Vulnerabilities > CVE-2019-9506 - Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products

The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing.

Vulnerable Configurations

Part	Description	Count
OS	Google Google Android -	1
OS	Apple Apple MAC OS X 10.12.6 Apple MAC OS X 10.14.5 Apple MAC OS X 10.13.6 Apple Watchos 5.3 Apple Iphone OS 12.4 Apple Tvos 12.4	6
OS	Canonical Canonical Ubuntu Linux 16.04 Canonical Ubuntu Linux 18.04 Canonical Ubuntu Linux 19.04	3
OS	Debian Debian Debian Linux 8.0	1
OS	Opensuse Opensuse Leap 15.0 Opensuse Leap 15.1	2
OS	Redhat Redhat Enterprise Linux 8.0 Redhat Enterprise Linux AUS 7.5 Redhat Enterprise Linux EUS 7.6 Redhat Enterprise Linux EUS 7.7 Redhat Enterprise Linux EUS 8.1 Redhat Enterprise Linux EUS 8.2 Redhat Enterprise Linux EUS 8.4 Redhat Enterprise Linux FOR Real Time 7 Redhat Enterprise Linux FOR Real Time 8 Redhat Enterprise Linux FOR Real Time EUS 8.2 Redhat Enterprise Linux FOR Real Time EUS 8.4 Redhat Enterprise Linux FOR Real Time FOR NFV 7 Redhat Enterprise Linux FOR Real Time FOR NFV 8 Redhat Enterprise Linux FOR Real Time FOR NFV EUS 8.2 Redhat Enterprise Linux FOR Real Time FOR NFV EUS 8.4 Redhat Enterprise Linux Server 7.0 Redhat Enterprise Linux Server AUS 7.3 Redhat Enterprise Linux Server AUS 7.4 Redhat Enterprise Linux Server AUS 7.6 Redhat Enterprise Linux Server AUS 7.7 Redhat Enterprise Linux Server AUS 8.2 Redhat Enterprise Linux Server AUS 8.4 Redhat Enterprise Linux Server TUS 7.3 Redhat Enterprise Linux Server TUS 7.4 Redhat Enterprise Linux Server TUS 7.6 Redhat Enterprise Linux Server TUS 7.7 Redhat Enterprise Linux Server TUS 8.2 Redhat Enterprise Linux Server TUS 8.4 Redhat Enterprise Linux TUS 7.6	29
OS	Huawei Huawei ALP Al00B Firmware - Huawei ALP Al00B Firmware 8.0.0.1.18D\(C00\) Huawei ALP Al00B Firmware 8.0.0.106\(C00\) Huawei ALP Al00B Firmware 8.0.0.113\(Sp2C00\) Huawei ALP Al00B Firmware 8.0.0.113\(Sp3C00\) Huawei ALP Al00B Firmware 8.0.0.113\(Sp7C00\) Huawei ALP Al00B Firmware 8.0.0.118\(C00\) Huawei ALP Al00B Firmware 8.0.0.120\(Sp2C00\) Huawei ALP Al00B Firmware 8.0.0.125\(Sp1C00\) Huawei ALP Al00B Firmware 8.0.0.125\(Sp3C00\) Huawei ALP Al00B Firmware 8.0.0.126\(Sp2C00\) Huawei ALP Al00B Firmware 8.0.0.126\(Sp5C00\) Huawei ALP Al00B Firmware 8.0.0.127\(Sp1C00\) Huawei ALP Al00B Firmware 8.0.0.128\(Sp2C00\) Huawei ALP Al00B Firmware 8.0.0.129 Huawei ALP Al00B Firmware 8.0.0.129\(Sp2C00\) Huawei ALP Al00B Firmware 8.0.0.153\(C00\) Huawei ALP Al00B Firmware 8.1.0.336\(C00\) Huawei ALP Al00B Firmware 9.0.0.181\(C00E87R2P20T8\) Huawei Ares Al00B Firmware * Huawei Ares Al10D Firmware * Huawei Ares Tl00C Firmware * Huawei Asoka Al00Ax Firmware * Huawei Atomu L33 Firmware * Huawei Atomu L41 Firmware * Huawei Atomu L42 Firmware * Huawei BLA Al00B Firmware - Huawei BLA Al00B Firmware 8.0.0.1.18D\(C00\) Huawei BLA Al00B Firmware 8.0.0.129 Huawei BLA Al00B Firmware 8.0.0.129\(Sp2C00\) Huawei BLA Al00B Firmware 8.0.0.129\(Sp2C786\) Huawei BLA Al00B Firmware 8.0.0.153\(C00\) Huawei BLA Al00B Firmware 8.1.0.336\(C00\) Huawei BLA Al00B Firmware 9.0.0.181\(C00E88R2P15T8\) Huawei BLA L29C Firmware 8.0.0.127\(C432\) Huawei BLA L29C Firmware 8.0.0.137\(C432\) Huawei BLA L29C Firmware 9.0.0.179\(C576E2R1P7T8\) Huawei BLA L29C Firmware 9.0.0.194\(C185E2R1P13\) Huawei BLA L29C Firmware 9.0.0.206\(C432E4R1P11\) Huawei BLA L29C Firmware 9.0.0.210\(C635E4R1P13\) Huawei BLA L29C Firmware 9.1.0.302\(C635E4R1P13T8\) Huawei BLA Tl00B Firmware 8.0.0.113\(Sp7C01\) Huawei BLA Tl00B Firmware 8.0.0.118\(C01\) Huawei BLA Tl00B Firmware 8.0.0.120\(Sp2C01\) Huawei BLA Tl00B Firmware 8.0.0.125\(Sp1C01\) Huawei BLA Tl00B Firmware 8.0.0.125\(Sp2C01\) Huawei BLA Tl00B Firmware 8.0.0.125\(Sp3C01\) Huawei BLA Tl00B Firmware 8.0.0.126\(Sp2C01\) Huawei BLA Tl00B Firmware 8.0.0.126\(Sp5C01\) Huawei BLA Tl00B Firmware 8.0.0.127\(Sp1C01\) Huawei BLA Tl00B Firmware 8.0.0.128\(Sp2C01\) Huawei BLA Tl00B Firmware 8.0.0.129\(Sp2C01\) Huawei BLA Tl00B Firmware 8.1.0.326\(C01\) Huawei Barca Al00 Firmware * Huawei Berkeley Al20 Firmware 8.0.0.105\(C00\) Huawei Berkeley Al20 Firmware 8.0.0.111\(C00\) Huawei Berkeley Al20 Firmware 8.0.0.112D\(C00\) Huawei Berkeley Al20 Firmware 8.0.0.116\(C00\) Huawei Berkeley Al20 Firmware 8.0.0.119\(C00\) Huawei Berkeley Al20 Firmware 8.0.0.119D\(C00\) Huawei Berkeley Al20 Firmware 8.0.0.122\(C00\) Huawei Berkeley Al20 Firmware 8.0.0.132\(C00\) Huawei Berkeley Al20 Firmware 8.0.0.132D\(C00\) Huawei Berkeley Al20 Firmware 8.0.0.142\(C00\) Huawei Berkeley Al20 Firmware 8.0.0.151\(C00\) Huawei Berkeley Al20 Firmware 9.0.0.156\(C00E156R2P14T8\) Huawei Berkeley L09 Firmware 8.0.0.163\(C10\) Huawei Berkeley L09 Firmware 8.0.0.163\(C432\) Huawei Berkeley L09 Firmware 8.0.0.163\(C636\) Huawei Berkeley L09 Firmware 8.0.0.172\(C10\) Huawei Berkeley L09 Firmware 8.0.0.172\(C432\) Huawei Berkeley L09 Firmware 8.0.0.173\(C636\) Huawei Berkeley L09 Firmware 9.1.0.350\(C10E3R1P14T8\) Huawei Berkeley Tl10 Firmware * Huawei Cairogo L22 Firmware * Huawei Charlotte L29C Firmware * Huawei Charlotte L29C Firmware 9.1.0.325\(C185E4R1P11T8\) Huawei Columbia Al10B Firmware 8.1.0.163\(C00\) Huawei Columbia Al10I Firmware 8.1.0.150\(C675Custc675D2\) Huawei Columbia L29D Firmware 8.1.0.146\(C461\) Huawei Columbia L29D Firmware 8.1.0.148\(C185\) Huawei Columbia L29D Firmware 8.1.0.151\(C10\) Huawei Columbia L29D Firmware 8.1.0.151\(C432\) Huawei Columbia L29D Firmware 9.1.0.350\(C10E5R1P14T8\) Huawei Columbia L29D Firmware 9.1.0.350\(C185E3R1P12T8\) Huawei Columbia L29D Firmware 9.1.0.350\(C461E3R1P11T8\) Huawei Columbia Tl00D Firmware * Huawei Cornell Al00A Firmware * Huawei Cornell Al00I Firmware * Huawei Cornell Al00Ind Firmware * Huawei Cornell Al10Ind Firmware * Huawei Cornell L29A Firmware 9.1.0.328\(C185E1R1P9T8\) Huawei Cornell L29A Firmware 9.1.0.328\(C432E1R1P9T8\) Huawei Cornell L29A Firmware 9.1.0.328\(C636E2R1P12T8\) Huawei Cornell L29A Firmware 9.1.0.330\(C461E1R1P9T8\) Huawei Cornell Tl10B Firmware * Huawei Dubai Al00A Firmware * Huawei Dura Al00A Firmware * Huawei Dura Tl00A Firmware * Huawei Emily L29C Firmware 8.1.0.156\(C605\) Huawei Emily L29C Firmware - Huawei Emily L29C Firmware 8.1.0.132A\(C432\) Huawei Emily L29C Firmware 8.1.0.135\(C782\) Huawei Emily L29C Firmware 8.1.0.154\(C10\) Huawei Emily L29C Firmware 8.1.0.154\(C461\) Huawei Emily L29C Firmware 8.1.0.154\(C635\) Huawei Emily L29C Firmware 8.1.0.156\(C185\) Huawei Emily L29C Firmware 8.1.0.159\(C636\) Huawei Emily L29C Firmware 9.0.0.159 Huawei Emily L29C Firmware 9.0.0.159\(C185E2R1P12T8\) Huawei Emily L29C Firmware 9.0.0.159\(C461E2R1P11T8\) Huawei Emily L29C Firmware 9.0.0.160\(C432E7R1P11T8\) Huawei Emily L29C Firmware 9.0.0.165\(C605E2R1P12\) Huawei Emily L29C Firmware 9.0.0.168\(C636E7R1P13T8\) Huawei Emily L29C Firmware 9.0.0.168\(C782E3R1P11T8\) Huawei Emily L29C Firmware 9.0.0.196\(C635E2R1P11T8\) Huawei Emily L29C Firmware 9.1.0.311\(C10E2R1P13T8\) Huawei Emily L29C Firmware 9.1.0.311\(C185E2R1P12T8\) Huawei Emily L29C Firmware 9.1.0.311\(C432E7R1P11T8\) Huawei Emily L29C Firmware 9.1.0.311\(C461E2R1P11T8\) Huawei Emily L29C Firmware 9.1.0.311\(C605E2R1P12T8\) Huawei Emily L29C Firmware 9.1.0.311\(C636E7R1P13T8\) Huawei Emily L29C Firmware 9.1.0.311\(C782E10R1P11T8\) Huawei Emily L29C Firmware 9.1.0.316\(C635E2R1P11T8\) Huawei Ever L29B Firmware 9.0.0.206\(C185E3R3P1\) Huawei Ever L29B Firmware 9.0.0.207\(C636E3R2P1\) Huawei Ever L29B Firmware 9.0.0.208\(C432E3R1P12\) Huawei Ever L29B Firmware 9.1.0.310\(C432E3R1P12\) Huawei Ever L29B Firmware 9.1.0.310\(C636E3R2P1\) Huawei Ever L29B Firmware 9.1.0.311\(C185E3R3P1\) Huawei Figo L23 Firmware 9.1.0.130\(C605E6R1P5T8\) Huawei Figo L31 Firmware 8.0.0.122D\(C652\) Huawei Figo L31 Firmware 9.1.0.130\(C432E8R1P5T8\) Huawei Figo Tl10B Firmware * Huawei Florida Al20B Firmware * Huawei Florida L21 Firmware 8.0.0.129\(C605\) Huawei Florida L21 Firmware 8.0.0.131\(C432\) Huawei Florida L21 Firmware 8.0.0.132\(C185\) Huawei Florida L22 Firmware 8.0.0.132\(C636\) Huawei Florida L23 Firmware 8.0.0.144\(C605\) Huawei Florida Tl10B Firmware * Huawei Honor 20 Firmware * Huawei Honor 20 PRO Firmware * Huawei Mate 20 Firmware - Huawei Mate 20 PRO Firmware - Huawei Mate 20 X Firmware - Huawei P Smart Firmware - Huawei P Smart 2019 Firmware - Huawei P20 Firmware - Huawei P20 PRO Firmware - Huawei P30 Firmware - Huawei P30 PRO Firmware - Huawei Y5 2018 Firmware - Huawei Y5 Lite Firmware - Huawei Y6 2019 Firmware - Huawei Y6 Prime 2018 Firmware - Huawei Y6 PRO 2019 Firmware - Huawei Y7 2019 Firmware - Huawei Y9 2019 Firmware - Huawei Nova 3 Firmware - Huawei Nova 4 Firmware - Huawei Nova 5 Firmware - Huawei Nova 5I PRO Firmware - Huawei Nova Lite 3 Firmware - Huawei Harry Al00C Firmware - Huawei Harry Al10B Firmware - Huawei Harry Tl00C Firmware - Huawei Hima L29C Firmware - Huawei Honor 10 Lite Firmware - Huawei Honor 8A Firmware - Huawei Honor 8X Firmware - Huawei Honor View 10 Firmware - Huawei Honor View 20 Firmware - Huawei Jakarta Al00A Firmware - Huawei Johnson Tl00D Firmware - Huawei Johnson Tl00F Firmware - Huawei Katyusha Al00A Firmware - Huawei Laya Al00Ep Firmware - Huawei Leland L21A Firmware - Huawei Leland L31A Firmware - Huawei Leland L32A Firmware - Huawei Leland L32C Firmware - Huawei Leland L42A Firmware - Huawei Leland L42C Firmware - Huawei Leland Tl10B Firmware - Huawei Leland Tl10C Firmware - Huawei Lelandp Al00C Firmware - Huawei Lelandp Al10B Firmware - Huawei Lelandp Al10D Firmware - Huawei Lelandp L22A Firmware - Huawei Lelandp L22C Firmware - Huawei Lelandp L22D Firmware - Huawei London Al40Ind Firmware - Huawei Madrid Al00A Firmware - Huawei Madrid Tl00A Firmware - Huawei NEO Al00D Firmware - Huawei Paris Al00Ic Firmware - Huawei Paris L21B Firmware - Huawei Paris L21Meb Firmware - Huawei Paris L29B Firmware - Huawei Potter Al00C Firmware - Huawei Potter Al10A Firmware - Huawei Princeton Al10B Firmware - Huawei Princeton Al10D Firmware - Huawei Princeton Tl10C Firmware - Huawei Sydney Al00 Firmware - Huawei Sydney L21 Firmware - Huawei Sydney L21Br Firmware - Huawei Sydney L22 Firmware - Huawei Sydney L22Br Firmware - Huawei Sydney Tl00 Firmware - Huawei Sydneym Al00 Firmware - Huawei Sydneym L01 Firmware - Huawei Sydneym L03 Firmware - Huawei Sydneym L21 Firmware - Huawei Sydneym L22 Firmware - Huawei Sydneym L23 Firmware - Huawei Tony Al00B Firmware - Huawei Tony Tl00B Firmware - Huawei Yale Al00A Firmware - Huawei Yale Al50A Firmware - Huawei Yale L21A Firmware - Huawei Yale L61C Firmware - Huawei Yale Tl00B Firmware - Huawei Yalep Al10B Firmware - Huawei Imanager Neteco Firmware - Huawei Imanager Neteco 6000 Firmware -	227
Hardware	Blackberry Blackberry Blackberry -	1
Hardware	Huawei Huawei ALP Al00B - Huawei Ares Al00B - Huawei Ares Al10D - Huawei Ares Tl00C - Huawei Asoka Al00Ax - Huawei Atomu L33 - Huawei Atomu L41 - Huawei Atomu L42 - Huawei BLA Al00B - Huawei BLA L29C - Huawei BLA Tl00B - Huawei Barca Al00 - Huawei Berkeley Al20 - Huawei Berkeley L09 - Huawei Berkeley Tl10 - Huawei Cairogo L22 - Huawei Charlotte L29C - Huawei Columbia Al10B - Huawei Columbia Al10I - Huawei Columbia L29D - Huawei Columbia Tl00D - Huawei Cornell Al00A - Huawei Cornell Al00I - Huawei Cornell Al00Ind - Huawei Cornell Al10Ind - Huawei Cornell L29A - Huawei Cornell Tl10B - Huawei Dubai Al00A - Huawei Dura Al00A - Huawei Dura Tl00A - Huawei Emily L29C - Huawei Ever L29B - Huawei Figo L23 - Huawei Figo L31 - Huawei Figo Tl10B - Huawei Florida Al20B - Huawei Florida L21 - Huawei Florida L22 - Huawei Florida L23 - Huawei Florida Tl10B - Huawei Honor 20 - Huawei Honor 20 PRO - Huawei Mate 20 - Huawei Mate 20 PRO - Huawei Mate 20 X - Huawei P Smart - Huawei P Smart 2019 - Huawei P20 - Huawei P20 PRO - Huawei P30 - Huawei P30 PRO - Huawei Y5 2018 - Huawei Y5 Lite - Huawei Y6 2019 - Huawei Y6 Prime 2018 - Huawei Y6 PRO 2019 - Huawei Y7 2019 - Huawei Y9 2019 - Huawei Nova 3 - Huawei Nova 4 - Huawei Nova 5 - Huawei Nova 5I PRO - Huawei Nova Lite 3 - Huawei Harry Al00C - Huawei Harry Al10B - Huawei Harry Tl00C - Huawei Hima L29C - Huawei Honor 10 Lite - Huawei Honor 8A - Huawei Honor 8X - Huawei Honor View 10 - Huawei Honor View 20 - Huawei Jakarta Al00A - Huawei Johnson Tl00D - Huawei Johnson Tl00F - Huawei Katyusha Al00A - Huawei Laya Al00Ep - Huawei Leland L21A - Huawei Leland L31A - Huawei Leland L32A - Huawei Leland L32C - Huawei Leland L42A - Huawei Leland L42C - Huawei Leland Tl10B - Huawei Leland Tl10C - Huawei Lelandp Al00C - Huawei Lelandp Al10B - Huawei Lelandp Al10D - Huawei Lelandp L22A - Huawei Lelandp L22C - Huawei Lelandp L22D - Huawei London Al40Ind - Huawei Madrid Al00A - Huawei Madrid Tl00A - Huawei NEO Al00D - Huawei Paris Al00Ic - Huawei Paris L21B - Huawei Paris L21Meb - Huawei Paris L29B - Huawei Potter Al00C - Huawei Potter Al10A - Huawei Princeton Al10B - Huawei Princeton Al10D - Huawei Princeton Tl10C - Huawei Sydney Al00 - Huawei Sydney L21 - Huawei Sydney L21Br - Huawei Sydney L22 - Huawei Sydney L22Br - Huawei Sydney Tl00 - Huawei Sydneym Al00 - Huawei Sydneym L01 - Huawei Sydneym L03 - Huawei Sydneym L21 - Huawei Sydneym L22 - Huawei Sydneym L23 - Huawei Tony Al00B - Huawei Tony Tl00B - Huawei Yale Al00A - Huawei Yale Al50A - Huawei Yale L21A - Huawei Yale L61C - Huawei Yale Tl00B - Huawei Yalep Al10B - Huawei Imanager Neteco - Huawei Imanager Neteco 6000 -	126
Application	Redhat Redhat MRG Realtime 2.0 Redhat Virtualization Host EUS 4.2	2

