcp", pkgver:"5.3.0-1014.15")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-5.3.0-1019-raspi2", pkgver:"5.3.0-1019.21")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-5.3.0-42-generic", pkgver:"5.3.0-42.34")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-5.3.0-42-generic-lpae", pkgver:"5.3.0-42.34")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-5.3.0-42-lowlatency", pkgver:"5.3.0-42.34")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-5.3.0-42-snapdragon", pkgver:"5.3.0-42.34")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-aws", pkgver:"5.3.0.1013.15")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-gcp", pkgver:"5.3.0.1014.15")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-generic", pkgver:"5.3.0.42.36")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-generic-lpae", pkgver:"5.3.0.42.36")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-gke", pkgver:"5.3.0.1014.15")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-kvm", pkgver:"5.3.0.1012.14")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-lowlatency", pkgver:"5.3.0.42.36")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-oracle", pkgver:"5.3.0.1011.12")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-raspi2", pkgver:"5.3.0.1019.16")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-snapdragon", pkgver:"5.3.0.42.36")) flag++;
    if (ubuntu_check(osver:"19.10", pkgname:"linux-image-virtual", pkgver:"5.3.0.42.36")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_NOTE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-5.3-aws / linux-image-5.3-gcp / linux-image-5.3-generic / etc");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2020-5526.NASL
    descriptionDescription of changes: [4.14.35-1902.10.4.el7uek] - kvm: Don
    last seen2020-06-01
    modified2020-06-02
    plugin id133381
    published2020-01-31
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133381
    titleOracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2020-5526)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2020-5526.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(133381);
      script_version("1.4");
      script_cvs_date("Date: 2020/02/12");
    
      script_cve_id("CVE-2019-3016");
    
      script_name(english:"Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2020-5526)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Description of changes:
    
    [4.14.35-1902.10.4.el7uek]
    - kvm: Don't reference vcpu->arch.st in arch-independent code (Boris Ostrovsky)  [Orabug: 30489861]
    - kvm: fix compile on s390 part 2 (Christian Borntraeger)  [Orabug: 30489861]
    - kvm: fix compilation on s390 (Paolo Bonzini)  [Orabug: 30489861]
    - kvm: fix compilation on aarch64 (Paolo Bonzini)  [Orabug: 30489861]
    
    [4.14.35-1902.10.3.el7uek]
    - x86/KVM: Clean up host's steal time structure (Boris Ostrovsky)  [Orabug: 30489861]  {CVE-2019-3016} {CVE-2019-3016}
    - x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed (Boris Ostrovsky)  [Orabug: 30489861]  {CVE-2019-3016} {CVE-2019-3016}
    - x86/kvm: Cache gfn to pfn translation (Boris Ostrovsky)  [Orabug: 30489861]  {CVE-2019-3016} {CVE-2019-3016}
    - x86/kvm: Introduce kvm_(un)map_gfn() (Boris Ostrovsky)  [Orabug: 30489861]  {CVE-2019-3016} {CVE-2019-3016}
    - x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit (Boris Ostrovsky)  [Orabug: 30489861]  {CVE-2019-3016} {CVE-2019-3016}
    - KVM: Properly check if 'page' is valid in kvm_vcpu_unmap (KarimAllah Ahmed)  [Orabug: 30489861]
    - KVM: Introduce a new guest mapping API (KarimAllah Ahmed)  [Orabug: 30489861]
    - KVM: x86: svm: make sure NMI is injected after nmi_singlestep (Vitaly Kuznetsov)  [Orabug: 30714532]"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2020-January/009565.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected unbreakable enterprise kernel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2019-3016");  
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2020-5526");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    kernel_major_minor = get_kb_item("Host/uname/major_minor");
    if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level.");
    expected_kernel_major_minor = "4.14";
    if (kernel_major_minor != expected_kernel_major_minor)
      audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor);
    
    flag = 0;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.14.35-1902.10.4.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.14.35-1902.10.4.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.14.35-1902.10.4.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.14.35-1902.10.4.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.14.35-1902.10.4.el7uek")) flag++;
    if (rpm_exists(release:"EL7", rpm:"kernel-uek-tools-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-tools-4.14.35-1902.10.4.el7uek")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
      else security_note(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1342.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A heap-based buffer overflow was discovered in the Linux kernel
    last seen2020-04-07
    modified2020-04-02
    plugin id135129
    published2020-04-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135129
    titleEulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2020-1342)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135129);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/06");
    
