Vulnerabilities > CVE-2019-9162 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
local
low complexity
linux
netapp
canonical
CWE-787
nessus
exploit available

Summary

In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.

Common Weakness Enumeration (CWE)

Exploit-Db

fileexploits/linux/dos/46477.txt
idEDB-ID:46477
last seen2019-03-01
modified2019-03-01
platformlinux
port
published2019-03-01
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/46477
titleLinux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module
typedos

Nessus

  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3930-1.NASL
    descriptionMathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information. (CVE-2019-7308) It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912) Jakub Jirasek discovered a use-after-free vulnerability in the SCTP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8956) It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980) It was discovered that a use-after-free vulnerability existed in the IPMI implementation in the Linux kernel. A local attacker with access to the IPMI character device files could use this to cause a denial of service (system crash). (CVE-2019-9003) Jann Horn discovered that the SNMP NAT implementation in the Linux kernel performed insufficient ASN.1 length checks. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-9162) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123676
    published2019-04-03
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123676
    titleUbuntu 18.10 : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2 (USN-3930-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3930-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(123676);
      script_version("1.6");
      script_cvs_date("Date: 2020/01/27");
    
      script_cve_id("CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-7308", "CVE-2019-8912", "CVE-2019-8956", "CVE-2019-8980", "CVE-2019-9003", "CVE-2019-9162", "CVE-2019-9213");
      script_xref(name:"USN", value:"3930-1");
    
      script_name(english:"Ubuntu 18.10 : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2 (USN-3930-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Mathias Payer and Hui Peng discovered a use-after-free vulnerability
    in the Advanced Linux Sound Architecture (ALSA) subsystem. A
    physically proximate attacker could use this to cause a denial of
    service (system crash). (CVE-2018-19824)
    
    Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an
    information leak in the Bluetooth implementation of the Linux kernel.
    An attacker within Bluetooth range could use this to expose sensitive
    information (kernel memory). (CVE-2019-3459, CVE-2019-3460)
    
    Jann Horn discovered that the KVM implementation in the Linux kernel
    contained a use-after-free vulnerability. An attacker in a guest VM
    with access to /dev/kvm could use this to cause a denial of service
    (guest VM crash). (CVE-2019-6974)
    
    Jim Mattson and Felix Wilhelm discovered a use-after-free
    vulnerability in the KVM subsystem of the Linux kernel, when using
    nested virtual machines. A local attacker in a guest VM could use this
    to cause a denial of service (system crash) or possibly execute
    arbitrary code in the host system. (CVE-2019-7221)
    
    Felix Wilhelm discovered that an information leak vulnerability
    existed in the KVM subsystem of the Linux kernel, when nested
    virtualization is used. A local attacker could use this to expose
    sensitive information (host system memory to a guest VM).
    (CVE-2019-7222)
    
    Jann Horn discovered that the eBPF implementation in the Linux kernel
    was insufficiently hardened against Spectre V1 attacks. A local
    attacker could use this to expose sensitive information.
    (CVE-2019-7308)
    
    It was discovered that a use-after-free vulnerability existed in the
    user- space API for crypto (af_alg) implementation in the Linux
    kernel. A local attacker could use this to cause a denial of service
    (system crash) or possibly execute arbitrary code. (CVE-2019-8912)
    
    Jakub Jirasek discovered a use-after-free vulnerability in the SCTP
    implementation in the Linux kernel. A local attacker could use this to
    cause a denial of service (system crash) or possibly execute arbitrary
    code. (CVE-2019-8956)
    
    It was discovered that the Linux kernel did not properly deallocate
    memory when handling certain errors while reading files. A local
    attacker could use this to cause a denial of service (excessive memory
    consumption). (CVE-2019-8980)
    
    It was discovered that a use-after-free vulnerability existed in the
    IPMI implementation in the Linux kernel. A local attacker with access
    to the IPMI character device files could use this to cause a denial of
    service (system crash). (CVE-2019-9003)
    
    Jann Horn discovered that the SNMP NAT implementation in the Linux
    kernel performed insufficient ASN.1 length checks. An attacker could
    use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2019-9162)
    