Common Weakness Enumeration (CWE)

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Common Attack Pattern Enumeration and Classification (CAPEC)

Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.
Creating a Rogue Certificate Authority Certificate
An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
Signature Spoof
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
Cryptanalysis
Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: 1. Total Break - Finding the secret key 2. Global Deduction - Finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key. 3. Information Deduction - Gaining some information about plaintexts or ciphertexts that was not previously known 4. Distinguishing Algorithm - The attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits The goal of the attacker performing cryptanalysis will depend on the specific needs of the attacker in a given attack context. In most cases, if cryptanalysis is successful at all, an attacker will not be able to go past being able to deduce some information about the plaintext (goal 3). However, that may be sufficient for an attacker, depending on the context.

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS19_AUG_4512488.NASL
description	The remote Windows host is missing security update 4512489 or cumulative update 4512488. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1162) - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. (CVE-2019-1192) - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153) - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157) - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes. (CVE-2019-9506) - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1180) - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168) - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078) - A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could cause the DHCP service to become nonresponsive. (CVE-2019-1206) - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1178) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1159, CVE-2019-1164) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1181, CVE-2019-1182) - A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. (CVE-2019-0736) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1133, CVE-2019-1194) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1183) - An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1177) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1193) - An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session. An attacker who successfully exploited the vulnerability could take over a user
last seen	2020-04-30
modified	2019-08-13
plugin id	127843
published	2019-08-13
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127843
title	KB4512489: Windows 8.1 and Windows Server 2012 R2 August 2019 Security Update
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the Microsoft Security Updates API. The text # itself is copyright (C) Microsoft Corporation. # include('compat.inc'); if (description) { script_id(127843); script_version("1.8"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/29"); script_cve_id( "CVE-2019-0714", "CVE-2019-0715", "CVE-2019-0716", "CVE-2019-0718", "CVE-2019-0720", "CVE-2019-0723", "CVE-2019-0736", "CVE-2019-1057", "CVE-2019-1078", "CVE-2019-1133", "CVE-2019-1143", "CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1146", "CVE-2019-1147", "CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152", "CVE-2019-1153", "CVE-2019-1155", "CVE-2019-1156", "CVE-2019-1157", "CVE-2019-1158", "CVE-2019-1159", "CVE-2019-1162", "CVE-2019-1164", "CVE-2019-1168", "CVE-2019-1172", "CVE-2019-1177", "CVE-2019-1178", "CVE-2019-1180", "CVE-2019-1181", "CVE-2019-1182", "CVE-2019-1183", "CVE-2019-1187", "CVE-2019-1192", "CVE-2019-1193", "CVE-2019-1194", "CVE-2019-1206", "CVE-2019-1212", "CVE-2019-9506" ); script_xref(name:"MSKB", value:"4512489"); script_xref(name:"MSKB", value:"4512488"); script_xref(name:"MSFT", value:"MS19-4512489"); script_xref(name:"MSFT", value:"MS19-4512488"); script_name(english:"KB4512489: Windows 8.1 and Windows Server 2012 R2 August 2019 Security Update"); script_summary(english:"Checks for rollup."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Windows host is missing security update 4512489 or cumulative update 4512488. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1162) - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. (CVE-2019-1192) - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153) - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157) - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes. (CVE-2019-9506) - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1180) - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168) - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078) - A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could cause the DHCP service to become nonresponsive. (CVE-2019-1206) - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1178) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1159, CVE-2019-1164) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1181, CVE-2019-1182) - A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. (CVE-2019-0736) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1133, CVE-2019-1194) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1183) - An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1177) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1193) - An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session. An attacker who successfully exploited the vulnerability could take over a user's account. (CVE-2019-1172) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0718, CVE-2019-0723) - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-0716) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage. The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1143, CVE-2019-1158) - A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0720) - A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could cause the DHCP server service to stop responding. (CVE-2019-1212) - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1057)"); # https://support.microsoft.com/en-us/help/4512489/windows-8-1-update-kb4512489 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7c858a23"); # https://support.microsoft.com/en-us/help/4512488/windows-8-1-update-kb4512488 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1fc7ed0c"); script_set_attribute(attribute:"solution", value: "Apply Security Only update KB4512489 or Cumulative Update KB4512488."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1182"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/13"); script_set_attribute(attribute:"patch_publication_date", value:"2019/08/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = "MS19-08"; kbs = make_list('4512488', '4512489'); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); # Windows 8 EOL productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1); if ("Windows 8" >< productname && "8.1" >!< productname) audit(AUDIT_OS_SP_NOT_VULN); share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( smb_check_rollup(os:"6.3", sp:0, rollup_date:"08_2019", bulletin:bulletin, rollup_kb_list:[4512488, 4512489]) ) { replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, hotfix_get_audit_report()); }

