Vulnerabilities > CVE-2019-9162 - Out-of-bounds Write vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
| file | exploits/linux/dos/46477.txt |
| id | EDB-ID:46477 |
| last seen | 2019-03-01 |
| modified | 2019-03-01 |
| platform | linux |
| port | |
| published | 2019-03-01 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/46477 |
| title | Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module |
| type | dos |
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3930-1.NASL description Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information. (CVE-2019-7308) It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912) Jakub Jirasek discovered a use-after-free vulnerability in the SCTP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8956) It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980) It was discovered that a use-after-free vulnerability existed in the IPMI implementation in the Linux kernel. A local attacker with access to the IPMI character device files could use this to cause a denial of service (system crash). (CVE-2019-9003) Jann Horn discovered that the SNMP NAT implementation in the Linux kernel performed insufficient ASN.1 length checks. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-9162) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 123676 published 2019-04-03 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123676 title Ubuntu 18.10 : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2 (USN-3930-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3930-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(123676); script_version("1.6"); script_cvs_date("Date: 2020/01/27"); script_cve_id("CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-7308", "CVE-2019-8912", "CVE-2019-8956", "CVE-2019-8980", "CVE-2019-9003", "CVE-2019-9162", "CVE-2019-9213"); script_xref(name:"USN", value:"3930-1"); script_name(english:"Ubuntu 18.10 : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2 (USN-3930-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information. (CVE-2019-7308) It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912) Jakub Jirasek discovered a use-after-free vulnerability in the SCTP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8956) It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980) It was discovered that a use-after-free vulnerability existed in the IPMI implementation in the Linux kernel. A local attacker with access to the IPMI character device files could use this to cause a denial of service (system crash). (CVE-2019-9003) Jann Horn discovered that the SNMP NAT implementation in the Linux kernel performed insufficient ASN.1 length checks. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-9162) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3930-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8956"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-aws"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-azure"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-gcp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic-lpae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-lowlatency"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-raspi2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-snapdragon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.10"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/03"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("ksplice.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(18\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 18.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-7308", "CVE-2019-8912", "CVE-2019-8956", "CVE-2019-8980", "CVE-2019-9003", "CVE-2019-9162", "CVE-2019-9213"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3930-1"); } else { _ubuntu_report = ksplice_reporting_text(); } } flag = 0; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-1008-gcp", pkgver:"4.18.0-1008.9")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-1009-kvm", pkgver:"4.18.0-1009.9")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-1011-raspi2", pkgver:"4.18.0-1011.13")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-1012-aws", pkgver:"4.18.0-1012.14")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-1014-azure", pkgver:"4.18.0-1014.14")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-17-generic", pkgver:"4.18.0-17.18")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-17-generic-lpae", pkgver:"4.18.0-17.18")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-17-lowlatency", pkgver:"4.18.0-17.18")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-17-snapdragon", pkgver:"4.18.0-17.18")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-aws", pkgver:"4.18.0.1012.12")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-azure", pkgver:"4.18.0.1014.15")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-gcp", pkgver:"4.18.0.1008.8")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-generic", pkgver:"4.18.0.17.18")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-generic-lpae", pkgver:"4.18.0.17.18")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-gke", pkgver:"4.18.0.1008.8")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-kvm", pkgver:"4.18.0.1009.9")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-lowlatency", pkgver:"4.18.0.17.18")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-raspi2", pkgver:"4.18.0.1011.8")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-snapdragon", pkgver:"4.18.0.17.18")) flag++; if (ubuntu_check(osver:"18.10", pkgname:"linux-image-virtual", pkgver:"4.18.0.17.18")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.18-aws / linux-image-4.18-azure / etc"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3930-2.NASL description USN-3930-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS. Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information. (CVE-2019-7308) It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912) Jakub Jirasek discovered a use-after-free vulnerability in the SCTP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8956) It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980) It was discovered that a use-after-free vulnerability existed in the IPMI implementation in the Linux kernel. A local attacker with access to the IPMI character device files could use this to cause a denial of service (system crash). (CVE-2019-9003) Jann Horn discovered that the SNMP NAT implementation in the Linux kernel performed insufficient ASN.1 length checks. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-9162) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 123677 published 2019-04-03 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123677 title Ubuntu 18.04 LTS : linux-hwe, linux-azure vulnerabilities (USN-3930-2) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-3930-2. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(123677); script_version("1.6"); script_cvs_date("Date: 2020/01/27"); script_cve_id("CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-7308", "CVE-2019-8912", "CVE-2019-8956", "CVE-2019-8980", "CVE-2019-9003", "CVE-2019-9162", "CVE-2019-9213"); script_xref(name:"USN", value:"3930-2"); script_name(english:"Ubuntu 18.04 LTS : linux-hwe, linux-azure vulnerabilities (USN-3930-2)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "USN-3930-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS. Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information. (CVE-2019-7308) It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912) Jakub Jirasek discovered a use-after-free vulnerability in the SCTP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8956) It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980) It was discovered that a use-after-free vulnerability existed in the IPMI implementation in the Linux kernel. A local attacker with access to the IPMI character device files could use this to cause a denial of service (system crash). (CVE-2019-9003) Jann Horn discovered that the SNMP NAT implementation in the Linux kernel performed insufficient ASN.1 length checks. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-9162) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/3930-2/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8956"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-azure"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic-lpae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-lowlatency"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-snapdragon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/03"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("ksplice.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 18.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-7308", "CVE-2019-8912", "CVE-2019-8956", "CVE-2019-8980", "CVE-2019-9003", "CVE-2019-9162", "CVE-2019-9213"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3930-2"); } else { _ubuntu_report = ksplice_reporting_text(); } } flag = 0; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.18.0-1014-azure", pkgver:"4.18.0-1014.14~18.04.1")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.18.0-17-generic", pkgver:"4.18.0-17.18~18.04.1")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.18.0-17-generic-lpae", pkgver:"4.18.0-17.18~18.04.1")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.18.0-17-lowlatency", pkgver:"4.18.0-17.18~18.04.1")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.18.0-17-snapdragon", pkgver:"4.18.0-17.18~18.04.1")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-azure", pkgver:"4.18.0.1014.13")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic-hwe-18.04", pkgver:"4.18.0.17.67")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic-lpae-hwe-18.04", pkgver:"4.18.0.17.67")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-lowlatency-hwe-18.04", pkgver:"4.18.0.17.67")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-snapdragon-hwe-18.04", pkgver:"4.18.0.17.67")) flag++; if (ubuntu_check(osver:"18.04", pkgname:"linux-image-virtual-hwe-18.04", pkgver:"4.18.0.17.67")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.18-azure / linux-image-4.18-generic / etc"); }NASL family Fedora Local Security Checks NASL id FEDORA_2019-7462ACF8BA.NASL description The 4.20.12 stable update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 122521 published 2019-03-01 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122521 title Fedora 29 : kernel / kernel-headers (2019-7462acf8ba) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-7462acf8ba. # include("compat.inc"); if (description) { script_id(122521); script_version("1.5"); script_cvs_date("Date: 2020/02/07"); script_cve_id("CVE-2019-8980", "CVE-2019-9162"); script_xref(name:"FEDORA", value:"2019-7462acf8ba"); script_name(english:"Fedora 29 : kernel / kernel-headers (2019-7462acf8ba)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The 4.20.12 stable update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-7462acf8ba" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel and / or kernel-headers packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9162"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-headers"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:29"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/21"); script_set_attribute(attribute:"patch_publication_date", value:"2019/03/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^29([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 29", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2019-8980", "CVE-2019-9162"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2019-7462acf8ba"); } else { __rpm_report = ksplice_reporting_text(); } } flag = 0; if (rpm_check(release:"FC29", reference:"kernel-4.20.12-200.fc29")) flag++; if (rpm_check(release:"FC29", reference:"kernel-headers-4.20.12-200.fc29")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-headers"); }NASL family Fedora Local Security Checks NASL id FEDORA_2019-196AB64D65.NASL description The 4.20.14 stable kernel update contains a number of important fixes across the tree. ---- The 4.20.13 stable kernel update contains a number of important fixes across the tree. ---- The 4.20.12 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 122769 published 2019-03-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122769 title Fedora 28 : kernel / kernel-headers (2019-196ab64d65) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-196ab64d65. # include("compat.inc"); if (description) { script_id(122769); script_version("1.6"); script_cvs_date("Date: 2020/02/05"); script_cve_id("CVE-2019-8980", "CVE-2019-9162", "CVE-2019-9213"); script_xref(name:"FEDORA", value:"2019-196ab64d65"); script_name(english:"Fedora 28 : kernel / kernel-headers (2019-196ab64d65)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The 4.20.14 stable kernel update contains a number of important fixes across the tree. ---- The 4.20.13 stable kernel update contains a number of important fixes across the tree. ---- The 4.20.12 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-196ab64d65" ); script_set_attribute( attribute:"solution", value:"Update the affected kernel and / or kernel-headers packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9162"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-headers"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/21"); script_set_attribute(attribute:"patch_publication_date", value:"2019/03/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2019-8980", "CVE-2019-9162", "CVE-2019-9213"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2019-196ab64d65"); } else { __rpm_report = ksplice_reporting_text(); } } flag = 0; if (rpm_check(release:"FC28", reference:"kernel-4.20.14-100.fc28")) flag++; if (rpm_check(release:"FC28", reference:"kernel-headers-4.20.14-100.fc28")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-headers"); }NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1532.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the way the Linux kernel last seen 2020-03-19 modified 2019-05-14 plugin id 124985 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124985 title EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(124985); script_version("1.8"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19"); script_cve_id( "CVE-2013-2894", "CVE-2013-2930", "CVE-2014-4652", "CVE-2014-8133", "CVE-2014-9644", "CVE-2015-6526", "CVE-2015-8215", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-4913", "CVE-2016-6198", "CVE-2016-7097", "CVE-2017-15274", "CVE-2017-16995", "CVE-2017-17864", "CVE-2017-6001", "CVE-2018-14610", "CVE-2018-7757", "CVE-2019-5489", "CVE-2019-9162" ); script_bugtraq_id( 62052, 64318, 68170, 71684, 72320 ); script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS Virtualization for ARM 64 host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system by creating a special stack layout that would force the perf_callchain_user_64() function into an infinite loop.(CVE-2015-6526i1/4%0 - A vulnerability was found in the Linux kernel. Payloads of NM entries are not supposed to contain NUL. When such entry is processed, only the part prior to the first NUL goes into the concatenation (i.e. the directory entry name being encoded by a bunch of NM entries). The process stops when the amount collected so far + the claimed amount in the current NM entry exceed 254. However, the value returned as the total length is the sum of *claimed* sizes, not the actual amount collected. And that's what will be passed to readdir() callback as the name length - 8Kb __copy_to_user() from a buffer allocated by __get_free_page().(CVE-2016-4913i1/4%0 - The perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application.(CVE-2013-2930i1/4%0 - The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.