      script_cve_id(
        "CVE-2019-11135",
        "CVE-2019-14895",
        "CVE-2019-14896",
        "CVE-2019-14897",
        "CVE-2019-19332",
        "CVE-2019-19338",
        "CVE-2019-19922",
        "CVE-2019-19947",
        "CVE-2019-20095",
        "CVE-2019-20096",
        "CVE-2019-3016",
        "CVE-2019-5108",
        "CVE-2020-8428",
        "CVE-2020-8647",
        "CVE-2020-8648",
        "CVE-2020-8649",
        "CVE-2020-9383"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.6.0 : kernel (EulerOS-SA-2020-1342)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - A heap-based buffer overflow was discovered in the
        Linux kernel's Marvell WiFi chip driver. The flaw could
        occur when the station attempts a connection
        negotiation during the handling of the remote devices
        country settings. This could allow the remote device to
        cause a denial of service (system crash) or possibly
        execute arbitrary code.(CVE-2019-14895)
    
      - A flaw was found in the fix for CVE-2019-11135, the way
        Intel CPUs handle speculative execution of instructions
        when a TSX Asynchronous Abort (TAA) error occurs. When
        a guest is running on a host CPU affected by the TAA
        flaw (TAA_NO=0), but is not affected by the MDS issue
        (MDS_NO=1), the guest was to clear the affected buffers
        by using a VERW instruction mechanism. But when the
        MDS_NO=1 bit was exported to the guests, the guests did
        not use the VERW mechanism to clear the affected
        buffers. This issue affects guests running on Cascade
        Lake CPUs and requires that host has 'TSX' enabled.
        Confidentiality of data is the highest threat
        associated with this vulnerability.(CVE-2019-19338)
    
      - A flaw was found in the way Intel CPUs handle
        speculative execution of instructions when the TSX
        Asynchronous Abort (TAA) error occurs. A local
        authenticated attacker with the ability to monitor
        execution times could infer the TSX memory state by
        comparing abort execution times. This could allow
        information disclosure via this observed side-channel
        for any TSX transaction being executed while an
        attacker is able to observe abort timing. Intel's
        Transactional Synchronisation Extensions (TSX) are set
        of instructions which enable transactional memory
        support to improve performance of the multi-threaded
        applications, in the lock-protected critical sections.
        The CPU executes instructions in the critical-sections
        as transactions, while ensuring their atomic state.
        When such transaction execution is unsuccessful, the
        processor cannot ensure atomic updates to the
        transaction memory, so the processor rolls back or
        aborts such transaction execution. While TSX
        Asynchronous Abort (TAA) is pending, CPU may continue
        to read data from architectural buffers and pass it to
        the dependent speculative operations. This may cause
        information leakage via speculative side-channel means,
        which is quite similar to the Microarchitectural Data
        Sampling (MDS) issue.(CVE-2019-11135)
    
      - An out-of-bounds memory write issue was found in the
        way the Linux kernel's KVM hypervisor handled the
        'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID
        features emulated by the KVM hypervisor. A user or
        process able to access the '/dev/kvm' device could use
        this flaw to crash the system, resulting in a denial of
        service.(CVE-2019-19332)
    
      - A flaw was found in the Linux kernel's scheduler, where
        it can allow attackers to cause a denial of service
        against non-CPU-bound applications by generating a
        workload that triggers unwanted scheduling slice
        expiration. A local attacker who can trigger a specific
        workload type could abuse this technique to trigger a
        system to be seen as degraded, and possibly trigger
        workload-rebalance in systems that use the
        slice-expiration metric as a measure of system
        health.(CVE-2019-19922)
    
      - A stack-based buffer overflow was found in the Linux
        kernel's Marvell WiFi chip driver. An attacker is able
        to cause a denial of service (system crash) or,
        possibly execute arbitrary code, when a STA works in
        IBSS mode (allows connecting stations together without
        the use of an AP) and connects to another
        STA.(CVE-2019-14897)
    
      - A heap-based buffer overflow vulnerability was found in
        the Linux kernel's Marvell WiFi chip driver. A remote
        attacker could cause a denial of service (system crash)
        or, possibly execute arbitrary code, when the
        lbs_ibss_join_existing function is called after a STA
        connects to an AP.(CVE-2019-14896)
    
      - A flaw was found in the Linux kernel in versions
        through 5.4.6, containing information leaks of
        uninitialized memory to a USB device. The latest
        findings show that the uninitialized memory allocation
        was not leading to an information leak, but was
        allocating the memory assigned with data on the next
        line and hence causing no violation..(CVE-2019-19947)
    
      - A flaw was found in the Linux kernel's implementation
        of the Datagram Congestion Control Protocol (DCCP). A
        local attacker with access to the system can create
        DCCP sockets to cause a memory leak and repeat this
        operation to exhaust all memory and panic the
        system.(CVE-2019-20096)
    