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2019-3055.NASL
description	From Red Hat Security Advisory 2019:3055 : An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c (CVE-2018-20856) * kernel: Heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c (CVE-2019-3846) * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net /wireless/marvell/mwifiex/ie.c (CVE-2019-10126) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fixes : * gfs2: Fix iomap write page reclaim deadlock (BZ#1737373) * [FJ7.6 Bug]: [REG] kernel: ipc: ipc_free should use kvfree (BZ#1740178) * high update_cfs_rq_blocked_load contention (BZ#1740180) * [Hyper-V][RHEL 7] kdump fails to start on a Hyper-V guest of Windows Server 2019. (BZ#1740188) * kvm: backport cpuidle-haltpoll driver (BZ#1740192) * Growing unreclaimable slab memory (BZ#1741920) * [bnx2x] ping failed from pf to vf which has been attached to vm (BZ# 1741926) * [Hyper-V]vPCI devices cannot allocate IRQs vectors in a Hyper-V VM with > 240 vCPUs (i.e., when in x2APIC mode) (BZ#1743324) * Macsec: inbound MACSEC frame is unexpectedly dropped with InPktsNotValid (BZ#1744442) * RHEL 7.7 Beta - Hit error when trying to run nvme connect with IPv6 address (BZ#1744443) * RHEL 7.6 SS4 - Paths lost when running straight I/O on NVMe/RoCE system (BZ #1744444) * NFSv4.0 client sending a double CLOSE (leading to EIO application failure) (BZ#1744946) * [Azure] CRI-RDOS \| [RHEL 7.8] Live migration only takes 10 seconds, but the VM was unavailable for 2 hours (BZ#1748239) * NFS client autodisconnect timer may fire immediately after TCP connection setup and may cause DoS type reconnect problem in complex network environments (BZ#1749290) * [Inspur] RHEL7.6 ASPEED graphic card display issue (BZ#1749296) * Allows macvlan to operated correctly over the active-backup mode to support bonding events. (BZ#1751579) * [LLNL 7.5 Bug] slab leak causing a crash when using kmem control group (BZ# 1752421) Users of kernel are advised to upgrade to these updated packages, which fix these bugs.
last seen	2020-06-01
modified	2020-06-02
plugin id	130039
published	2019-10-18
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130039
title	Oracle Linux 7 : kernel (ELSA-2019-3055)

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS19_AUG_4512501.NASL
description	The remote Windows host is missing security update 4512501. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1162) - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. (CVE-2019-1192) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1133, CVE-2019-1194) - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187) - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1176) - An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system. (CVE-2019-1224, CVE-2019-1225) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157) - A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518) - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes. (CVE-2019-9506) - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1223) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1227) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2019-1188) - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168) - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0965) - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078) - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1180, CVE-2019-1186) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1131, CVE-2019-1139, CVE-2019-1140, CVE-2019-1195, CVE-2019-1196, CVE-2019-1197) - An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1175) - An information disclosure vulnerability exists in SymCrypt during the OAEP decryption stage. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1171) - An elevation of privilege exists in SyncController.dll. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1198) - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1178) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152) - A security feature bypass exists when Windows incorrectly validates CAB file signatures. An attacker who successfully exploited this vulnerability could inject code into a CAB file without invalidating the file
last seen	2020-04-01
modified	2019-08-13
plugin id	127845
published	2019-08-13
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127845
title	KB4512501: Windows 10 Version 1803 August 2019 Security Update

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-4147-1.NASL
description	It was discovered that the Intel Wi-Fi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (Wi-Fi disconnect). (CVE-2019-0136) It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207) It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13631) It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090) Hui Peng and Mathias Payer discovered that the USB audio driver for the Linux kernel did not properly validate device meta data. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15117) Hui Peng and Mathias Payer discovered that the USB audio driver for the Linux kernel improperly performed recursion while handling device meta data. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15118) It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2019-15211) It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212) It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15220) Benjamin Moody discovered that the XFS file system in the Linux kernel did not properly handle an error condition when out of disk quota. A local attacker could possibly use this to cause a denial of service. (CVE-2019-15538) It was discovered that the Hisilicon HNS3 ethernet device driver in the Linux kernel contained an out of bounds access vulnerability. A local attacker could use this to possibly cause a denial of service (system crash). (CVE-2019-15925) It was discovered that the Atheros mobile chipset driver in the Linux kernel did not properly validate data in some situations. An attacker could use this to cause a denial of service (system crash). (CVE-2019-15926) Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physically proximate attacker could use this to expose sensitive information. (CVE-2019-9506) It was discovered that ZR364XX Camera USB device driver for the Linux kernel did not properly initialize memory. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15217) It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218) It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221) It was discovered that the Line 6 USB driver for the Linux kernel contained a race condition when the device was disconnected. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15223). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	129677
published	2019-10-07
reporter	Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129677
title	Ubuntu 18.04 LTS / 19.04 : linux, linux-aws, linux-azure, linux-gcp, linux-gke-5.0, linux-hwe, (USN-4147-1)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-4118-1.NASL
description	It was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093) Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13096, CVE-2018-13097, CVE-2018-13098, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14615, CVE-2018-14616) Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14609, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613) Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617) Vasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. (CVE-2018-16862) Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985) Hui Peng and Mathias Payer discovered that the USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169) Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-20856) Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383) It was discovered that the Intel wifi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (wifi disconnect). (CVE-2019-0136) It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126) It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207) Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638) Amit Klein and Benny Pinkas discovered that the location of kernel addresses could exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel. (CVE-2019-10639) Adam Zabrocki discovered that the Intel i915 kernel mode graphics driver in the Linux kernel did not properly restrict mmap() ranges in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11085) It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487) Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2019-11599) It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-11810) It was discovered that a race condition leading to a use-after-free existed in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11815) It was discovered that the ext4 file system implementation in the Linux kernel did not properly zero out memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11833) It was discovered that the Bluetooth Human Interface Device Protocol (HIDP) implementation in the Linux kernel did not properly verify strings were NULL terminated in certain situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11884) It was discovered that a NULL pointer dereference vulnerabilty existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818) It was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819) It was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984) Jann Horn discovered a use-after-free vulnerability in the Linux kernel when accessing LDT entries in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13233) Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272) It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13631) It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14283) It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284) Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-14763) It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090) It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2019-15211) It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212) It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) pro possibly execute arbitrary code. (CVE-2019-15214) It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15220) It was discovered that a use-after-free vulnerability existed in the Appletalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-15292) It was discovered that the Empia EM28xx DVB USB device driver implementation in the Linux kernel contained a use-after-free vulnerability when disconnecting the device. An attacker could use this to cause a denial of service (system crash). (CVE-2019-2024) It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101) It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846) Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system. (CVE-2019-3900) Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physicall proximate attacker could use this to expose sensitive information. (CVE-2019-9506) It was discovered that the Appletalk IP encapsulation driver in the Linux kernel did not properly prevent kernel addresses from being copied to user space. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information. (CVE-2018-20511) It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15216) It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218) It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel
last seen	2020-06-01
modified	2020-06-02
plugin id	128478
published	2019-09-03
reporter	Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/128478
title	Ubuntu 16.04 LTS / 18.04 LTS : linux-aws vulnerabilities (USN-4118-1)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20191016_KERNEL_ON_SL7_X.NASL
description	Security Fix(es) : - kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c (CVE-2018-20856) - kernel: Heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c (CVE-2019-3846) - hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) - kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c (CVE-2019-10126) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fixes : - gfs2: Fix iomap write page reclaim deadlock (BZ#1737373) - [FJ7.6 Bug]: [REG] kernel: ipc: ipc_free should use kvfree (BZ#1740178) - high update_cfs_rq_blocked_load contention (BZ#1740180) - [Hyper-V][RHEL 7] kdump fails to start on a Hyper-V guest of Windows Server 2019. (BZ#1740188) - kvm: backport cpuidle-haltpoll driver (BZ#1740192) - Growing unreclaimable slab memory (BZ#1741920) - [bnx2x] ping failed from pf to vf which has been attached to vm (BZ#1741926) - [Hyper-V]vPCI devices cannot allocate IRQs vectors in a Hyper-V VM with > 240 vCPUs (i.e., when in x2APIC mode) (BZ#1743324) - Macsec: inbound MACSEC frame is unexpectedly dropped with InPktsNotValid (BZ#1744442) - RHEL 7.7 Beta - Hit error when trying to run nvme connect with IPv6 address (BZ#1744443) - RHEL 7.6 SS4 - Paths lost when running straight I/O on NVMe/RoCE system (BZ#1744444) - NFSv4.0 client sending a double CLOSE (leading to EIO application failure) (BZ#1744946) - [Azure] CRI-RDOS \| [RHEL 7.8] Live migration only takes 10 seconds, but the VM was unavailable for 2 hours (BZ#1748239) - NFS client autodisconnect timer may fire immediately after TCP connection setup and may cause DoS type reconnect problem in complex network environments (BZ#1749290) - [Inspur] RHEL7.6 ASPEED graphic card display issue (BZ#1749296) - Allows macvlan to operated correctly over the active-backup mode to support bonding events. (BZ#1751579) - [LLNL 7.5 Bug] slab leak causing a crash when using kmem control group (BZ#1752421) Users of kernel are advised to upgrade to these updated packages, which fix these bugs.
last seen	2020-03-18
modified	2019-10-21
plugin id	130078
published	2019-10-21
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130078
title	Scientific Linux Security Update : kernel on SL7.x x86_64 (20191016)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-2950-1.NASL
description	The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel KVM hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described
last seen	2020-06-01
modified	2020-06-02
plugin id	130950
published	2019-11-13
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130950
title	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2950-1) (SACK Panic)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-3055.NASL
description	An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c (CVE-2018-20856) * kernel: Heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c (CVE-2019-3846) * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net /wireless/marvell/mwifiex/ie.c (CVE-2019-10126) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fixes : * gfs2: Fix iomap write page reclaim deadlock (BZ#1737373) * [FJ7.6 Bug]: [REG] kernel: ipc: ipc_free should use kvfree (BZ#1740178) * high update_cfs_rq_blocked_load contention (BZ#1740180) * [Hyper-V][RHEL 7] kdump fails to start on a Hyper-V guest of Windows Server 2019. (BZ#1740188) * kvm: backport cpuidle-haltpoll driver (BZ#1740192) * Growing unreclaimable slab memory (BZ#1741920) * [bnx2x] ping failed from pf to vf which has been attached to vm (BZ# 1741926) * [Hyper-V]vPCI devices cannot allocate IRQs vectors in a Hyper-V VM with > 240 vCPUs (i.e., when in x2APIC mode) (BZ#1743324) * Macsec: inbound MACSEC frame is unexpectedly dropped with InPktsNotValid (BZ#1744442) * RHEL 7.7 Beta - Hit error when trying to run nvme connect with IPv6 address (BZ#1744443) * RHEL 7.6 SS4 - Paths lost when running straight I/O on NVMe/RoCE system (BZ #1744444) * NFSv4.0 client sending a double CLOSE (leading to EIO application failure) (BZ#1744946) * [Azure] CRI-RDOS \| [RHEL 7.8] Live migration only takes 10 seconds, but the VM was unavailable for 2 hours (BZ#1748239) * NFS client autodisconnect timer may fire immediately after TCP connection setup and may cause DoS type reconnect problem in complex network environments (BZ#1749290) * [Inspur] RHEL7.6 ASPEED graphic card display issue (BZ#1749296) * Allows macvlan to operated correctly over the active-backup mode to support bonding events. (BZ#1751579) * [LLNL 7.5 Bug] slab leak causing a crash when using kmem control group (BZ# 1752421) Users of kernel are advised to upgrade to these updated packages, which fix these bugs.
last seen	2020-06-01
modified	2020-06-02
plugin id	129958
published	2019-10-16
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129958
title	RHEL 7 : kernel (RHSA-2019:3055)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-1460.NASL
description	The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1460 advisory. - hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-04-23
modified	2020-04-14
plugin id	135456
published	2020-04-14
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135456
title	RHEL 7 : kernel (RHSA-2020:1460)

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS19_AUG_4512507.NASL
description	The remote Windows host is missing security update 4512507. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1162) - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. (CVE-2019-1192) - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153) - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187) - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1176) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157) - A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518) - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes. (CVE-2019-9506) - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168) - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078) - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1180, CVE-2019-1186) - An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1179) - An information disclosure vulnerability exists in SymCrypt during the OAEP decryption stage. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1171) - An elevation of privilege exists in SyncController.dll. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1198) - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1178) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152) - A security feature bypass exists when Windows incorrectly validates CAB file signatures. An attacker who successfully exploited this vulnerability could inject code into a CAB file without invalidating the file
last seen	2020-06-01
modified	2020-06-02
plugin id	127847
published	2019-08-13
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127847
title	KB4512507: Windows 10 Version 1703 August 2019 Security Update