    Jann Horn discovered that the mmap implementation in the Linux kernel
    did not properly check for the mmap minimum address in some
    situations. A local attacker could use this to assist exploiting a
    kernel NULL pointer dereference vulnerability. (CVE-2019-9213).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3930-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8956");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(18\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 18.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-7308", "CVE-2019-8912", "CVE-2019-8956", "CVE-2019-8980", "CVE-2019-9003", "CVE-2019-9162", "CVE-2019-9213");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3930-1");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-1008-gcp", pkgver:"4.18.0-1008.9")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-1009-kvm", pkgver:"4.18.0-1009.9")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-1011-raspi2", pkgver:"4.18.0-1011.13")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-1012-aws", pkgver:"4.18.0-1012.14")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-1014-azure", pkgver:"4.18.0-1014.14")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-17-generic", pkgver:"4.18.0-17.18")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-17-generic-lpae", pkgver:"4.18.0-17.18")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-17-lowlatency", pkgver:"4.18.0-17.18")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-4.18.0-17-snapdragon", pkgver:"4.18.0-17.18")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-aws", pkgver:"4.18.0.1012.12")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-azure", pkgver:"4.18.0.1014.15")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-gcp", pkgver:"4.18.0.1008.8")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-generic", pkgver:"4.18.0.17.18")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-generic-lpae", pkgver:"4.18.0.17.18")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-gke", pkgver:"4.18.0.1008.8")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-kvm", pkgver:"4.18.0.1009.9")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-lowlatency", pkgver:"4.18.0.17.18")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-raspi2", pkgver:"4.18.0.1011.8")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-snapdragon", pkgver:"4.18.0.17.18")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"linux-image-virtual", pkgver:"4.18.0.17.18")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.18-aws / linux-image-4.18-azure / etc");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3930-2.NASL
    descriptionUSN-3930-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS. Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the Advanced Linux Sound Architecture (ALSA) subsystem. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19824) Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information leak in the Bluetooth implementation of the Linux kernel. An attacker within Bluetooth range could use this to expose sensitive information (kernel memory). (CVE-2019-3459, CVE-2019-3460) Jann Horn discovered that the KVM implementation in the Linux kernel contained a use-after-free vulnerability. An attacker in a guest VM with access to /dev/kvm could use this to cause a denial of service (guest VM crash). (CVE-2019-6974) Jim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in the KVM subsystem of the Linux kernel, when using nested virtual machines. A local attacker in a guest VM could use this to cause a denial of service (system crash) or possibly execute arbitrary code in the host system. (CVE-2019-7221) Felix Wilhelm discovered that an information leak vulnerability existed in the KVM subsystem of the Linux kernel, when nested virtualization is used. A local attacker could use this to expose sensitive information (host system memory to a guest VM). (CVE-2019-7222) Jann Horn discovered that the eBPF implementation in the Linux kernel was insufficiently hardened against Spectre V1 attacks. A local attacker could use this to expose sensitive information. (CVE-2019-7308) It was discovered that a use-after-free vulnerability existed in the user- space API for crypto (af_alg) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8912) Jakub Jirasek discovered a use-after-free vulnerability in the SCTP implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-8956) It was discovered that the Linux kernel did not properly deallocate memory when handling certain errors while reading files. A local attacker could use this to cause a denial of service (excessive memory consumption). (CVE-2019-8980) It was discovered that a use-after-free vulnerability existed in the IPMI implementation in the Linux kernel. A local attacker with access to the IPMI character device files could use this to cause a denial of service (system crash). (CVE-2019-9003) Jann Horn discovered that the SNMP NAT implementation in the Linux kernel performed insufficient ASN.1 length checks. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-9162) Jann Horn discovered that the mmap implementation in the Linux kernel did not properly check for the mmap minimum address in some situations. A local attacker could use this to assist exploiting a kernel NULL pointer dereference vulnerability. (CVE-2019-9213). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123677
    published2019-04-03
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123677
    titleUbuntu 18.04 LTS : linux-hwe, linux-azure vulnerabilities (USN-3930-2)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3930-2. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(123677);
      script_version("1.6");
      script_cvs_date("Date: 2020/01/27");
    