(CVE-2019-5489i1/4%0 - It was found that the espfix functionality could be bypassed by installing a 16-bit RW data segment into GDT instead of LDT (which espfix checks), and using that segment on the stack. A local, unprivileged user could potentially use this flaw to leak kernel stack addresses.(CVE-2014-8133i1/4%0 - An issue was discovered in the btrfs filesystem code in the Linux kernel. An out-of-bounds access is possible in write_extent_buffer() when mounting and operating a crafted btrfs image due to a lack of verification at mount time within the btrfs_read_block_groups() in fs/btrfs/extent-tree.c function. This could lead to a system crash and a denial of service.(CVE-2018-14610i1/4%0 - kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a 'pointer leak.'(CVE-2017-17864i1/4%0 - drivers/hid/hid-lenovo-tpkbd.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_LENOVO_TPKBD is enabled, allows physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device.(CVE-2013-2894i1/4%0 - Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel allows local users to cause a denial of service (kernel memory exhaustion) via multiple read accesses to files in the /sys/class/sas_phy directory.(CVE-2018-7757i1/4%0 - It was found that the original fix for CVE-2016-6786 was incomplete. There exist a race between two concurrent sys_perf_event_open() calls when both try and move the same pre-existing software group into a hardware context.(CVE-2017-6001i1/4%0 - In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.(CVE-2019-9162i1/4%0 - An information leak flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled access of the user control's state. A local, privileged user could use this flaw to leak kernel memory to user space.(CVE-2014-4652i1/4%0 - A flaw was found that the vfs_rename() function did not detect hard links on overlayfs. A local, unprivileged user could use the rename syscall on overlayfs on top of xfs to crash the system.(CVE-2016-6198i1/4%0 - It was found that when file permissions were modified via chmod and the user modifying them was not in the owning group or capable of CAP_FSETID, the setgid bit would be cleared. Setting a POSIX ACL via setxattr sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way. This could allow a local user to gain group privileges via certain setgid applications.(CVE-2016-7097i1/4%0 - A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules. A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel.(CVE-2014-9644i1/4%0 - An arbitrary memory r/w access issue was found in the Linux kernel compiled with the eBPF bpf(2) system call (CONFIG_BPF_SYSCALL) support. The issue could occur due to calculation errors in the eBPF verifier module, triggered by user supplied malicious BPF program. An unprivileged user could use this flaw to escalate their privileges on a system. Setting parameter 'kernel.unprivileged_bpf_disabled=1' prevents such privilege escalation by restricting access to bpf(2) call.(CVE-2017-16995i1/4%0 - A flaw was found in the implementation of associative arrays where the add_key systemcall and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameters value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops).(CVE-2017-15274i1/4%0 - A flaw was found in the Linux kernel's keyring handling code: the key_reject_and_link() function could be forced to free an arbitrary memory block. An attacker could use this flaw to trigger a use-after-free condition on the system, potentially allowing for privilege escalation.(CVE-2016-4470i1/4%0 - A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system.(CVE-2016-4565i1/4%0 - It was found that the Linux kernel's IPv6 network stack did not properly validate the value of the MTU variable when it was set. A remote attacker could potentially use this flaw to disrupt a target system's networking (packet loss) by setting an invalid MTU value, for example, via a NetworkManager daemon that is processing router advertisement packets running on the target system.(CVE-2015-8215i1/4%0 Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1532 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bf9dd973"); script_set_attribute(attribute:"solution", value: "Update the affected kernel packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Linux BPF Sign Extension Local Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0"); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu); flag = 0; pkgs = ["kernel-4.19.28-1.2.117", "kernel-devel-4.19.28-1.2.117", "kernel-headers-4.19.28-1.2.117", "kernel-tools-4.19.28-1.2.117", "kernel-tools-libs-4.19.28-1.2.117", "kernel-tools-libs-devel-4.19.28-1.2.117", "perf-4.19.28-1.2.117", "python-perf-4.19.28-1.2.117"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel"); }
References
- https://github.com/torvalds/linux/commit/c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.20.12
- https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.25
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1776
- http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c4c07b4d6fa1f11880eab8e076d3d060ef3f55fc
- http://www.securityfocus.com/bid/107159
- https://www.exploit-db.com/exploits/46477/
- https://security.netapp.com/advisory/ntap-20190327-0002/
- https://usn.ubuntu.com/3930-2/
- https://usn.ubuntu.com/3930-1/
- https://support.f5.com/csp/article/K31864522