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS19_AUG_4512516.NASL
description	The remote Windows host is missing security update 4512516. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1162) - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. (CVE-2019-1192) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1133, CVE-2019-1194) - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187) - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1176) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157) - A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518) - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes. (CVE-2019-9506) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2019-1188) - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168) - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0965) - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078) - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1180, CVE-2019-1186) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1131, CVE-2019-1139, CVE-2019-1140, CVE-2019-1195, CVE-2019-1196, CVE-2019-1197) - An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1179) - An information disclosure vulnerability exists in SymCrypt during the OAEP decryption stage. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1171) - An elevation of privilege exists in SyncController.dll. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1198) - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1178) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152) - A security feature bypass exists when Windows incorrectly validates CAB file signatures. An attacker who successfully exploited this vulnerability could inject code into a CAB file without invalidating the file
last seen	2020-05-31
modified	2019-08-13
plugin id	127849
published	2019-08-13
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127849
title	KB4512516: Windows 10 Version 1709 August 2019 Security Update

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-3517.NASL
description	An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * kernel: nfs: use-after-free in svc_process_common() (CVE-2018-16884) * Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900) * Kernel: page cache side channel attacks (CVE-2019-5489) * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net /wireless/marvell/mwifiex/ie.c (CVE-2019-10126) * Kernel: KVM: OOB memory access via mmio ring buffer (CVE-2019-14821) * kernel: Information Disclosure in crypto_report_one in crypto/crypto_user.c (CVE-2018-19854) * kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS (CVE-2018-20169) * kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459) * kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460) * kernel: SCTP socket buffer memory leak leading to denial of service (CVE-2019-3874) * kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882) * kernel: NULL pointer dereference in hci_uart_set_flow_control (CVE-2019-10207) * kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599) * kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833) * kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command (CVE-2019-11884) * kernel: use-after-free in arch/x86/lib/insn-eval.c (CVE-2019-13233) * kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service (CVE-2019-15916) * kernel: Linux stack ASLR implementation Integer overflow (CVE-2015-1593) * kernel: oob memory read in hso_probe in drivers/net/usb/hso.c (CVE-2018-19985) * Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222) * Kernel: net: weak IP ID generation leads to remote device tracking (CVE-2019-10638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.
last seen	2020-05-15
modified	2019-11-06
plugin id	130547
published	2019-11-06
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130547
title	RHEL 8 : kernel (RHSA-2019:3517)

NASL family	NewStart CGSL Local Security Checks
NASL id	NEWSTART_CGSL_NS-SA-2019-0222_KERNEL-RT.NASL
description	The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel-rt packages installed that are affected by multiple vulnerabilities: - Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www /public/us/en/documents/corporate- information/SA00233-microcode-update- guidance_05132019.pdf (CVE-2018-12126) - Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en /documents/corporate-information/SA00233-microcode- update-guidance_05132019.pdf (CVE-2018-12127) - Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www /public/us/en/documents/corporate- information/SA00233-microcode-update- guidance_05132019.pdf (CVE-2018-12130) - An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled. (CVE-2018-20856) - A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences. (CVE-2019-10126) - A vulnerability was found in Linux kernel
last seen	2020-06-01
modified	2020-06-02
plugin id	131421
published	2019-12-02
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131421
title	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0222)

NASL family	NewStart CGSL Local Security Checks
NASL id	NEWSTART_CGSL_NS-SA-2019-0221_KERNEL.NASL
description	The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has kernel packages installed that are affected by multiple vulnerabilities: - An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an __blk_drain_queue() use-after-free because a certain error case is mishandled. (CVE-2018-20856) - A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences. (CVE-2019-10126) - A vulnerability was found in Linux kernel
last seen	2020-06-01
modified	2020-06-02
plugin id	131411
published	2019-12-02
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131411
title	NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0221)

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS19_AUG_4512517.NASL
description	The remote Windows host is missing security update 4512517. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1162) - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. (CVE-2019-1192) - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153) - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187) - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1176) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157) - A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518) - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes. (CVE-2019-9506) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1139, CVE-2019-1140, CVE-2019-1195, CVE-2019-1197) - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168) - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078) - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1180, CVE-2019-1186) - A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could cause the DHCP service to become nonresponsive. (CVE-2019-1206) - An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1179) - An elevation of privilege exists in SyncController.dll. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1198) - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1178) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152) - A security feature bypass exists when Windows incorrectly validates CAB file signatures. An attacker who successfully exploited this vulnerability could inject code into a CAB file without invalidating the file
last seen	2020-06-01
modified	2020-06-02
plugin id	127850
published	2019-08-13
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127850
title	KB4512517: Windows 10 Version 1607 and Windows Server 2016 August 2019 Security Update

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1930.NASL
description	Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2016-10905 A race condition was discovered in the GFS2 file-system implementation, which could lead to a use-after-free. On a system using GFS2, a local attacker could use this for denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2018-20976 It was discovered that the XFS file-system implementation did not correctly handle some mount failure conditions, which could lead to a use-after-free. The security impact of this is unclear. CVE-2018-21008 It was discovered that the rsi wifi driver did not correctly handle some failure conditions, which could lead to a use-after- free. The security impact of this is unclear. CVE-2019-0136 It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages. A nearby attacker could use this for denial of service (loss of wifi connectivity). CVE-2019-9506 Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the
last seen	2020-06-01
modified	2020-06-02
plugin id	129361
published	2019-09-26
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129361
title	Debian DLA-1930-1 : linux security update

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-2710-1.NASL
description	The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2017-18595: A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c (bnc#1149555). CVE-2019-14821: An out-of-bounds access issue was found in the way Linux kernel
last seen	2020-06-01
modified	2020-06-02
plugin id	130089
published	2019-10-21
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130089
title	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:2710-1)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2019-2307.NASL
description	The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2019-15291: There was a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver (bnc#1146540). - CVE-2019-14821: An out-of-bounds access issue was found in the way Linux kernel
last seen	2020-06-01
modified	2020-06-02
plugin id	129806
published	2019-10-11
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129806
title	openSUSE Security Update : the Linux Kernel (openSUSE-2019-2307)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-3187.NASL
description	An update for kernel is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * Fix possible Spectre-v1 bugs in wireless code (BZ#1706696) * powerpc/pseries: Disable CPU hotplug across migrations / powerpc/rtas: Fix a potential race between CPU-Offline & Migration (LPM) (BZ#1745436) * powerpc/pseries: Fix uninitialized timer reset on migration / powerpc/pseries /mobility: Extend start/stop topology update scope (LPM) (BZ#1745438) * ISST-LTE:PVM:Zeppelin :LPM: Failure logs and stack trace seen during LPM (POWER9/P9) (BZ#1745446)
last seen	2020-06-01
modified	2020-06-02
plugin id	130189
published	2019-10-24
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130189
title	RHEL 7 : kernel (RHSA-2019:3187)

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS19_AUG_4512508.NASL
description	The remote Windows host is missing security update 4512508. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists in the way that the Windows kernel image handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1190) - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1162) - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. (CVE-2019-1192) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1133, CVE-2019-1194) - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187) - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1176) - An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system. (CVE-2019-1224, CVE-2019-1225) - An elevation of privilege vulnerability exists when reparse points are created by sandboxed processes allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. (CVE-2019-1170) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157) - A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518) - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes. (CVE-2019-9506) - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1223) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1227) - An elevation of privilege vulnerability exists in the way that the PsmServiceExtHost.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1173, CVE-2019-1174) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2019-1188) - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168) - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0965) - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0717, CVE-2019-0718, CVE-2019-0723) - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1180, CVE-2019-1186) - An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1175) - An information disclosure vulnerability exists in SymCrypt during the OAEP decryption stage. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1171) - An elevation of privilege exists in SyncController.dll. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1198) - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1178) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152) - A security feature bypass exists when Windows incorrectly validates CAB file signatures. An attacker who successfully exploited this vulnerability could inject code into a CAB file without invalidating the file
last seen	2020-04-01
modified	2019-08-13
plugin id	127848
published	2019-08-13
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127848
title	KB4512508: Windows 10 Version 1903 August 2019 Security Update

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS19_AUG_4512497.NASL
description	The remote Windows host is missing security update 4512497. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1162) - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. (CVE-2019-1192) - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153) - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187) - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1176) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1139, CVE-2019-1140, CVE-2019-1197) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157) - A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518) - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes. (CVE-2019-9506) - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168) - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078) - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1180, CVE-2019-1186) - An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1179) - An elevation of privilege exists in SyncController.dll. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1198) - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1178) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152) - A security feature bypass exists when Windows incorrectly validates CAB file signatures. An attacker who successfully exploited this vulnerability could inject code into a CAB file without invalidating the file
last seen	2020-06-01
modified	2020-06-02
plugin id	127844
published	2019-08-13
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127844
title	KB4512497: Windows 10 August 2019 Security Update