      script_cve_id("CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-7308", "CVE-2019-8912", "CVE-2019-8956", "CVE-2019-8980", "CVE-2019-9003", "CVE-2019-9162", "CVE-2019-9213");
      script_xref(name:"USN", value:"3930-2");
    
      script_name(english:"Ubuntu 18.04 LTS : linux-hwe, linux-azure vulnerabilities (USN-3930-2)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "USN-3930-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10.
    This update provides the corresponding updates for the Linux Hardware
    Enablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS.
    
    Mathias Payer and Hui Peng discovered a use-after-free vulnerability
    in the Advanced Linux Sound Architecture (ALSA) subsystem. A
    physically proximate attacker could use this to cause a denial of
    service (system crash). (CVE-2018-19824)
    
    Shlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an
    information leak in the Bluetooth implementation of the Linux kernel.
    An attacker within Bluetooth range could use this to expose sensitive
    information (kernel memory). (CVE-2019-3459, CVE-2019-3460)
    
    Jann Horn discovered that the KVM implementation in the Linux kernel
    contained a use-after-free vulnerability. An attacker in a guest VM
    with access to /dev/kvm could use this to cause a denial of service
    (guest VM crash). (CVE-2019-6974)
    
    Jim Mattson and Felix Wilhelm discovered a use-after-free
    vulnerability in the KVM subsystem of the Linux kernel, when using
    nested virtual machines. A local attacker in a guest VM could use this
    to cause a denial of service (system crash) or possibly execute
    arbitrary code in the host system. (CVE-2019-7221)
    
    Felix Wilhelm discovered that an information leak vulnerability
    existed in the KVM subsystem of the Linux kernel, when nested
    virtualization is used. A local attacker could use this to expose
    sensitive information (host system memory to a guest VM).
    (CVE-2019-7222)
    
    Jann Horn discovered that the eBPF implementation in the Linux kernel
    was insufficiently hardened against Spectre V1 attacks. A local
    attacker could use this to expose sensitive information.
    (CVE-2019-7308)
    
    It was discovered that a use-after-free vulnerability existed in the
    user- space API for crypto (af_alg) implementation in the Linux
    kernel. A local attacker could use this to cause a denial of service
    (system crash) or possibly execute arbitrary code. (CVE-2019-8912)
    
    Jakub Jirasek discovered a use-after-free vulnerability in the SCTP
    implementation in the Linux kernel. A local attacker could use this to
    cause a denial of service (system crash) or possibly execute arbitrary
    code. (CVE-2019-8956)
    
    It was discovered that the Linux kernel did not properly deallocate
    memory when handling certain errors while reading files. A local
    attacker could use this to cause a denial of service (excessive memory
    consumption). (CVE-2019-8980)
    
    It was discovered that a use-after-free vulnerability existed in the
    IPMI implementation in the Linux kernel. A local attacker with access
    to the IPMI character device files could use this to cause a denial of
    service (system crash). (CVE-2019-9003)
    
    Jann Horn discovered that the SNMP NAT implementation in the Linux
    kernel performed insufficient ASN.1 length checks. An attacker could
    use this to cause a denial of service (system crash) or possibly
    execute arbitrary code. (CVE-2019-9162)
    