      - A flaw was found in the Linux kernel's mwifiex driver
        implementation when connecting to other WiFi devices in
        'Test Mode.' A kernel memory leak can occur if an error
        condition is met during the parameter negotiation. This
        issue can lead to a denial of service if multiple error
        conditions meeting the repeated connection attempts are
        attempted.(CVE-2019-20095)
    
      - A flaw was found in the Linux kernel's implementation
        of the WiFi station handoff code. An attacker within
        the radio range could use this flaw to deny a valid
        device from joining the access point.(CVE-2019-5108)
    
      - A flaw was found in the way Linux kernel's KVM
        hypervisor handled deferred TLB flush requests from
        guest. A race condition may occur between the guest
        issuing a deferred TLB flush request to KVM, and then
        KVM handling and acknowledging it. This may result in
        invalid address translations from TLB being used to
        access guest memory, leading to a potential information
        leakage issue. An attacker may use this flaw to access
        guest memory locations that it should not have access
        to.(CVE-2019-3016)
    
      - fs/namei.c in the Linux kernel before 5.5 has a
        may_create_in_sticky use-after-free, which allows local
        users to cause a denial of service (OOPS) or possibly
        obtain sensitive information from kernel memory, aka
        CID-d0cb50185ae9. One attack vector may be an open
        system call for a UNIX domain socket, if the socket is
        being moved to a new parent directory and its old
        parent directory is being removed.(CVE-2020-8428)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the n_tty_receive_buf_common
        function in drivers/tty/n_tty.c.(CVE-2020-8648)
    
      - An issue was discovered in the Linux kernel through
        5.5.6. set_fdc in drivers/block/floppy.c leads to a
        wait_til_ready out-of-bounds read because the FDC index
        is not checked for errors before assigning it, aka
        CID-2e90ca68b0d2.(CVE-2020-9383)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vgacon_invert_region
        function in
        drivers/video/console/vgacon.c.(CVE-2020-8649)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vc_do_resize function in
        drivers/tty/vt/vt.c.(CVE-2020-8647)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1342
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3ae277fb");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/02");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.6.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.6.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.6.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.36-vhulk1907.1.0.h697.eulerosv2r8",
            "kernel-devel-4.19.36-vhulk1907.1.0.h697.eulerosv2r8",
            "kernel-headers-4.19.36-vhulk1907.1.0.h697.eulerosv2r8",
            "kernel-tools-4.19.36-vhulk1907.1.0.h697.eulerosv2r8",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h697.eulerosv2r8",
            "kernel-tools-libs-devel-4.19.36-vhulk1907.1.0.h697.eulerosv2r8",
            "perf-4.19.36-vhulk1907.1.0.h697.eulerosv2r8",
            "python-perf-4.19.36-vhulk1907.1.0.h697.eulerosv2r8",
            "python3-perf-4.19.36-vhulk1907.1.0.h697.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4699.NASL
    descriptionSeveral vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. - CVE-2019-3016 It was discovered that the KVM implementation for x86 did not always perform TLB flushes when needed, if the paravirtualised TLB flush feature was enabled. This could lead to disclosure of sensitive information within a guest VM. - CVE-2019-19462 The syzkaller tool found a missing error check in the
    last seen2020-06-12
    modified2020-06-11
    plugin id137341
    published2020-06-11
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/137341
    titleDebian DSA-4699-1 : linux - security update
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4301-1.NASL
    descriptionIt was discovered that the KVM implementation in the Linux kernel, when paravirtual TLB flushes are enabled in guests, the hypervisor in some situations could miss deferred TLB flushes or otherwise mishandle them. An attacker in a guest VM could use this to expose sensitive information (read memory from another guest VM). (CVE-2019-3016) Paulo Bonzini discovered that the KVM hypervisor implementation in the Linux kernel could improperly let a nested (level 2) guest access the resources of a parent (level 1) guest in certain situations. An attacker could use this to expose sensitive information. (CVE-2020-2732) It was discovered that the RPMSG character device interface in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19053) It was discovered that the Marvell Wi-Fi device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to possibly cause a denial of service (kernel memory exhaustion). (CVE-2019-19056) It was discovered that the Intel(R) Wi-Fi device driver in the Linux kernel device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19058, CVE-2019-19059) It was discovered that the Brocade BFA Fibre Channel device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19066) It was discovered that the Realtek RTL8xxx USB Wi-Fi device driver in the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could possibly use this to cause a denial of service (kernel memory exhaustion). (CVE-2019-19068). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-16
    modified2020-03-18
    plugin id134659
    published2020-03-18
    reporterUbuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134659
    titleUbuntu 18.04 LTS : linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0 vulnerabilities (USN-4301-1)