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-3218.NASL
description	An update for kernel is now available for Red Hat Enterprise Linux 7.3 Advanced Update Support, Red Hat Enterprise Linux 7.3 Telco Extended Update Support, and Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * kernel build: parallelize redhat/mod-sign.sh (BZ#1755326)
last seen	2020-06-01
modified	2020-06-02
plugin id	130374
published	2019-10-30
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130374
title	RHEL 7 : kernel (RHSA-2019:3218)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-2648-1.NASL
description	The SUSE Linux Enterprise 12 SP4 for Azure kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2019-15291: There was a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver (bnc#1146540). CVE-2019-14821: An out-of-bounds access issue was found in the way Linux kernel
last seen	2020-04-01
modified	2019-10-14
plugin id	129845
published	2019-10-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129845
title	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2648-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-3200-1.NASL
description	The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2019-19081: Fixed a memory leak in the nfp_flower_spawn_vnic_reprs() could have allowed attackers to cause a denial of service (bsc#1157045). CVE-2019-19080: Fixed four memory leaks in the nfp_flower_spawn_phy_reprs() could have allowed attackers to cause a denial of service (bsc#1157044). CVE-2019-19052: Fixed a memory leak in the gs_can_open() which could have led to denial of service (bsc#1157324). CVE-2019-19067: Fixed multiple memory leaks in acp_hw_init (bsc#1157180). CVE-2019-19060: Fixed a memory leak in the adis_update_scan_mode() which could have led to denial of service (bsc#1157178). CVE-2019-19049: Fixed a memory leak in unittest_data_add (bsc#1157173). CVE-2019-19075: Fixed a memory leak in the ca8210_probe() which could have led to denial of service by triggering ca8210_get_platform_data() failures (bsc#1157162). CVE-2019-19058: Fixed a memory leak in the alloc_sgtable() which could have led to denial of service by triggering alloc_page() failures (bsc#1157145). CVE-2019-19074: Fixed a memory leak in the ath9k_wmi_cmd() function which could have led to denial of service (bsc#1157143). CVE-2019-19073: Fixed multiple memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c which could have led to denial of service by triggering wait_for_completion_timeout() failures (bsc#1157070). CVE-2019-19083: Fixed multiple memory leaks in clock_source_create() functions which could have led to denial of service (bsc#1157049). CVE-2019-19082: Fixed multiple memory leaks in create_resource_pool() which could have led to denial of service (bsc#1157046). CVE-2019-15916: Fixed a memory leak in register_queue_kobjects() which might have led denial of service (bsc#1149448). CVE-2019-0154: Fixed an improper access control in subsystem for Intel (R) processor graphics whichs may have allowed an authenticated user to potentially enable denial of service via local access (bsc#1135966). CVE-2019-0155: Fixed an improper access control in subsystem for Intel (R) processor graphics whichs may have allowed an authenticated user to potentially enable escalation of privilege via local access (bsc#1135967). CVE-2019-16231: Fixed a NULL pointer dereference due to lack of checking the alloc_workqueue return value (bsc#1150466). CVE-2019-18805: Fixed an integer overflow in tcp_ack_update_rtt() leading to a denial of service or possibly unspecified other impact (bsc#1156187). CVE-2019-17055: Enforced CAP_NET_RAW in the AF_ISDN network module to restrict unprivileged users to create a raw socket (bsc#1152782). CVE-2019-16995: Fixed a memory leak in hsr_dev_finalize() which may have caused denial of service (bsc#1152685). CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457). CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903) CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372). CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788). CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel
last seen	2020-06-01
modified	2020-06-02
plugin id	131833
published	2019-12-09
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131833
title	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3200-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2020-0093-1.NASL
description	The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2019-20095: mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c had some error-handling cases that did not free allocated hostcmd memory. This will cause a memory leak and denial of service (bnc#1159909). CVE-2019-20054: Fixed a a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910). CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908). CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841). CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819). CVE-2019-19319: A setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021). CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297). CVE-2019-18808: A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption) (bnc#1156259). CVE-2019-16746: An issue was discovered in net/wireless/nl80211.c where the length of variable elements in a beacon head were not checked, leading to a buffer overflow (bnc#1152107). CVE-2019-19066: A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c allowed attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures (bnc#1157303). CVE-2019-19051: There was a memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1159024). CVE-2019-19338: There was an incomplete fix for Transaction Asynchronous Abort (TAA) (bnc#1158954). CVE-2019-19332: There was an OOB memory write via kvm_dev_ioctl_get_cpuid (bnc#1158827). CVE-2019-19537: There was a race condition bug that can be caused by a malicious USB device in the USB character device driver layer (bnc#1158904). CVE-2019-19535: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bnc#1158903). CVE-2019-19527: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bnc#1158900). CVE-2019-19526: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver (bnc#1158893). CVE-2019-19533: There was an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bnc#1158834). CVE-2019-19532: There were multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers (bnc#1158824). CVE-2019-19523: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79 (bnc#1158381 1158823 1158834). CVE-2019-15213: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver (bnc#1146544). CVE-2019-19531: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1158445). CVE-2019-19543: There was a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (bnc#1158427). CVE-2019-19525: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bnc#1158417). CVE-2019-19530: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bnc#1158410). CVE-2019-19536: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver (bnc#1158394). CVE-2019-19524: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bnc#1158413). CVE-2019-19528: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver (bnc#1158407). CVE-2019-19534: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (bnc#1158398). CVE-2019-19529: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver (bnc#1158381). CVE-2019-14901: A heap overflow flaw was found in the Linux kernel in Marvell WiFi chip driver. The vulnerability allowed a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system (bnc#1157042). CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158). CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038). CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897). CVE-2019-18809: A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1156258). CVE-2019-19046: A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure (bnc#1157304). CVE-2019-19078: A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157032). CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333). CVE-2019-19057: Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures (bnc#1157197). CVE-2019-19056: A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures (bnc#1157197). CVE-2019-19068: A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157307). CVE-2019-19063: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157298). CVE-2019-19227: In the AppleTalk subsystem in the Linux kernel there was a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client (bnc#1157678). CVE-2019-19081: A memory leak in the nfp_flower_spawn_vnic_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157045). CVE-2019-19080: Four memory leaks in the nfp_flower_spawn_phy_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157044). CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191). CVE-2019-19077: A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering copy to udata failures (bnc#1157171). CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324). CVE-2019-19067: Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures (bsc#1157180). CVE-2019-19060: A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157178). CVE-2019-19049: A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering of_fdt_unflatten_tree() failures (bsc#1157173). CVE-2019-19075: A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures (bnc#1157162). CVE-2019-19058: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures (bnc#1157145). CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143). CVE-2019-19073: Fixed memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures (bnc#1157070). CVE-2019-19083: Memory leaks in clock_source_create() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157049). CVE-2019-19082: Memory leaks in create_resource_pool() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157046). CVE-2019-15916: An issue was discovered in the Linux kernel There was a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service (bnc#1149448). CVE-2019-0154: Insufficient access control in subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100 Processor Families may have allowed an authenticated user to potentially enable denial of service via local access (bnc#1135966). CVE-2019-0155: Insufficient access control in a subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families; Intel(R) Graphics Driver for Windows (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077), i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may have allowed an authenticated user to potentially enable escalation of privilege via local access (bnc#1135967). CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466). CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187). CVE-2019-17055: base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket (bnc#1152782). CVE-2019-16995: In the Linux kernel before 5.0.3, a memory leak exits in hsr_dev_finalize() in net/hsr/hsr_device.c if hsr_add_port fails to add a port, which may cause denial of service, aka CID-6caabe7f197d (bnc#1152685). CVE-2019-11135: TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may have allowed an authenticated user to potentially enable information disclosure via a side channel with local access (bnc#1139073). CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150457). CVE-2018-12207: Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may have allowed an authenticated user to potentially enable denial of service of the host system via local access (bnc#1117665). CVE-2019-10220: Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists (bnc#1144903). CVE-2019-17666: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow (bnc#1154372). CVE-2019-16232: drivers/net/wireless/marvell/libertas/if_sdio.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150465). CVE-2019-16234: drivers/net/wireless/intel/iwlwifi/pcie/trans.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150452). CVE-2019-17133: cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c did not reject a long SSID IE, leading to a Buffer Overflow (bnc#1153158). CVE-2019-17056: llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC network module in the Linux kernel did not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-3a359798b176 (bnc#1152788). CVE-2019-14821: An out-of-bounds access issue was found in the way Linux kernel
last seen	2020-06-01
modified	2020-06-02
plugin id	132925
published	2020-01-15
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132925
title	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:0093-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-3295-1.NASL
description	The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2019-15916: Fixed a memory leak in register_queue_kobjects() which might have led denial of service (bsc#1149448). CVE-2019-0154: Fixed an improper access control in subsystem for Intel (R) processor graphics whichs may have allowed an authenticated user to potentially enable denial of service via local access (bsc#1135966). CVE-2019-0155: Fixed an improper access control in subsystem for Intel (R) processor graphics whichs may have allowed an authenticated user to potentially enable escalation of privilege via local access (bsc#1135967). CVE-2019-16231: Fixed a NULL pointer dereference due to lack of checking the alloc_workqueue return value (bsc#1150466). CVE-2019-18805: Fixed an integer overflow in tcp_ack_update_rtt() leading to a denial of service or possibly unspecified other impact (bsc#1156187). CVE-2019-17055: Enforced CAP_NET_RAW in the AF_ISDN network module to restrict unprivileged users to create a raw socket (bsc#1152782). CVE-2019-16995: Fixed a memory leak in hsr_dev_finalize() which may have caused denial of service (bsc#1152685). CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described
last seen	2020-06-01
modified	2020-06-02
plugin id	132071
published	2019-12-16
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132071
title	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:3295-1)

NASL family	NewStart CGSL Local Security Checks
NASL id	NEWSTART_CGSL_NS-SA-2019-0253_KERNEL-RT.NASL
description	The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel-rt packages installed that are affected by multiple vulnerabilities: - A flaw was found in the Linux kernel
last seen	2020-05-08
modified	2019-12-31
plugin id	132495
published	2019-12-31
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132495
title	NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0253)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2020-0204.NASL
description	An update for kernel is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hw: Machine Check Error on Page Size Change (IFU) (CVE-2018-12207) * hw: TSX Transaction Asynchronous Abort (TAA) (CVE-2019-11135) * kernel: nfs: use-after-free in svc_process_common() (CVE-2018-16884) * hw: Intel GPU blitter manipulation can allow for arbitrary kernel memory write (CVE-2019-0155) * Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900) * Kernel: page cache side channel attacks (CVE-2019-5489) * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net /wireless/marvell/mwifiex/ie.c (CVE-2019-10126) * kernel: heap overflow in mwifiex_update_vs_ie() function of Marvell WiFi driver (CVE-2019-14816) * Kernel: KVM: OOB memory access via mmio ring buffer (CVE-2019-14821) * kernel: heap overflow in marvell/mwifiex/tdls.c (CVE-2019-14901) * hw: Intel GPU Denial Of Service while accessing MMIO in lower power state (CVE-2019-0154) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * Backport TCP follow-up for small buffers (BZ#1739184) * TCP performance regression after CVE-2019-11478 bug fix (BZ#1743170) * RHEL8.0 - bnx2x link down, caused by transmit timeouts during load test (Marvell/Cavium/QLogic) (L3:) (BZ#1743548) * block: blk-mq improvement (BZ#1780567) * RHEL8.0 - Regression to RHEL7.6 by changing force_latency found during RHEL8.0 validation for SAP HANA on POWER (BZ#1781111) * blk-mq: overwirte performance drops on real MQ device (BZ#1782183) * RHEL8: creating vport takes lot of memory i.e 2GB per vport which leads to drain out system memory quickly. (BZ#1782705)
last seen	2020-06-01
modified	2020-06-02
plugin id	133221
published	2020-01-24
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/133221
title	RHEL 8 : kernel (RHSA-2020:0204)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-3165.NASL
description	An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * update the MRG 2.5.z 3.10 realtime-kernel sources (BZ#1751263)
last seen	2020-06-01
modified	2020-06-02
plugin id	130186
published	2019-10-24
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130186
title	RHEL 6 : MRG (RHSA-2019:3165)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-2984-1.NASL
description	The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685). CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described
last seen	2020-06-01
modified	2020-06-02
plugin id	131120
published	2019-11-18
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131120
title	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2984-1)

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS19_AUG_4511553.NASL
description	The remote Windows host is missing security update 4511553. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists in the way that the Windows kernel image handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1190) - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1162) - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. (CVE-2019-1192) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1133, CVE-2019-1194) - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187) - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1176) - An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system. (CVE-2019-1224, CVE-2019-1225) - An elevation of privilege vulnerability exists when reparse points are created by sandboxed processes allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. (CVE-2019-1170) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157) - A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518) - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes. (CVE-2019-9506) - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1223) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1227) - An elevation of privilege vulnerability exists in the way that the PsmServiceExtHost.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1173, CVE-2019-1174) - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2019-1188) - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168) - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0965) - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0717, CVE-2019-0718, CVE-2019-0723) - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1180, CVE-2019-1186) - A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could cause the DHCP service to become nonresponsive. (CVE-2019-1206) - An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1175) - An information disclosure vulnerability exists in SymCrypt during the OAEP decryption stage. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1171) - An elevation of privilege exists in SyncController.dll. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1198) - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1178) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152) - A security feature bypass exists when Windows incorrectly validates CAB file signatures. An attacker who successfully exploited this vulnerability could inject code into a CAB file without invalidating the file
last seen	2020-04-01
modified	2019-08-13
plugin id	127841
published	2019-08-13
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127841
title	KB4511553: Windows 10 Version 1809 and Windows Server 2019 August 2019 Security Update

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-3089.NASL
description	An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c (CVE-2018-20856) * kernel: Heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c (CVE-2019-3846) * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net /wireless/marvell/mwifiex/ie.c (CVE-2019-10126) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * kernel-rt: update to the RHEL7.7.z batch#2 source tree (BZ#1748570)
last seen	2020-06-01
modified	2020-06-02
plugin id	129992
published	2019-10-17
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129992
title	RHEL 7 : kernel-rt (RHSA-2019:3089)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-3231.NASL
description	An update for kpatch-patch is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix(es) : * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	130379
published	2019-10-30
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130379
title	RHEL 7 : kpatch-patch (RHSA-2019:3231)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-3220.NASL
description	An update for kernel is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900) * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: hw: Spectre SWAPGS gadget vulnerability (CVE-2019-1125) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * [mlx4] VXLAN over VLAN TCP segmentation (BZ#1734325) * Race condition in /dev/sg due to missing synchronization causes corruption in RHV (BZ#1737378) * [FJ7.6 Bug]: [REG] kernel: ipc: ipc_free should use kvfree (BZ#1740177) * high update_cfs_rq_blocked_load contention (BZ#1740179) * kvm: backport cpuidle-haltpoll driver (BZ#1740191) * Growing unreclaimable slab memory (BZ#1741919) * [Hyper-V]vPCI devices cannot allocate IRQs vectors in a Hyper-V VM with > 240 vCPUs (i.e., when in x2APIC mode) (BZ#1743323) * NFSv4.0 client sending a double CLOSE (leading to EIO application failure) (BZ#1744945) * powerpc/pseries: Fix uninitialized timer reset on migration / powerpc/pseries /mobility: Extend start/stop topology update scope (LPM) (BZ#1745441) * ISST-LTE:PVM:Zeppelin :LPM: Failure logs and stack trace seen during LPM (POWER9/P9) (BZ#1745448) * [LLNL 7.5 Bug] slab leak causing a crash when using kmem control group (BZ# 1748237) * [Azure] CRI-RDOS \| [RHEL 7.8] Live migration only takes 10 seconds, but the VM was unavailable for 2 hours (BZ#1748238) * Allows macvlan to operate correctly over the active-backup mode to support bonding events (BZ#1749291) * debug kernel reports scheduling while atomic bug in EFI code (BZ#1755324)
last seen	2020-06-01
modified	2020-06-02
plugin id	130376
published	2019-10-30
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130376
title	RHEL 7 : kernel (RHSA-2019:3220)

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS19_AUG_4512518.NASL
description	The remote Windows host is missing security update 4512482 or cumulative update 4512518. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1162) - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. (CVE-2019-1192) - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153) - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157) - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes. (CVE-2019-9506) - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1180) - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168) - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078) - A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could cause the DHCP service to become nonresponsive. (CVE-2019-1206) - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1178) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1159, CVE-2019-1164) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1181, CVE-2019-1182) - A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. (CVE-2019-0736) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1133, CVE-2019-1194) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1183) - An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1177) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1193) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0718, CVE-2019-0723) - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-0716) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage. The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1143, CVE-2019-1158) - A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0720) - A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could cause the DHCP server service to stop responding. (CVE-2019-1212) - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1057)
last seen	2020-06-01
modified	2020-06-02
plugin id	127851
published	2019-08-13
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127851
title	KB4512482: Windows Server 2012 August 2019 Security Update

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-4115-2.NASL
description	USN 4115-1 fixed vulnerabilities in the Linux 4.15 kernel for Ubuntu 18.04 LTS and Ubuntu 16.04 LTS. Unfortunately, as part of the update, a regression was introduced that caused a kernel crash when handling fragmented packets in some situations. This update addresses the issue. We apologize for the inconvenience. Original advisory details : Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985) Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) It was discovered that the Intel Wi-Fi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (Wi-Fi disconnect). (CVE-2019-0136) It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207) Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638) Amit Klein and Benny Pinkas discovered that the location of kernel addresses could be exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel. (CVE-2019-10639) It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487) Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2019-11599) It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-11810) It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13631) Praveen Pandey discovered that the Linux kernel did not properly validate sent signals in some situations on PowerPC systems with transactional memory disabled. A local attacker could use this to cause a denial of service. (CVE-2019-13648) It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14283) It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284) Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-14763) It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090) It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2019-15211) It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212) It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15214) It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15220) It was discovered that a use-after-free vulnerability existed in the AppleTalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-15292) Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system. (CVE-2019-3900) Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physically proximate attacker could use this to expose sensitive information. (CVE-2019-9506) It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15216) It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218) It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel
last seen	2020-06-01
modified	2020-06-02
plugin id	128680
published	2019-09-11
reporter	Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/128680
title	Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, (USN-4115-2)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-2706-1.NASL
description	The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2019-15291: There was a NULL pointer dereference, caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver (bnc#1146540). CVE-2019-14821: An out-of-bounds access issue was found in the way the KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer
last seen	2020-06-01
modified	2020-06-02
plugin id	130050
published	2019-10-18
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130050
title	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:2706-1)

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS19_AUG_4512506.NASL
description	The remote Windows host is missing security update 4512486 or cumulative update 4512506. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1162) - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. (CVE-2019-1192) - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153) - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage. The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1143, CVE-2019-1154, CVE-2019-1158) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157) - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes. (CVE-2019-9506) - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168) - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1169) - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078) - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1178) - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1159, CVE-2019-1164) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1181, CVE-2019-1182) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0723) - A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. (CVE-2019-0736) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1133, CVE-2019-1194) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1183) - An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1177) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1193) - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-0716) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1228) - A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0720) - A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could cause the DHCP server service to stop responding. (CVE-2019-1212) - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1057)
last seen	2020-06-01
modified	2020-06-02
plugin id	127846
published	2019-08-13
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127846
title	KB4512486: Windows 7 and Windows Server 2008 R2 August 2019 Security Update

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-2531.NASL
description	According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2186) - The snd_compr_tstamp function in sound/core/compress_offload.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize a timestamp data structure, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28770164 and Qualcomm internal bug CR568717.(CVE-2014-9892) - A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b.(CVE-2019-19054) - A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.(CVE-2019-19060) - A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-9c0530e898f3.(CVE-2019-19061) - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.(CVE-2019-19062) - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.(CVE-2019-18808) - In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-66954097.(CVE-2017-13216) - A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.(CVE-2015-3332) - The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.(CVE-2016-4486) - The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.(CVE-2017-5897) - In the Linux kernel before version 4.12, Kerberos 5 tickets decoded when using the RXRPC keys incorrectly assumes the size of a field. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. This could possibly lead to memory corruption and possible privilege escalation.(CVE-2017-7482) - A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.(CVE-2018-14625) - drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16647) - A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f.(CVE-2019-18806) - An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR.(CVE-2018-7755) - The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor.(CVE-2015-7833) - A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.(CVE-2019-3846) - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16232) - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16234) - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16231) - Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.(CVE-2019-0136) - A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.(CVE-2019-10126) - The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka
last seen	2020-05-08
modified	2019-12-09
plugin id	131805
published	2019-12-09
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131805
title	EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2531)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-3076.NASL
description	An update for kpatch-patch is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Security Fix(es) : * kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c (CVE-2018-20856) * kernel: Heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c (CVE-2019-3846) * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net /wireless/marvell/mwifiex/ie.c (CVE-2019-10126) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	129960
published	2019-10-16
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129960
title	RHEL 7 : kpatch-patch (RHSA-2019:3076)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-2879-1.NASL
description	The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2017-18595: A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c (bnc#1149555). CVE-2019-14821: An out-of-bounds access issue was found in the way Linux kernel
last seen	2020-06-01
modified	2020-06-02
plugin id	130452
published	2019-11-01
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130452
title	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2019:2879-1)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1919.NASL
description	Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. This updated advisory text mentions the additional non-security changes and notes the need to install new binary packages. CVE-2019-0136 It was discovered that the wifi soft-MAC implementation (mac80211) did not properly authenticate Tunneled Direct Link Setup (TDLS) messages. A nearby attacker could use this for denial of service (loss of wifi connectivity). CVE-2019-9506 Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen discovered a weakness in the Bluetooth pairing protocols, dubbed the
last seen	2020-04-01
modified	2019-09-16
plugin id	128779
published	2019-09-16
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/128779
title	Debian DLA-1919-2 : linux-4.9 security update

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-3309.NASL
description	An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * kernel: nfs: use-after-free in svc_process_common() (CVE-2018-16884) * Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900) * Kernel: page cache side channel attacks (CVE-2019-5489) * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net /wireless/marvell/mwifiex/ie.c (CVE-2019-10126) * Kernel: KVM: OOB memory access via mmio ring buffer (CVE-2019-14821) * kernel: Information Disclosure in crypto_report_one in crypto/crypto_user.c (CVE-2018-19854) * kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS (CVE-2018-20169) * kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459) * kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460) * kernel: SCTP socket buffer memory leak leading to denial of service (CVE-2019-3874) * kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882) * kernel: NULL pointer dereference in hci_uart_set_flow_control (CVE-2019-10207) * kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599) * kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833) * kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command (CVE-2019-11884) * kernel: use-after-free in arch/x86/lib/insn-eval.c (CVE-2019-13233) * kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service (CVE-2019-15916) * kernel: oob memory read in hso_probe in drivers/net/usb/hso.c (CVE-2018-19985) * Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222) * Kernel: net: weak IP ID generation leads to remote device tracking (CVE-2019-10638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section.
last seen	2020-05-08
modified	2019-11-06
plugin id	130526
published	2019-11-06
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130526
title	RHEL 8 : kernel-rt (RHSA-2019:3309)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-2949-1.NASL
description	The SUSE Linux Enterprise 12-SP3 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685). CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described
last seen	2020-06-01
modified	2020-06-02
plugin id	130949
published	2019-11-13
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130949
title	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2949-1)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2019-3055.NASL
description	An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c (CVE-2018-20856) * kernel: Heap overflow in mwifiex_update_bss_desc_with_ie function in marvell/mwifiex/scan.c (CVE-2019-3846) * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net /wireless/marvell/mwifiex/ie.c (CVE-2019-10126) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fixes : * gfs2: Fix iomap write page reclaim deadlock (BZ#1737373) * [FJ7.6 Bug]: [REG] kernel: ipc: ipc_free should use kvfree (BZ#1740178) * high update_cfs_rq_blocked_load contention (BZ#1740180) * [Hyper-V][RHEL 7] kdump fails to start on a Hyper-V guest of Windows Server 2019. (BZ#1740188) * kvm: backport cpuidle-haltpoll driver (BZ#1740192) * Growing unreclaimable slab memory (BZ#1741920) * [bnx2x] ping failed from pf to vf which has been attached to vm (BZ# 1741926) * [Hyper-V]vPCI devices cannot allocate IRQs vectors in a Hyper-V VM with > 240 vCPUs (i.e., when in x2APIC mode) (BZ#1743324) * Macsec: inbound MACSEC frame is unexpectedly dropped with InPktsNotValid (BZ#1744442) * RHEL 7.7 Beta - Hit error when trying to run nvme connect with IPv6 address (BZ#1744443) * RHEL 7.6 SS4 - Paths lost when running straight I/O on NVMe/RoCE system (BZ #1744444) * NFSv4.0 client sending a double CLOSE (leading to EIO application failure) (BZ#1744946) * [Azure] CRI-RDOS \| [RHEL 7.8] Live migration only takes 10 seconds, but the VM was unavailable for 2 hours (BZ#1748239) * NFS client autodisconnect timer may fire immediately after TCP connection setup and may cause DoS type reconnect problem in complex network environments (BZ#1749290) * [Inspur] RHEL7.6 ASPEED graphic card display issue (BZ#1749296) * Allows macvlan to operated correctly over the active-backup mode to support bonding events. (BZ#1751579) * [LLNL 7.5 Bug] slab leak causing a crash when using kmem control group (BZ# 1752421) Users of kernel are advised to upgrade to these updated packages, which fix these bugs.
last seen	2020-06-01
modified	2020-06-02
plugin id	130128
published	2019-10-22
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130128
title	CentOS 7 : kernel (CESA-2019:3055)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2019-2308.NASL
description	The openSUSE Leap 15.1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2019-15291: There was a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function in the drivers/media/usb/b2c2/flexcop-usb.c driver (bnc#1146540). - CVE-2019-14821: An out-of-bounds access issue was found in the way Linux kernel
last seen	2020-06-01
modified	2020-06-02
plugin id	129807
published	2019-10-11
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129807
title	openSUSE Security Update : the Linux Kernel (openSUSE-2019-2308)

NASL family	NewStart CGSL Local Security Checks
NASL id	NEWSTART_CGSL_NS-SA-2019-0247_KERNEL.NASL
description	The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has kernel packages installed that are affected by multiple vulnerabilities: - A flaw was found in the Linux kernel
last seen	2020-05-08
modified	2019-12-31
plugin id	132474
published	2019-12-31
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132474
title	NewStart CGSL CORE 5.05 / MAIN 5.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0247)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-4115-1.NASL
description	Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985) Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) It was discovered that the Intel wifi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (wifi disconnect). (CVE-2019-0136) It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207) Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638) Amit Klein and Benny Pinkas discovered that the location of kernel addresses could exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel. (CVE-2019-10639) It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487) Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2019-11599) It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-11810) It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13631) Praveen Pandey discovered that the Linux kernel did not properly validate sent signals in some situations on PowerPC systems with transactional memory disabled. A local attacker could use this to cause a denial of service. (CVE-2019-13648) It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14283) It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284) Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-14763) It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090) It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2019-15211) It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212) It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) pro possibly execute arbitrary code. (CVE-2019-15214) It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15220) It was discovered that a use-after-free vulnerability existed in the Appletalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-15292) Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system. (CVE-2019-3900) Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physicall proximate attacker could use this to expose sensitive information. (CVE-2019-9506) It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15216) It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218) It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel
last seen	2020-06-01
modified	2020-06-02
plugin id	128475
published	2019-09-03
reporter	Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/128475
title	Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-azure, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, (USN-4115-1)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-2274.NASL
description	According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.(CVE-2017-5754)The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.(CVE-2017-5897)The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels data, which allows local users to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device.(CVE-2017-7261)The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.(CVE-2017-7472)A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this.(CVE-2017-7518)The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.(CVE-2018-10124)The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image.(CVE-2018-10323)The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery.(CVE-2018-1066)The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls.(CVE-2018-10675)An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp.(CVE-2018-13094)An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.(CVE-2018-20976)Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.(CVE-2018-3693)In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c in the Linux kernel through 4.15, an integer signedness error allows arbitrary information leakage for the FBIOPUTCMAP_SPARC and FBIOGETCMAP_SPARC commands.(CVE-2018-6412)Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck directory. NOTE: a third party has indicated that this report is not security relevant.(CVE-2018-7995)In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.(CVE-2018-9363)In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-73083945.(CVE-2018-9518)A vulnerability was found in Linux kernel
last seen	2020-05-08
modified	2019-11-08
plugin id	130736
published	2019-11-08
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130736
title	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-2274)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-2975.NASL
description	An update for kernel is now available for Red Hat Enterprise Linux 7.5 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: hw: Spectre SWAPGS gadget vulnerability (CVE-2019-1125) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * TCP packets are segmented when sent to the VLAN device when coming from VXLAN dev. (BZ#1732810) * skb head copy occurs when sending traffic over OVS managed VXLAN tunnel (BZ #1733896) * [mlx4] VXLAN over VLAN TCP segmentation (BZ#1734306) * use
last seen	2020-06-01
modified	2020-06-02
plugin id	129738
published	2019-10-09
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129738
title	RHEL 7 : kernel (RHSA-2019:2975)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-3217.NASL
description	An update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-alt packages provide the Linux kernel version 4.x. Security Fix(es) : * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c (CVE-2018-20856) * kernel: brcmfmac heap buffer overflow in brcmf_wowl_nd_results (CVE-2019-9500) * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: a NULL pointer dereference in drivers/scsi/megaraid/ megaraid_sas_base.c leading to DoS (CVE-2019-11810) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * kernel modules pkey and paes_s390 are not available (BZ#1719192) * pkey: Indicate old mkvp only if old and curr. mkvp are different (BZ# 1720621) * System dropped into Mon running softboots Exception: 501 (Hardware Interrupt) at c00000000000a814 replay_interrupt_return+0x0/0x4 (ipmi) (BZ# 1737563) * kernel: jump label transformation performance (BZ#1739143) * Backport i40e MDD detection removal for PFs (BZ#1747618)
last seen	2020-06-01
modified	2020-06-02
plugin id	130373
published	2019-10-30
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130373
title	RHEL 7 : kernel-alt (RHSA-2019:3217)