    Jann Horn discovered that the mmap implementation in the Linux kernel
    did not properly check for the mmap minimum address in some
    situations. A local attacker could use this to assist exploiting a
    kernel NULL pointer dereference vulnerability. (CVE-2019-9213).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3930-2/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8956");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic-lpae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-lowlatency");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-snapdragon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("ksplice.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-7308", "CVE-2019-8912", "CVE-2019-8956", "CVE-2019-8980", "CVE-2019-9003", "CVE-2019-9162", "CVE-2019-9213");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-3930-2");
      }
      else
      {
        _ubuntu_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.18.0-1014-azure", pkgver:"4.18.0-1014.14~18.04.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.18.0-17-generic", pkgver:"4.18.0-17.18~18.04.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.18.0-17-generic-lpae", pkgver:"4.18.0-17.18~18.04.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.18.0-17-lowlatency", pkgver:"4.18.0-17.18~18.04.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-4.18.0-17-snapdragon", pkgver:"4.18.0-17.18~18.04.1")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-azure", pkgver:"4.18.0.1014.13")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic-hwe-18.04", pkgver:"4.18.0.17.67")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-generic-lpae-hwe-18.04", pkgver:"4.18.0.17.67")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-lowlatency-hwe-18.04", pkgver:"4.18.0.17.67")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-snapdragon-hwe-18.04", pkgver:"4.18.0.17.67")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"linux-image-virtual-hwe-18.04", pkgver:"4.18.0.17.67")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-4.18-azure / linux-image-4.18-generic / etc");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-7462ACF8BA.NASL
    descriptionThe 4.20.12 stable update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122521
    published2019-03-01
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122521
    titleFedora 29 : kernel / kernel-headers (2019-7462acf8ba)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2019-7462acf8ba.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122521);
      script_version("1.5");
      script_cvs_date("Date: 2020/02/07");
    
      script_cve_id("CVE-2019-8980", "CVE-2019-9162");
      script_xref(name:"FEDORA", value:"2019-7462acf8ba");
    
      script_name(english:"Fedora 29 : kernel / kernel-headers (2019-7462acf8ba)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The 4.20.12 stable update contains a number of important fixes across
    the tree.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-7462acf8ba"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel and / or kernel-headers packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9162");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:29");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^29([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 29", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2019-8980", "CVE-2019-9162");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2019-7462acf8ba");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    if (rpm_check(release:"FC29", reference:"kernel-4.20.12-200.fc29")) flag++;
    if (rpm_check(release:"FC29", reference:"kernel-headers-4.20.12-200.fc29")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-headers");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-196AB64D65.NASL
    descriptionThe 4.20.14 stable kernel update contains a number of important fixes across the tree. ---- The 4.20.13 stable kernel update contains a number of important fixes across the tree. ---- The 4.20.12 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122769
    published2019-03-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122769
    titleFedora 28 : kernel / kernel-headers (2019-196ab64d65)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2019-196ab64d65.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122769);
      script_version("1.6");
      script_cvs_date("Date: 2020/02/05");
    
      script_cve_id("CVE-2019-8980", "CVE-2019-9162", "CVE-2019-9213");
      script_xref(name:"FEDORA", value:"2019-196ab64d65");
    
      script_name(english:"Fedora 28 : kernel / kernel-headers (2019-196ab64d65)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The 4.20.14 stable kernel update contains a number of important fixes
    across the tree.
    
    ----
    
    The 4.20.13 stable kernel update contains a number of important fixes
    across the tree.
    
    ----
    
    The 4.20.12 stable kernel update contains a number of important fixes
    across the tree.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-196ab64d65"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kernel and / or kernel-headers packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9162");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    include("ksplice.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    if (get_one_kb_item("Host/ksplice/kernel-cves"))
    {
      rm_kb_item(name:"Host/uptrack-uname-r");
      cve_list = make_list("CVE-2019-8980", "CVE-2019-9162", "CVE-2019-9213");
      if (ksplice_cves_check(cve_list))
      {
        audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for FEDORA-2019-196ab64d65");
      }
      else
      {
        __rpm_report = ksplice_reporting_text();
      }
    }
    
    flag = 0;
    if (rpm_check(release:"FC28", reference:"kernel-4.20.14-100.fc28")) flag++;
    if (rpm_check(release:"FC28", reference:"kernel-headers-4.20.14-100.fc28")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-headers");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1532.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the way the Linux kernel
    last seen2020-03-19
    modified2019-05-14
    plugin id124985
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124985
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124985);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2013-2894",
        "CVE-2013-2930",
        "CVE-2014-4652",
        "CVE-2014-8133",
        "CVE-2014-9644",
        "CVE-2015-6526",
        "CVE-2015-8215",
        "CVE-2016-4470",
        "CVE-2016-4565",
        "CVE-2016-4913",
        "CVE-2016-6198",
        "CVE-2016-7097",
        "CVE-2017-15274",
        "CVE-2017-16995",
        "CVE-2017-17864",
        "CVE-2017-6001",
        "CVE-2018-14610",
        "CVE-2018-7757",
        "CVE-2019-5489",
        "CVE-2019-9162"
      );
      script_bugtraq_id(
        62052,
        64318,
        68170,
        71684,
        72320
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - A flaw was found in the way the Linux kernel's perf
        subsystem retrieved userlevel stack traces on PowerPC
        systems. A local, unprivileged user could use this flaw
        to cause a denial of service on the system by creating
        a special stack layout that would force the
        perf_callchain_user_64() function into an infinite
        loop.(CVE-2015-6526i1/4%0
    
      - A vulnerability was found in the Linux kernel. Payloads
        of NM entries are not supposed to contain NUL. When
        such entry is processed, only the part prior to the
        first NUL goes into the concatenation (i.e. the
        directory entry name being encoded by a bunch of NM
        entries). The process stops when the amount collected
        so far + the claimed amount in the current NM entry
        exceed 254. However, the value returned as the total
        length is the sum of *claimed* sizes, not the actual
        amount collected. And that's what will be passed to
        readdir() callback as the name length - 8Kb
        __copy_to_user() from a buffer allocated by
        __get_free_page().(CVE-2016-4913i1/4%0
    
      - The perf_trace_event_perm function in
        kernel/trace/trace_event_perf.c in the Linux kernel
        before 3.12.2 does not properly restrict access to the
        perf subsystem, which allows local users to enable
        function tracing via a crafted
        application.(CVE-2013-2930i1/4%0
    
      - The mincore() implementation in mm/mincore.c in the
        Linux kernel through 4.19.13 allowed local attackers to
        observe page cache access patterns of other processes
        on the same system, potentially allowing sniffing of
        secret information. (Fixing this affects the output of
        the fincore program.) Limited remote exploitation may
        be possible, as demonstrated by latency differences in
        accessing public files from an Apache HTTP
        Server.(CVE-2019-5489i1/4%0
    
      - It was found that the espfix functionality could be
        bypassed by installing a 16-bit RW data segment into
        GDT instead of LDT (which espfix checks), and using
        that segment on the stack. A local, unprivileged user
        could potentially use this flaw to leak kernel stack
        addresses.(CVE-2014-8133i1/4%0
    
      - An issue was discovered in the btrfs filesystem code in
        the Linux kernel. An out-of-bounds access is possible
        in write_extent_buffer() when mounting and operating a
        crafted btrfs image due to a lack of verification at
        mount time within the btrfs_read_block_groups() in
        fs/btrfs/extent-tree.c function. This could lead to a
        system crash and a denial of service.(CVE-2018-14610i1/4%0
    
      - kernel/bpf/verifier.c in the Linux kernel through
        4.14.8 mishandles states_equal comparisons between the
        pointer data type and the UNKNOWN_VALUE data type,
        which allows local users to obtain potentially
        sensitive address information, aka a 'pointer
        leak.'(CVE-2017-17864i1/4%0
    
      - drivers/hid/hid-lenovo-tpkbd.c in the Human Interface
        Device (HID) subsystem in the Linux kernel through
        3.11, when CONFIG_HID_LENOVO_TPKBD is enabled, allows
        physically proximate attackers to cause a denial of
        service (heap-based out-of-bounds write) via a crafted
        device.(CVE-2013-2894i1/4%0
    
      - Memory leak in the sas_smp_get_phy_events function in
        drivers/scsi/libsas/sas_expander.c in the Linux kernel
        allows local users to cause a denial of service (kernel
        memory exhaustion) via multiple read accesses to files
        in the /sys/class/sas_phy directory.(CVE-2018-7757i1/4%0
    
      - It was found that the original fix for CVE-2016-6786
        was incomplete. There exist a race between two
        concurrent sys_perf_event_open() calls when both try
        and move the same pre-existing software group into a
        hardware context.(CVE-2017-6001i1/4%0
    