Redhat

advisories

bugzilla

id	1738705
title	CVE-2018-20856 kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

comment kernel earlier than 0:3.10.0-1062.4.1.el7 is currently running
oval oval:com.redhat.rhsa:tst:20193055033
comment kernel earlier than 0:3.10.0-1062.4.1.el7 is set to boot up on next boot
oval oval:com.redhat.rhsa:tst:20193055034

AND
comment kernel-doc is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055001
comment kernel-doc is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842002

AND

comment kernel-abi-whitelists is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055003
comment kernel-abi-whitelists is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20131645022

AND
comment python-perf is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055005
comment python-perf is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20111530024
AND
comment perf is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055007
comment perf is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842006

AND

comment kernel-tools-libs is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055009
comment kernel-tools-libs is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20140678016

AND

comment kernel-tools is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055011
comment kernel-tools is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20140678012

AND

comment kernel-headers is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055013
comment kernel-headers is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842010

AND

comment kernel-devel is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055015
comment kernel-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842016

AND

comment kernel-debug-devel is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055017
comment kernel-debug-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842008

AND

comment kernel-debug is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055019
comment kernel-debug is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842014

AND
comment kernel is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055021
comment kernel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842012
AND
comment bpftool is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055023
comment bpftool is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20183083026

AND

comment kernel-tools-libs-devel is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055025
comment kernel-tools-libs-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20140678022

AND

comment kernel-bootwrapper is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055027
comment kernel-bootwrapper is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842018

AND

comment kernel-kdump-devel is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055029
comment kernel-kdump-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842022

AND

comment kernel-kdump is earlier than 0:3.10.0-1062.4.1.el7
oval oval:com.redhat.rhsa:tst:20193055031
comment kernel-kdump is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20100842020

rhsa

id	RHSA-2019:3055
released	2019-10-16
severity	Important
title	RHSA-2019:3055: kernel security and bug fix update (Important)

bugzilla

id	1748570
title	kernel-rt: update to the RHEL7.7.z batch#2 source tree

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND

comment kernel-rt-doc is earlier than 0:3.10.0-1062.4.1.rt56.1027.el7
oval oval:com.redhat.rhsa:tst:20193089001
comment kernel-rt-doc is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727002

AND

comment kernel-rt-trace-devel is earlier than 0:3.10.0-1062.4.1.rt56.1027.el7
oval oval:com.redhat.rhsa:tst:20193089003
comment kernel-rt-trace-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727004

AND

comment kernel-rt-trace is earlier than 0:3.10.0-1062.4.1.rt56.1027.el7
oval oval:com.redhat.rhsa:tst:20193089005
comment kernel-rt-trace is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727008

AND

comment kernel-rt-devel is earlier than 0:3.10.0-1062.4.1.rt56.1027.el7
oval oval:com.redhat.rhsa:tst:20193089007
comment kernel-rt-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727012

AND

comment kernel-rt-debug-devel is earlier than 0:3.10.0-1062.4.1.rt56.1027.el7
oval oval:com.redhat.rhsa:tst:20193089009
comment kernel-rt-debug-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727010

AND

comment kernel-rt-debug is earlier than 0:3.10.0-1062.4.1.rt56.1027.el7
oval oval:com.redhat.rhsa:tst:20193089011
comment kernel-rt-debug is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727014

AND

comment kernel-rt is earlier than 0:3.10.0-1062.4.1.rt56.1027.el7
oval oval:com.redhat.rhsa:tst:20193089013
comment kernel-rt is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20150727006

AND

comment kernel-rt-trace-kvm is earlier than 0:3.10.0-1062.4.1.rt56.1027.el7
oval oval:com.redhat.rhsa:tst:20193089015
comment kernel-rt-trace-kvm is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20160212016

AND

comment kernel-rt-kvm is earlier than 0:3.10.0-1062.4.1.rt56.1027.el7
oval oval:com.redhat.rhsa:tst:20193089017
comment kernel-rt-kvm is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20160212018

AND

comment kernel-rt-debug-kvm is earlier than 0:3.10.0-1062.4.1.rt56.1027.el7
oval oval:com.redhat.rhsa:tst:20193089019
comment kernel-rt-debug-kvm is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20160212020

rhsa

id	RHSA-2019:3089
released	2019-10-16
severity	Important
title	RHSA-2019:3089: kernel-rt security and bug fix update (Important)

rhsa
id RHSA-2019:2975
rhsa
id RHSA-2019:3076
rhsa
id RHSA-2019:3165
rhsa
id RHSA-2019:3187
rhsa
id RHSA-2019:3217
rhsa
id RHSA-2019:3218
rhsa
id RHSA-2019:3220
rhsa
id RHSA-2019:3231
rhsa
id RHSA-2019:3309
rhsa
id RHSA-2019:3517
rhsa
id RHSA-2020:0204

rpms

kernel-0:3.10.0-862.43.1.el7
kernel-abi-whitelists-0:3.10.0-862.43.1.el7
kernel-bootwrapper-0:3.10.0-862.43.1.el7
kernel-debug-0:3.10.0-862.43.1.el7
kernel-debug-debuginfo-0:3.10.0-862.43.1.el7
kernel-debug-devel-0:3.10.0-862.43.1.el7
kernel-debuginfo-0:3.10.0-862.43.1.el7
kernel-debuginfo-common-ppc64-0:3.10.0-862.43.1.el7
kernel-debuginfo-common-ppc64le-0:3.10.0-862.43.1.el7
kernel-debuginfo-common-s390x-0:3.10.0-862.43.1.el7
kernel-debuginfo-common-x86_64-0:3.10.0-862.43.1.el7
kernel-devel-0:3.10.0-862.43.1.el7
kernel-doc-0:3.10.0-862.43.1.el7
kernel-headers-0:3.10.0-862.43.1.el7
kernel-kdump-0:3.10.0-862.43.1.el7
kernel-kdump-debuginfo-0:3.10.0-862.43.1.el7
kernel-kdump-devel-0:3.10.0-862.43.1.el7
kernel-tools-0:3.10.0-862.43.1.el7
kernel-tools-debuginfo-0:3.10.0-862.43.1.el7
kernel-tools-libs-0:3.10.0-862.43.1.el7
kernel-tools-libs-devel-0:3.10.0-862.43.1.el7
perf-0:3.10.0-862.43.1.el7
perf-debuginfo-0:3.10.0-862.43.1.el7
python-perf-0:3.10.0-862.43.1.el7
python-perf-debuginfo-0:3.10.0-862.43.1.el7
bpftool-0:3.10.0-1062.4.1.el7
bpftool-debuginfo-0:3.10.0-1062.4.1.el7
kernel-0:3.10.0-1062.4.1.el7
kernel-abi-whitelists-0:3.10.0-1062.4.1.el7
kernel-bootwrapper-0:3.10.0-1062.4.1.el7
kernel-debug-0:3.10.0-1062.4.1.el7
kernel-debug-debuginfo-0:3.10.0-1062.4.1.el7
kernel-debug-devel-0:3.10.0-1062.4.1.el7
kernel-debuginfo-0:3.10.0-1062.4.1.el7
kernel-debuginfo-common-ppc64-0:3.10.0-1062.4.1.el7
kernel-debuginfo-common-ppc64le-0:3.10.0-1062.4.1.el7
kernel-debuginfo-common-s390x-0:3.10.0-1062.4.1.el7
kernel-debuginfo-common-x86_64-0:3.10.0-1062.4.1.el7
kernel-devel-0:3.10.0-1062.4.1.el7
kernel-doc-0:3.10.0-1062.4.1.el7
kernel-headers-0:3.10.0-1062.4.1.el7
kernel-kdump-0:3.10.0-1062.4.1.el7
kernel-kdump-debuginfo-0:3.10.0-1062.4.1.el7
kernel-kdump-devel-0:3.10.0-1062.4.1.el7
kernel-tools-0:3.10.0-1062.4.1.el7
kernel-tools-debuginfo-0:3.10.0-1062.4.1.el7
kernel-tools-libs-0:3.10.0-1062.4.1.el7
kernel-tools-libs-devel-0:3.10.0-1062.4.1.el7
perf-0:3.10.0-1062.4.1.el7
perf-debuginfo-0:3.10.0-1062.4.1.el7
python-perf-0:3.10.0-1062.4.1.el7
python-perf-debuginfo-0:3.10.0-1062.4.1.el7
kpatch-patch-3_10_0-1062-0:1-5.el7
kpatch-patch-3_10_0-1062-debuginfo-0:1-5.el7
kpatch-patch-3_10_0-1062_1_1-0:1-4.el7
kpatch-patch-3_10_0-1062_1_1-debuginfo-0:1-4.el7
kpatch-patch-3_10_0-1062_1_2-0:1-3.el7
kpatch-patch-3_10_0-1062_1_2-debuginfo-0:1-3.el7
kernel-rt-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-debug-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-debug-debuginfo-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-debug-devel-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-debug-kvm-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-debug-kvm-debuginfo-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-debuginfo-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-debuginfo-common-x86_64-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-devel-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-doc-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-kvm-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-kvm-debuginfo-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-trace-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-trace-debuginfo-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-trace-devel-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-trace-kvm-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-trace-kvm-debuginfo-0:3.10.0-1062.4.1.rt56.1027.el7
kernel-rt-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-debug-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-debug-debuginfo-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-debug-devel-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-debuginfo-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-debuginfo-common-x86_64-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-devel-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-doc-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-firmware-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-trace-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-trace-debuginfo-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-trace-devel-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-vanilla-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-vanilla-debuginfo-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-rt-vanilla-devel-1:3.10.0-693.60.1.rt56.654.el6rt
kernel-0:3.10.0-693.60.1.el7
kernel-abi-whitelists-0:3.10.0-693.60.1.el7
kernel-bootwrapper-0:3.10.0-693.60.1.el7
kernel-debug-0:3.10.0-693.60.1.el7
kernel-debug-debuginfo-0:3.10.0-693.60.1.el7
kernel-debug-devel-0:3.10.0-693.60.1.el7
kernel-debuginfo-0:3.10.0-693.60.1.el7
kernel-debuginfo-common-ppc64le-0:3.10.0-693.60.1.el7
kernel-debuginfo-common-x86_64-0:3.10.0-693.60.1.el7
kernel-devel-0:3.10.0-693.60.1.el7
kernel-doc-0:3.10.0-693.60.1.el7
kernel-headers-0:3.10.0-693.60.1.el7
kernel-tools-0:3.10.0-693.60.1.el7
kernel-tools-debuginfo-0:3.10.0-693.60.1.el7
kernel-tools-libs-0:3.10.0-693.60.1.el7
kernel-tools-libs-devel-0:3.10.0-693.60.1.el7
perf-0:3.10.0-693.60.1.el7
perf-debuginfo-0:3.10.0-693.60.1.el7
python-perf-0:3.10.0-693.60.1.el7
python-perf-debuginfo-0:3.10.0-693.60.1.el7
kernel-0:4.14.0-115.14.1.el7a
kernel-abi-whitelists-0:4.14.0-115.14.1.el7a
kernel-bootwrapper-0:4.14.0-115.14.1.el7a
kernel-debug-0:4.14.0-115.14.1.el7a
kernel-debug-debuginfo-0:4.14.0-115.14.1.el7a
kernel-debug-devel-0:4.14.0-115.14.1.el7a
kernel-debuginfo-0:4.14.0-115.14.1.el7a
kernel-debuginfo-common-aarch64-0:4.14.0-115.14.1.el7a
kernel-debuginfo-common-ppc64le-0:4.14.0-115.14.1.el7a
kernel-debuginfo-common-s390x-0:4.14.0-115.14.1.el7a
kernel-devel-0:4.14.0-115.14.1.el7a
kernel-doc-0:4.14.0-115.14.1.el7a
kernel-headers-0:4.14.0-115.14.1.el7a
kernel-kdump-0:4.14.0-115.14.1.el7a
kernel-kdump-debuginfo-0:4.14.0-115.14.1.el7a
kernel-kdump-devel-0:4.14.0-115.14.1.el7a
kernel-tools-0:4.14.0-115.14.1.el7a
kernel-tools-debuginfo-0:4.14.0-115.14.1.el7a
kernel-tools-libs-0:4.14.0-115.14.1.el7a
kernel-tools-libs-devel-0:4.14.0-115.14.1.el7a
perf-0:4.14.0-115.14.1.el7a
perf-debuginfo-0:4.14.0-115.14.1.el7a
python-perf-0:4.14.0-115.14.1.el7a
python-perf-debuginfo-0:4.14.0-115.14.1.el7a
kernel-0:3.10.0-514.70.1.el7
kernel-abi-whitelists-0:3.10.0-514.70.1.el7
kernel-bootwrapper-0:3.10.0-514.70.1.el7
kernel-debug-0:3.10.0-514.70.1.el7
kernel-debug-debuginfo-0:3.10.0-514.70.1.el7
kernel-debug-devel-0:3.10.0-514.70.1.el7
kernel-debuginfo-0:3.10.0-514.70.1.el7
kernel-debuginfo-common-ppc64le-0:3.10.0-514.70.1.el7
kernel-debuginfo-common-x86_64-0:3.10.0-514.70.1.el7
kernel-devel-0:3.10.0-514.70.1.el7
kernel-doc-0:3.10.0-514.70.1.el7
kernel-headers-0:3.10.0-514.70.1.el7
kernel-tools-0:3.10.0-514.70.1.el7
kernel-tools-debuginfo-0:3.10.0-514.70.1.el7
kernel-tools-libs-0:3.10.0-514.70.1.el7
kernel-tools-libs-devel-0:3.10.0-514.70.1.el7
perf-0:3.10.0-514.70.1.el7
perf-debuginfo-0:3.10.0-514.70.1.el7
python-perf-0:3.10.0-514.70.1.el7
python-perf-debuginfo-0:3.10.0-514.70.1.el7
bpftool-0:3.10.0-957.38.1.el7
kernel-0:3.10.0-957.38.1.el7
kernel-abi-whitelists-0:3.10.0-957.38.1.el7
kernel-bootwrapper-0:3.10.0-957.38.1.el7
kernel-debug-0:3.10.0-957.38.1.el7
kernel-debug-debuginfo-0:3.10.0-957.38.1.el7
kernel-debug-devel-0:3.10.0-957.38.1.el7
kernel-debuginfo-0:3.10.0-957.38.1.el7
kernel-debuginfo-common-ppc64-0:3.10.0-957.38.1.el7
kernel-debuginfo-common-ppc64le-0:3.10.0-957.38.1.el7
kernel-debuginfo-common-s390x-0:3.10.0-957.38.1.el7
kernel-debuginfo-common-x86_64-0:3.10.0-957.38.1.el7
kernel-devel-0:3.10.0-957.38.1.el7
kernel-doc-0:3.10.0-957.38.1.el7
kernel-headers-0:3.10.0-957.38.1.el7
kernel-kdump-0:3.10.0-957.38.1.el7
kernel-kdump-debuginfo-0:3.10.0-957.38.1.el7
kernel-kdump-devel-0:3.10.0-957.38.1.el7
kernel-tools-0:3.10.0-957.38.1.el7
kernel-tools-debuginfo-0:3.10.0-957.38.1.el7
kernel-tools-libs-0:3.10.0-957.38.1.el7
kernel-tools-libs-devel-0:3.10.0-957.38.1.el7
perf-0:3.10.0-957.38.1.el7
perf-debuginfo-0:3.10.0-957.38.1.el7
python-perf-0:3.10.0-957.38.1.el7
python-perf-debuginfo-0:3.10.0-957.38.1.el7
kpatch-patch-3_10_0-957_35_1-0:1-2.el7
kpatch-patch-3_10_0-957_35_1-debuginfo-0:1-2.el7
kpatch-patch-3_10_0-957_35_2-0:1-1.el7
kpatch-patch-3_10_0-957_35_2-debuginfo-0:1-1.el7
kernel-rt-0:4.18.0-147.rt24.93.el8
kernel-rt-core-0:4.18.0-147.rt24.93.el8
kernel-rt-debug-0:4.18.0-147.rt24.93.el8
kernel-rt-debug-core-0:4.18.0-147.rt24.93.el8
kernel-rt-debug-debuginfo-0:4.18.0-147.rt24.93.el8
kernel-rt-debug-devel-0:4.18.0-147.rt24.93.el8
kernel-rt-debug-kvm-0:4.18.0-147.rt24.93.el8
kernel-rt-debug-kvm-debuginfo-0:4.18.0-147.rt24.93.el8
kernel-rt-debug-modules-0:4.18.0-147.rt24.93.el8
kernel-rt-debug-modules-extra-0:4.18.0-147.rt24.93.el8
kernel-rt-debuginfo-0:4.18.0-147.rt24.93.el8
kernel-rt-debuginfo-common-x86_64-0:4.18.0-147.rt24.93.el8
kernel-rt-devel-0:4.18.0-147.rt24.93.el8
kernel-rt-kvm-0:4.18.0-147.rt24.93.el8
kernel-rt-kvm-debuginfo-0:4.18.0-147.rt24.93.el8
kernel-rt-modules-0:4.18.0-147.rt24.93.el8
kernel-rt-modules-extra-0:4.18.0-147.rt24.93.el8
bpftool-0:4.18.0-147.el8
bpftool-debuginfo-0:4.18.0-147.el8
kernel-0:4.18.0-147.el8
kernel-abi-whitelists-0:4.18.0-147.el8
kernel-core-0:4.18.0-147.el8
kernel-cross-headers-0:4.18.0-147.el8
kernel-debug-0:4.18.0-147.el8
kernel-debug-core-0:4.18.0-147.el8
kernel-debug-debuginfo-0:4.18.0-147.el8
kernel-debug-devel-0:4.18.0-147.el8
kernel-debug-modules-0:4.18.0-147.el8
kernel-debug-modules-extra-0:4.18.0-147.el8
kernel-debuginfo-0:4.18.0-147.el8
kernel-debuginfo-common-aarch64-0:4.18.0-147.el8
kernel-debuginfo-common-ppc64le-0:4.18.0-147.el8
kernel-debuginfo-common-s390x-0:4.18.0-147.el8
kernel-debuginfo-common-x86_64-0:4.18.0-147.el8
kernel-devel-0:4.18.0-147.el8
kernel-doc-0:4.18.0-147.el8
kernel-headers-0:4.18.0-147.el8
kernel-modules-0:4.18.0-147.el8
kernel-modules-extra-0:4.18.0-147.el8
kernel-tools-0:4.18.0-147.el8
kernel-tools-debuginfo-0:4.18.0-147.el8
kernel-tools-libs-0:4.18.0-147.el8
kernel-tools-libs-devel-0:4.18.0-147.el8
kernel-zfcpdump-0:4.18.0-147.el8
kernel-zfcpdump-core-0:4.18.0-147.el8
kernel-zfcpdump-debuginfo-0:4.18.0-147.el8
kernel-zfcpdump-devel-0:4.18.0-147.el8
kernel-zfcpdump-modules-0:4.18.0-147.el8
kernel-zfcpdump-modules-extra-0:4.18.0-147.el8
perf-0:4.18.0-147.el8
perf-debuginfo-0:4.18.0-147.el8
python3-perf-0:4.18.0-147.el8
python3-perf-debuginfo-0:4.18.0-147.el8
bpftool-0:4.18.0-80.15.1.el8_0
bpftool-debuginfo-0:4.18.0-80.15.1.el8_0
kernel-0:4.18.0-80.15.1.el8_0
kernel-abi-whitelists-0:4.18.0-80.15.1.el8_0
kernel-core-0:4.18.0-80.15.1.el8_0
kernel-cross-headers-0:4.18.0-80.15.1.el8_0
kernel-debug-0:4.18.0-80.15.1.el8_0
kernel-debug-core-0:4.18.0-80.15.1.el8_0
kernel-debug-debuginfo-0:4.18.0-80.15.1.el8_0
kernel-debug-devel-0:4.18.0-80.15.1.el8_0
kernel-debug-modules-0:4.18.0-80.15.1.el8_0
kernel-debug-modules-extra-0:4.18.0-80.15.1.el8_0
kernel-debuginfo-0:4.18.0-80.15.1.el8_0
kernel-debuginfo-common-aarch64-0:4.18.0-80.15.1.el8_0
kernel-debuginfo-common-ppc64le-0:4.18.0-80.15.1.el8_0
kernel-debuginfo-common-s390x-0:4.18.0-80.15.1.el8_0
kernel-debuginfo-common-x86_64-0:4.18.0-80.15.1.el8_0
kernel-devel-0:4.18.0-80.15.1.el8_0
kernel-doc-0:4.18.0-80.15.1.el8_0
kernel-headers-0:4.18.0-80.15.1.el8_0
kernel-modules-0:4.18.0-80.15.1.el8_0
kernel-modules-extra-0:4.18.0-80.15.1.el8_0
kernel-tools-0:4.18.0-80.15.1.el8_0
kernel-tools-debuginfo-0:4.18.0-80.15.1.el8_0
kernel-tools-libs-0:4.18.0-80.15.1.el8_0
kernel-zfcpdump-0:4.18.0-80.15.1.el8_0
kernel-zfcpdump-core-0:4.18.0-80.15.1.el8_0
kernel-zfcpdump-debuginfo-0:4.18.0-80.15.1.el8_0
kernel-zfcpdump-devel-0:4.18.0-80.15.1.el8_0
kernel-zfcpdump-modules-0:4.18.0-80.15.1.el8_0
kernel-zfcpdump-modules-extra-0:4.18.0-80.15.1.el8_0
perf-0:4.18.0-80.15.1.el8_0
perf-debuginfo-0:4.18.0-80.15.1.el8_0
python3-perf-0:4.18.0-80.15.1.el8_0
python3-perf-debuginfo-0:4.18.0-80.15.1.el8_0
kernel-0:3.10.0-327.86.1.el7
kernel-abi-whitelists-0:3.10.0-327.86.1.el7
kernel-debug-0:3.10.0-327.86.1.el7
kernel-debug-debuginfo-0:3.10.0-327.86.1.el7
kernel-debug-devel-0:3.10.0-327.86.1.el7
kernel-debuginfo-0:3.10.0-327.86.1.el7
kernel-debuginfo-common-x86_64-0:3.10.0-327.86.1.el7
kernel-devel-0:3.10.0-327.86.1.el7
kernel-doc-0:3.10.0-327.86.1.el7
kernel-headers-0:3.10.0-327.86.1.el7
kernel-tools-0:3.10.0-327.86.1.el7
kernel-tools-debuginfo-0:3.10.0-327.86.1.el7
kernel-tools-libs-0:3.10.0-327.86.1.el7
kernel-tools-libs-devel-0:3.10.0-327.86.1.el7
perf-0:3.10.0-327.86.1.el7
perf-debuginfo-0:3.10.0-327.86.1.el7
python-perf-0:3.10.0-327.86.1.el7
python-perf-debuginfo-0:3.10.0-327.86.1.el7

The Hacker News

id	THN:7C2166B58EF6EE65AF920B2CE0FD9845
last seen	2019-08-16
modified	2019-08-16
published	2019-08-14
reporter	The Hacker News
source	https://thehackernews.com/2019/08/bluetooth-knob-vulnerability.html
title	New Bluetooth Vulnerability Lets Attackers Spy On Encrypted Connections

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Redhat

The Hacker News

Related news

References