      - In the Linux kernel before 4.20.12,
        net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP
        NAT module has insufficient ASN.1 length checks (aka an
        array index error), making out-of-bounds read and write
        operations possible, leading to an OOPS or local
        privilege escalation. This affects snmp_version and
        snmp_helper.(CVE-2019-9162i1/4%0
    
      - An information leak flaw was found in the way the Linux
        kernel's Advanced Linux Sound Architecture (ALSA)
        implementation handled access of the user control's
        state. A local, privileged user could use this flaw to
        leak kernel memory to user space.(CVE-2014-4652i1/4%0
    
      - A flaw was found that the vfs_rename() function did not
        detect hard links on overlayfs. A local, unprivileged
        user could use the rename syscall on overlayfs on top
        of xfs to crash the system.(CVE-2016-6198i1/4%0
    
      - It was found that when file permissions were modified
        via chmod and the user modifying them was not in the
        owning group or capable of CAP_FSETID, the setgid bit
        would be cleared. Setting a POSIX ACL via setxattr sets
        the file permissions as well as the new ACL, but
        doesn't clear the setgid bit in a similar way. This
        could allow a local user to gain group privileges via
        certain setgid applications.(CVE-2016-7097i1/4%0
    
      - A flaw was found in the way the Linux kernel's Crypto
        subsystem handled automatic loading of kernel modules.
        A local user could use this flaw to load any installed
        kernel module, and thus increase the attack surface of
        the running kernel.(CVE-2014-9644i1/4%0
    
      - An arbitrary memory r/w access issue was found in the
        Linux kernel compiled with the eBPF bpf(2) system call
        (CONFIG_BPF_SYSCALL) support. The issue could occur due
        to calculation errors in the eBPF verifier module,
        triggered by user supplied malicious BPF program. An
        unprivileged user could use this flaw to escalate their
        privileges on a system. Setting parameter
        'kernel.unprivileged_bpf_disabled=1' prevents such
        privilege escalation by restricting access to bpf(2)
        call.(CVE-2017-16995i1/4%0
    
      - A flaw was found in the implementation of associative
        arrays where the add_key systemcall and KEYCTL_UPDATE
        operations allowed for a NULL payload with a nonzero
        length. When accessing the payload within this length
        parameters value, an unprivileged user could trivially
        cause a NULL pointer dereference (kernel
        oops).(CVE-2017-15274i1/4%0
    
      - A flaw was found in the Linux kernel's keyring handling
        code: the key_reject_and_link() function could be
        forced to free an arbitrary memory block. An attacker
        could use this flaw to trigger a use-after-free
        condition on the system, potentially allowing for
        privilege escalation.(CVE-2016-4470i1/4%0
    
      - A flaw was found in the way certain interfaces of the
        Linux kernel's Infiniband subsystem used write() as
        bi-directional ioctl() replacement, which could lead to
        insufficient memory security checks when being invoked
        using the splice() system call. A local unprivileged
        user on a system with either Infiniband hardware
        present or RDMA Userspace Connection Manager Access
        module explicitly loaded, could use this flaw to
        escalate their privileges on the
        system.(CVE-2016-4565i1/4%0
    
      - It was found that the Linux kernel's IPv6 network stack
        did not properly validate the value of the MTU variable
        when it was set. A remote attacker could potentially
        use this flaw to disrupt a target system's networking
        (packet loss) by setting an invalid MTU value, for
        example, via a NetworkManager daemon that is processing
        router advertisement packets running on the target
        system.(CVE-2015-8215i1/4%0
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1532
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bf9dd973");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux BPF Sign Extension Local Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.28-1.2.117",
            "kernel-devel-4.19.28-1.2.117",
            "kernel-headers-4.19.28-1.2.117",
            "kernel-tools-4.19.28-1.2.117",
            "kernel-tools-libs-4.19.28-1.2.117",
            "kernel-tools-libs-devel-4.19.28-1.2.117",
            "perf-4.19.28-1.2.117",
            "python-perf-4.19.28-1.2.117"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }