The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Nexus devices through an over-the-air (OTA) update. The Nexus firmware images have also been released to the [Google Developer site](<https://developers.google.com/android/nexus/images>). Security Patch Levels of October 05, 2016 or later address these issues. Refer to the [documentation](<https://support.google.com/nexus/answer/4457705#nexus_devices>) to learn how to check the security patch level. Supported Nexus devices will receive a single OTA update with the October 05, 2016 security patch level.
Partners were notified about the issues described in the bulletin on September 06, 2016 or earlier. Where applicable, source code patches for these issues have been released to the Android Open Source Project (AOSP) repository. This bulletin also includes links to patches outside of AOSP.
The most severe of these issues are Critical security vulnerabilities in device-specific code that could enable remote code execution within the context of the kernel, leading to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed.
We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google service mitigations section for details on the Android security platform protections and service protections such as [SafetyNet](<https://developer.android.com/training/safetynet/index.html>), which improve the security of the Android platform.
We encourage all customers to accept these updates to their devices.
## Announcements
* This bulletin has two security patch level strings to provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices. See Common questions and answers for additional information:
  * **2016-10-01**: Partial security patch level string. This security patch level string indicates that all issues associated with 2016-10-01 (and all previous security patch level strings) are addressed.
  * **2016-10-05**: Complete security patch level string. This security patch level string indicates that all issues associated with 2016-10-01 and 2016-10-05 (and all previous security patch level strings) are addressed.
* Supported Nexus devices will receive a single OTA update with the October 05, 2016 security patch level.
## Android and Google service mitigations
This is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.
* Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
* The Android Security team actively monitors for abuse with [Verify Apps and SafetyNet](<http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf>), which are designed to warn users about [Potentially Harmful Applications](<http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf>). Verify Apps is enabled by default on devices with [Google Mobile Services](<http://www.android.com/gms>), and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
* As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as Mediaserver.
## Acknowledgements
We would like to thank these researchers for their contributions:
* Andre Teixeira Rizzo: CVE-2016-3882
* Andrea Biondo: CVE-2016-3921
* Daniel Micay of Copperhead Security: CVE-2016-3922
* [Dmitry Vyukov](<https://github.com/google/syzkaller>) of Google: CVE-2016-7117
* dosomder: CVE-2016-3931
* Ecular Xu (徐健) of Trend Micro: CVE-2016-3920
* Gengjia Chen ([@chengjia4574](<https://twitter.com/chengjia4574>)) and [pjf](<http://weibo.com/jfpan>) of IceSword Lab, Qihoo 360 Technology Co. Ltd.: CVE-2016-6690, CVE-2016-3901, CVE-2016-6672, CVE-2016-3940, CVE-2016-3935
* [Hang Zhang](<mailto:hzhan033@ucr.edu>), [Dongdong She](<mailto:dshe002@ucr.edu>), and [Zhiyun Qian](<mailto:zhiyunq@cs.ucr.edu>) of UC Riverside: CVE-2015-8950
* Hao Chen of Alpha Team, Qihoo 360 Technology Co. Ltd.: CVE-2016-3860
* Jann Horn of Google Project Zero: CVE-2016-3900, CVE-2016-3885
* [Jason Rogena](<http://keybase.io/jasonrogena>): CVE-2016-3917
* Jianqiang Zhao ([@jianqiangzhao](<https://twitter.com/jianqiangzhao>)) and [pjf](<http://weibo.com/jfpan>) of IceSword Lab, Qihoo 360: CVE-2016-6688, CVE-2016-6677, CVE-2016-6673, CVE-2016-6687, CVE-2016-6686, CVE-2016-6681, CVE-2016-6682, CVE-2016-3930
* Joshua Drake ([@jduck](<https://twitter.com/jduck>)): CVE-2016-3920
* Maciej Szawłowski of Google security team: CVE-2016-3905
* Mark Brand of Google Project Zero: CVE-2016-6689
* [Michał Bednarski](<https://github.com/michalbednarski>): CVE-2016-3914, CVE-2016-6674, CVE-2016-3911, CVE-2016-3912
* Mingjian Zhou ([@Mingjian_Zhou](<https://twitter.com/Mingjian_Zhou>)), Chiachih Wu ([@chiachih_wu](<https://twitter.com/chiachih_wu>)), and Xuxian Jiang of [C0RE Team](<http://c0reteam.org>): CVE-2016-3933, CVE-2016-3932
* Nightwatch Cybersecurity Research ([@nightwatchcyber](<https://twitter.com/nightwatchcyber>)): CVE-2016-5348
* Roee Hay, IBM Security X-Force Researcher: CVE-2016-6678
* Samuel Tan of Google: CVE-2016-3925
* [Scott Bauer](<mailto:sbauer@plzdonthack.me>) ([@ScottyBauer1](<https://twitter.com/ScottyBauer1>)): CVE-2016-3936, CVE-2016-3928, CVE-2016-3902, CVE-2016-3937, CVE-2016-6696
* Seven Shen ([@lingtongshen](<https://twitter.com/lingtongshen>)) of Trend Micro Mobile Threat Research Team: CVE-2016-6685, CVE-2016-6683, CVE-2016-6680, CVE-2016-6679, CVE-2016-3903, CVE-2016-6693, CVE-2016-6694, CVE-2016-6695
* [Wenke Dou](<mailto:vancouverdou@gmail.com>), Mingjian Zhou ([@Mingjian_Zhou](<https://twitter.com/Mingjian_Zhou>)), Chiachih Wu ([@chiachih_wu](<https://twitter.com/chiachih_wu>)), and Xuxian Jiang of [C0RE Team](<http://c0reteam.org>): CVE-2016-3909
* Wenlin Yang and Guang Gong (龚广) ([@oldfresher](<https://twitter.com/oldfresher>)) of Alpha Team, Qihoo 360 Technology Co. Ltd.: CVE-2016-3918
* Wish Wu ([吴潍浠](<http://weibo.com/wishlinux>)) ([@wish_wu](<https://twitter.com/wish_wu>)) of [Trend Micro Inc.](<http://blog.trendmicro.com/trendlabs-security-intelligence/author/wishwu/>): CVE-2016-3924, CVE-2016-3915, CVE-2016-3916, CVE-2016-3910
* Yong Shi of Eagleye team, SCC, Huawei: CVE-2016-3938
* Zhanpeng Zhao (行之) ([@0xr0ot](<https://twitter.com/0xr0ot>)) of Security Research Lab, [Cheetah Mobile](<http://www.cmcm.com>): CVE-2016-3908
## 2016-10-01 security patch level—Vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-10-01 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Nexus devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.
### Elevation of privilege vulnerability in ServiceManager
An elevation of privilege in ServiceManager could enable a local malicious application to register arbitrary services that would normally be provided by a privileged process, such as the system_server. This issue is rated as High severity due to the possibility of service impersonation.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3900 | [A-29431260](<https://android.googlesource.com/platform/frameworks/native/+/d3c6ce463ac91ecbeb2128beb475d31d3ca6ef42>) [[2](<https://android.googlesource.com/platform/frameworks/native/+/047eec456943dc082e33220d28abb7df4e089f69>)] | High | All Nexus | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jun 15, 2016
### Elevation of privilege vulnerability in Lock Settings Service
An elevation of privilege vulnerability in Lock Settings Service could enable a local malicious application to clear the device PIN or password. This issue is rated as High because it is a local bypass of user interaction requirements for any developer or security settings modifications.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3908 | [A-30003944](<https://android.googlesource.com/platform/frameworks/base/+/96daf7d4893f614714761af2d53dfb93214a32e4>) | High | All Nexus | 6.0, 6.0.1, 7.0 | Jul 6, 2016
### Elevation of privilege vulnerability in Mediaserver
An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3909 | [A-30033990](<https://android.googlesource.com/platform/frameworks/av/+/d4271b792bdad85a80e2b83ab34c4b30b74f53ec>) [[2](<https://android.googlesource.com/platform/frameworks/av/+/c48ef757cc50906e8726a3bebc3b60716292cdba>)] | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 8, 2016
CVE-2016-3910 | [A-30148546](<https://android.googlesource.com/platform/frameworks/av/+/035cb12f392860113dce96116a5150e2fde6f0cc>) | High | All Nexus | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 13, 2016
CVE-2016-3913 | [A-30204103](<https://android.googlesource.com/platform/frameworks/av/+/0c3b93c8c2027e74af642967eee5c142c8fd185d>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 18, 2016
### Elevation of privilege vulnerability in Zygote process
An elevation of privilege in the Zygote process could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3911 | [A-30143607](<https://android.googlesource.com/platform/frameworks/base/+/2c7008421cb67f5d89f16911bdbe36f6c35311ad>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 12, 2016
### Elevation of privilege vulnerability in framework APIs
An elevation of privilege vulnerability in the framework APIs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3912 | [A-30202481](<https://android.googlesource.com/platform/frameworks/base/+/6c049120c2d749f0c0289d822ec7d0aa692f55c5>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 17, 2016
### Elevation of privilege vulnerability in Telephony
An elevation of privilege vulnerability in the Telephony component could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3914 | [A-30481342](<https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/3a3a5d145d380deef2d5b7c3150864cd04be397f>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 28, 2016
### Elevation of privilege vulnerability in Camera service
An elevation of privilege vulnerability in the Camera service could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3915 | [A-30591838](<https://android.googlesource.com/platform/system/media/+/e9e44f797742f52996ebf307740dad58c28fd9b5>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Aug 1, 2016
CVE-2016-3916 | [A-30741779](<https://android.googlesource.com/platform/system/media/+/8e7a2b4d13bff03973dbad2bfb88a04296140433>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Aug 2, 2016
### Elevation of privilege vulnerability in fingerprint login
An elevation of privilege vulnerability during fingerprint login could enable a malicious device owner to log in as a different user account on the device. This issue is rated as High due to the possibility of a lockscreen bypass.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3917 | [A-30744668](<https://android.googlesource.com/platform/frameworks/base/+/f5334952131afa835dd3f08601fb3bced7b781cd>) | High | All Nexus | 6.0.1, 7.0 | Aug 5, 2016
### Information disclosure vulnerability in AOSP Mail
An information disclosure vulnerability in AOSP Mail could enable a local malicious application to bypass operating system protections that isolate application data from other applications. This issue is rated as High because it could be used to access data without permission.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3918 | [A-30745403](<https://android.googlesource.com/platform/packages/apps/Email/+/6b2b0bd7c771c698f11d7be89c2c57c8722c7454>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Aug 5, 2016
### Denial of service vulnerability in Wi-Fi
A denial of service vulnerability in Wi-Fi could enable a local proximate attacker to create a hotspot and cause a device reboot. This issue is rated as High due to the possibility of a temporary remote denial of service.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3882 | [A-29464811](<https://android.googlesource.com/platform/frameworks/opt/net/wifi/+/35a86eef3c0eef760f7e61c52a343327ba601630>) | High | All Nexus | 6.0, 6.0.1, 7.0 | Jun 17, 2016
### Denial of service vulnerability in GPS
A denial of service vulnerability in the GPS component could enable a remote attacker to cause a device hang or reboot. This issue is rated as High due to the possibility of a temporary remote denial of service.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-5348 | [A-29555864](<https://android.googlesource.com/platform/frameworks/base/+/218b813d5bc2d7d3952ea1861c38b4aa944ac59b>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jun 20, 2016
### Denial of service vulnerability in Mediaserver
A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3920 | [A-30744884](<https://android.googlesource.com/platform/frameworks/av/+/6d0249be2275fd4086783f259f4e2c54722a7c55>) | High | All Nexus | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Aug 5, 2016
### Elevation of privilege vulnerability in Framework Listener
An elevation of privilege vulnerability in Framework Listener could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Moderate because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3921 | [A-29831647](<https://android.googlesource.com/platform/system/core/+/771ab014c24a682b32990da08e87e2f0ab765bd2>) | Moderate | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jun 25, 2016
### Elevation of privilege vulnerability in Telephony
An elevation of privilege vulnerability in Telephony could enable a local malicious application to execute arbitrary code in the context of a privileged process. This issue is rated as Moderate because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3922 | [A-30202619](<https://android.googlesource.com/platform/hardware/ril/+/95610818918f6f11fe7d23aca1380e6c0fac2af0>) | Moderate | All Nexus | 6.0, 6.0.1, 7.0 | Jul 17, 2016
### Elevation of privilege vulnerability in Accessibility services
An elevation of privilege vulnerability in the Accessibility services could enable a local malicious application to generate unexpected touch events on the device that could lead to applications accepting permission dialogs without the user’s explicit consent. This issue is rated as Moderate because it is a local bypass of user interaction requirements that would normally require either user initiation or user permission.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3923 | [A-30647115](<https://android.googlesource.com/platform/frameworks/base/+/5f256310187b4ff2f13a7abb9afed9126facd7bc>) | Moderate | All Nexus | 7.0 | Google internal
### Information disclosure vulnerability in Mediaserver
An information disclosure vulnerability in Mediaserver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3924 | [A-30204301](<https://android.googlesource.com/platform/frameworks/av/+/c894aa36be535886a8e5ff02cdbcd07dd24618f6>) | Moderate | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 18, 2016
### Denial of service vulnerability in Wi-Fi
A denial of service vulnerability in the Wi-Fi service could enable a local malicious application to prevent Wi-Fi calling. This issue is rated as Moderate due to the possibility of a denial of service to application functionality.
CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3925 | [A-30230534](<https://android.googlesource.com/platform/frameworks/opt/net/wifi/+/c2905409c20c8692d4396b8531b09e7ec81fa3fb>) | Moderate | All Nexus | 6.0, 6.0.1, 7.0 | Google internal
## 2016-10-05 security patch level—Vulnerability details
In the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-10-05 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Nexus devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.
### Remote code execution vulnerability in kernel ASN.1 decoder
An elevation of privilege vulnerability in the kernel ASN.1 decoder could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-0758 | A-29814470 [Upstream kernel](<http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa>) | Critical | Nexus 5X, Nexus 6P | May 12, 2016
### Remote code execution vulnerability in kernel networking subsystem
A remote code execution vulnerability in the kernel networking subsystem could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-7117 | A-30515201 [Upstream kernel](<http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b88a68f26a75e4fded796f1a49c40f82234b7d>) | Critical | All Nexus | Google internal
### Elevation of privilege vulnerability in MediaTek video driver
An elevation of privilege vulnerability in the MediaTek video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3928 | A-30019362* M-ALPS02829384 | Critical | None | Jul 6, 2016
\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Elevation of privilege vulnerability in kernel shared memory driver
An elevation of privilege vulnerability in the kernel shared memory driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-5340 | A-30652312 [QC-CR#1008948](<https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=06e51489061e5473b4e2035c79dcf7c27a6f75a6>) | Critical | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One | Jul 26, 2016
### Vulnerabilities in Qualcomm components
The table below lists security vulnerabilities affecting Qualcomm components; they are described in further detail in the Qualcomm AMSS March 2016 and Qualcomm AMSS April 2016 security bulletins.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3926 | A-28823953* | Critical | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P | Qualcomm internal
CVE-2016-3927 | A-28823244* | Critical | Nexus 5X, Nexus 6P | Qualcomm internal
CVE-2016-3929 | A-28823675* | High | Nexus 5X, Nexus 6P | Qualcomm internal
\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Elevation of privilege vulnerability in Qualcomm networking component
An elevation of privilege vulnerability in the Qualcomm networking component could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-2059 | A-27045580 [QC-CR#974577](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9e8bdd63f7011dff5523ea435433834b3702398d>) | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One | Feb 4, 2016
### Elevation of privilege vulnerability in NVIDIA MMC test driver
An elevation of privilege vulnerability in the NVIDIA MMC test driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3930 | A-28760138* N-CVE-2016-3930 | High | Nexus 9 | May 12, 2016
\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Elevation of privilege vulnerability in Qualcomm QSEE Communicator driver
An elevation of privilege vulnerability in the Qualcomm QSEE Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3931 | A-29157595 [QC-CR#1036418](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e80b88323f9ff0bb0e545f209eec08ec56fca816>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One | Jun 4, 2016
### Elevation of privilege vulnerability in Mediaserver
An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3932 | A-29161895 M-ALPS02770870 | High | None | Jun 6, 2016
CVE-2016-3933 | A-29421408* N-CVE-2016-3933 | High | Nexus 9, Pixel C | Jun 14, 2016
\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Elevation of privilege vulnerability in Qualcomm camera driver
An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3903 | A-29513227 [QC-CR#1040857](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b8874573428e8ce024f57c6242d662fcca5e5d55>) | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One | Jun 20, 2016
CVE-2016-3934 | A-30102557 [QC-CR#789704](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=27fbeb6b025d5d46ccb0497cbed4c6e78ed1c5cc>) | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One | Jul 12, 2016
### Elevation of privilege vulnerability in Qualcomm sound driver
An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2015-8951 | A-30142668 [QC-CR#948902](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=APSS.FSM.3.0&id=ccff36b07bfc49efc77b9f1b55ed2bf0900b1d5b>) | High | Nexus 5X, Nexus 6P, Android One | Jun 20, 2016
### Elevation of privilege vulnerability in Qualcomm crypto engine driver
An elevation of privilege vulnerability in the Qualcomm cryptographic engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3901 | A-29999161 [QC-CR#1046434](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=5f69ccf3b011c1d14a1b1b00dbaacf74307c9132>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One | Jul 6, 2016
CVE-2016-3935 | A-29999665 [QC-CR#1046507](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=5f69ccf3b011c1d14a1b1b00dbaacf74307c9132>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One | Jul 6, 2016
### Elevation of privilege vulnerability in MediaTek video driver
An elevation of privilege vulnerability in the MediaTek video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3936 | A-30019037* M-ALPS02829568 | High | None | Jul 6, 2016
CVE-2016-3937 | A-30030994* M-ALPS02834874 | High | None | Jul 7, 2016
\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Elevation of privilege vulnerability in Qualcomm video driver
An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3938 | A-30019716 [QC-CR#1049232](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=467c81f9736b1ebc8d4ba70f9221bba02425ca10>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One | Jul 7, 2016
CVE-2016-3939 | A-30874196 [QC-CR#1001224](<https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=e0bb18771d6ca71db2c2a61226827059be3fa424>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One | Aug 15, 2016
### Elevation of privilege vulnerability in Synaptics touchscreen driver
An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3940 | A-30141991* | High | Nexus 6P, Android One | Jul 12, 2016
CVE-2016-6672 | A-30537088* | High | Nexus 5X | Jul 31, 2016
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Elevation of privilege vulnerability in NVIDIA camera driver
An elevation of privilege vulnerability in the NVIDIA camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6673 | A-30204201* N-CVE-2016-6673 | High | Nexus 9 | Jul 17, 2016
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Elevation of privilege vulnerability in system_server
An elevation of privilege vulnerability in system_server could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6674 | A-30445380* | High | All Nexus | Jul 26, 2016
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Elevation of privilege vulnerability in Qualcomm Wi-Fi driver
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3905 | A-28061823 [QC-CR#1001449](<https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=b5112838eb91b71eded4b5ee37338535784e0aef>) | High | Nexus 5X | Google internal
CVE-2016-6675 | A-30873776 [QC-CR#1000861](<https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/prima/commit/?id=1353fa0bd0c78427f3ae7d9bde7daeb75bd01d09>) | High | Nexus 5X, Android One | Aug 15, 2016
CVE-2016-6676 | A-30874066 [QC-CR#1000853](<https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=6ba9136879232442a182996427e5c88e5a7512a8>) | High | Nexus 5X, Android One | Aug 15, 2016
CVE-2016-5342 | A-30878283 [QC-CR#1032174](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=579e796cb089324c55e0e689a180575ba81b23d9>) | High | Android One | Aug 15, 2016
### Elevation of privilege vulnerability in kernel performance subsystem
An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2015-8955 | A-29508816 [Upstream kernel](<https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8fff105e13041e49b82f92eef034f363a6b1c071>) | High | Nexus 5X, Nexus 6P, Pixel C, Android One | Google internal
### Information disclosure vulnerability in kernel ION subsystem
An information disclosure vulnerability in the kernel ION subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2015-8950 | A-29795245 [QC-CR#1041735](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=6e2c437a2d0a85d90d3db85a7471f99764f7bbf8>) | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P | May 12, 2016
### Information disclosure vulnerability in NVIDIA GPU driver
An information disclosure vulnerability in the NVIDIA GPU driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6677 | A-30259955* N-CVE-2016-6677 | High | Nexus 9 | Jul 19, 2016
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Elevation of privilege vulnerability in Qualcomm character driver
An elevation of privilege vulnerability in the Qualcomm character driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process, and the vulnerable code is currently not accessible.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2015-0572 | A-29156684 [QC-CR#848489](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=34ad3d34fbff11b8e1210b9da0dac937fb956b61>) | Moderate | Nexus 5X, Nexus 6P | May 28, 2016
### Information disclosure vulnerability in Qualcomm sound driver
An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3860 | A-29323142 [QC-CR#1038127](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/diff/sound/soc/msm/qdsp6v2/audio_calibration.c?id=528976f54be246ec93a71ac53aa4faf3e3791c48>) | Moderate | Nexus 5X, Nexus 6P, Android One | Jun 13, 2016
### Information disclosure vulnerability in Motorola USBNet driver
An information disclosure vulnerability in the Motorola USBNet driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6678 | A-29914434* | Moderate | Nexus 6 | Jun 30, 2016
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Information disclosure vulnerability in Qualcomm components
An information disclosure vulnerability in Qualcomm components, including the sound driver, IPA driver, and Wi-Fi driver, could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6679 | A-29915601 [QC-CR#1000913](<https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=d39345f0abc309959d831d09fcbf1619cc0ae0f5>) [[2](<https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=f081695446679aa44baa0d00940ea18455eeb4c5>)] | Moderate | Nexus 5X, Android One | Jun 30, 2016
CVE-2016-3902 | A-29953313* [QC-CR#1044072](<https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2fca425d781572393fbe51abe2e27a932d24a768>) | Moderate | Nexus 5X, Nexus 6P | Jul 2, 2016
CVE-2016-6680 | A-29982678* [QC-CR#1048052](<https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=2f2fa073b95d4700de88c0f7558b4a18c13ac552>) | Moderate | Nexus 5X, Android One | Jul 3, 2016
CVE-2016-6681 | A-30152182 [QC-CR#1049521](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=0950fbd39ff189497f1b6115825c210e3eeaf395>) | Moderate | Nexus 5X, Nexus 6P, Android One | Jul 14, 2016
CVE-2016-6682 | A-30152501 [QC-CR#1049615](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=0950fbd39ff189497f1b6115825c210e3eeaf395>) | Moderate | Nexus 5X, Nexus 6P, Android One | Jul 14, 2016
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Information disclosure vulnerability in kernel components
An information disclosure vulnerability in kernel components, including Binder, Sync, Bluetooth, and Sound driver, could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6683 | A-30143283* | Moderate | All Nexus | Jul 13, 2016
CVE-2016-6684 | A-30148243* | Moderate | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Android One | Jul 13, 2016
CVE-2015-8956 | A-30149612* | Moderate | Nexus 5, Nexus 6P, Android One | Jul 14, 2016
CVE-2016-6685 | A-30402628* | Moderate | Nexus 6P | Jul 25, 2016
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Information disclosure vulnerability in NVIDIA profiler
An information disclosure vulnerability in the NVIDIA profiler could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6686 | A-30163101* N-CVE-2016-6686 | Moderate | Nexus 9 | Jul 15, 2016
CVE-2016-6687 | A-30162222* N-CVE-2016-6687 | Moderate | Nexus 9 | Jul 15, 2016
CVE-2016-6688 | A-30593080* N-CVE-2016-6688 | Moderate | Nexus 9 | Aug 2, 2016
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Information disclosure vulnerability in kernel
An information disclosure vulnerability in Binder could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6689 | A-30768347* | Moderate | All Nexus | Aug 9, 2016
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Denial of service vulnerability in kernel networking subsystem
A denial of service vulnerability in the kernel networking subsystem could enable an attacker to block access to TCP connections and cause a temporary remote denial of service. This issue is rated as Moderate because cellular services are still available and the device is still usable.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-5696 | A-30809774 [Upstream kernel](<http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758>) | Moderate | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, Android One | Jul 12, 2016
### Denial of service vulnerability in kernel sound driver
A denial of service vulnerability in the kernel sound driver could allow a local malicious application to cause a device reboot. This issue is rated as Low because it is a temporary denial of service.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6690 | A-28838221* | Low | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus Player | May 18, 2016
* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).
### Vulnerabilities in Qualcomm components
The table below contains a list of security vulnerabilities that affect Qualcomm components.
CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6691 | [QC-CR#978452](<https://source.codeaurora.org/quic/la//platform/frameworks/opt/net/wifi/commit/?id=343f123c396b2a97fc7cce396cd5d99365cb9131>) | High | None | Jul 2016
CVE-2016-6692 | [QC-CR#1004933](<https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=0f0e7047d39f9fb3a1a7f389918ff79cdb4a50b3>) | High | None | Aug 2016
CVE-2016-6693 | [QC-CR#1027585](<https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=ac328eb631fa74a63d5d2583e6bfeeb5a7a2df65>) | High | None | Aug 2016
CVE-2016-6694 | [QC-CR#1033525](<https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=961e38553aae8ba9b1af77c7a49acfbb7b0b6f62>) | High | None | Aug 2016
CVE-2016-6695 | [QC-CR#1033540](<https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=c319c2b0926d1ea5edb4d0778d88bd3ce37c4b95>) | High | None | Aug 2016
CVE-2016-6696 | [QC-CR#1041130](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c3c9341bfdf93606983f893a086cb33a487306e5>) | High | None | Aug 2016
CVE-2016-5344 | [QC-CR#993650](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=64e15c36d6c1c57dc2d95a3f163bc830a469fc20>) | Moderate | None | Aug 2016
CVE-2016-5343 | [QC-CR#1010081](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=6927e2e0af4dcac357be86ba563c9ae12354bb08>) | Moderate | None | Aug 2016
## Common Questions and Answers
This section answers common questions that may occur after reading this bulletin.
**1\. How do I determine if my device is updated to address these issues?**
Security Patch Levels of 2016-10-01 or later address all issues associated with the 2016-10-01 security patch string level. Security Patch Levels of 2016-10-05 or later address all issues associated with the 2016-10-05 security patch string level. Refer to the [help center](<https://support.google.com/nexus/answer/4457705>) for instructions on how to check the security patch level. Device manufacturers that include these updates should set the patch string level to: [ro.build.version.security_patch]:[2016-10-01] or [ro.build.version.security_patch]:[2016-10-05].
**2\. Why does this bulletin have two security patch level strings?**
This bulletin has two security patch level strings so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level string.
Devices that use the security patch level of October 5, 2016 or newer must include all applicable patches in this (and previous) security bulletins.
Devices that use the October 1, 2016 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
**3\. How do I determine which Nexus devices are affected by each issue?**
In the 2016-10-01 and 2016-10-05 security vulnerability details sections, each table has an _Updated Nexus devices_ column that covers the range of affected Nexus devices updated for each issue. This column has a few options:
* **All Nexus devices**: If an issue affects all Nexus devices, the table will have “All Nexus” in the _Updated Nexus devices_ column. “All Nexus” encapsulates the following [supported devices](<https://support.google.com/nexus/answer/4457705#nexus_devices>): Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player and Pixel C.
* **Some Nexus devices**: If an issue doesn’t affect all Nexus devices, the affected Nexus devices are listed in the _Updated Nexus devices_ column.
* **No Nexus devices**: If no Nexus devices running Android 7.0 are affected by the issue, the table will have “None” in the _Updated Nexus devices_ column.
**4\. What do the entries in the references column map to?**
Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs. These prefixes map as follows:
Prefix | Reference
---|---
A- | Android bug ID
QC- | Qualcomm reference number
M- | MediaTek reference number
N- | NVIDIA reference number
B- | Broadcom reference number
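As an added example (not code from the bulletin or from AOSP), the following Python parses vulnerability rows in the table format used above into structured records using this prefix table and the `*` "patch not publicly available" marker, and classifies a device's `ro.build.version.security_patch` value against the two patch level strings from questions 1 and 2. The sample rows are copied from the tables above; the device patch level values are constructed.

```python
"""Parse rows of the Android Security Bulletin tables and check a device's
security patch level against this bulletin's two patch level strings.

Added example, not code from the bulletin or AOSP. The sample rows are copied
from the October 2016 bulletin; the device patch level values are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date

# Reference-prefix mapping, from question 4 of the bulletin.
PREFIXES = {
    "A-": "Android bug ID",
    "QC-": "Qualcomm reference number",
    "M-": "MediaTek reference number",
    "N-": "NVIDIA reference number",
    "B-": "Broadcom reference number",
}
# "All Nexus" expands to the supported devices listed in question 3.
ALL_NEXUS = ["Nexus 5", "Nexus 5X", "Nexus 6", "Nexus 6P", "Nexus 9",
             "Android One", "Nexus Player", "Pixel C"]
# The two patch level strings this bulletin defines (questions 1 and 2).
PARTIAL_LEVEL = "2016-10-01"
COMPLETE_LEVEL = "2016-10-05"

# "[[2](<url>)]" marks a further change for the same bug and carries no
# identifier of its own, so it is dropped before links are reduced to text.
_EXTRA = re.compile(r"\[\[\d+\]\([^)]*\)\]")
# "[QC-CR#1049232](<url>)" -> "QC-CR#1049232"
_LINK = re.compile(r"\[([^\]]+)\]\([^)]*\)")

@dataclass
class Entry:
    cve: str
    references: dict  # identifier -> (organization, patch_is_public)
    severity: str
    devices: list     # updated Nexus devices, "All Nexus" already expanded
    date_reported: str

def parse_reference(token):
    """Split one reference token into (identifier, organization, public).

    A trailing '*' is the bulletin's marker that the patch is not public and
    ships only in the Nexus binary drivers.
    """
    public = not token.endswith("*")
    ident = token.rstrip("*")
    org = next((name for p, name in PREFIXES.items() if ident.startswith(p)),
               "unknown prefix")
    return ident, org, public

def parse_row(line):
    """Parse one '|'-separated row of a 2016-10-05 section table."""
    cells = [c.strip() for c in line.split("|")]
    if len(cells) != 5 or not cells[0].startswith("CVE-"):
        raise ValueError(f"not a vulnerability row: {line!r}")
    refs = {}
    for token in _LINK.sub(r"\1", _EXTRA.sub("", cells[1])).split():
        ident, org, public = parse_reference(token)
        refs[ident] = (org, public)
    if cells[3] == "None":
        devices = []
    elif cells[3] == "All Nexus":
        devices = list(ALL_NEXUS)
    else:  # some rows end with a stray comma, so drop empty names
        devices = [d.strip() for d in cells[3].split(",") if d.strip()]
    return Entry(cells[0], refs, cells[2], devices, cells[4])

def coverage(device_level):
    """Classify a device's ro.build.version.security_patch value against this
    bulletin as 'complete', 'partial' or 'none'. Levels compare as dates, since
    a level of October 5, 2016 or newer includes this and all earlier bulletins."""
    level = date.fromisoformat(device_level)
    if level >= date.fromisoformat(COMPLETE_LEVEL):
        return "complete"
    if level >= date.fromisoformat(PARTIAL_LEVEL):
        return "partial"
    return "none"

def needs_update(entry, model, device_level):
    """True if `model` is listed for `entry` and the device has not reached the
    2016-10-05 level that addresses these device-specific issues."""
    return model in entry.devices and coverage(device_level) != "complete"

# Sample rows copied from the bulletin's 2016-10-05 tables.
SAMPLE_ROWS = [
    "CVE-2016-3938 | A-30019716 [QC-CR#1049232](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=467c81f9736b1ebc8d4ba70f9221bba02425ca10>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One | Jul 7, 2016",
    "CVE-2016-6673 | A-30204201* N-CVE-2016-6673 | High | Nexus 9 | Jul 17, 2016",
    "CVE-2016-6679 | A-29915601 [QC-CR#1000913](<https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=d39345f0abc309959d831d09fcbf1619cc0ae0f5>) [[2](<https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=f081695446679aa44baa0d00940ea18455eeb4c5>)] | Moderate | Nexus 5X, Android One | Jun 30, 2016",
    "CVE-2016-6683 | A-30143283* | Moderate | All Nexus | Jul 13, 2016",
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:  # constructed device: a Nexus 5X still on 2016-10-01
        e = parse_row(row)
        print(e.cve, e.severity, e.references, needs_update(e, "Nexus 5X", "2016-10-01"))
```

The value to feed `coverage` on a real device is the output of `adb shell getprop ro.build.version.security_patch`.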
## Revisions
* October 03, 2016: Bulletin published.
* October 04, 2016: Bulletin revised to include AOSP links and update attributions for CVE-2016-3920, CVE-2016-6693, CVE-2016-6694, CVE-2016-6695, and CVE-2016-6696.
{"id": "ANDROID:2016-10-01", "vendorId": null, "type": "androidsecurity", "bulletinFamily": "software", "title": "Android Security Bulletin\u2014October 2016", "description": "The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Nexus devices through an over-the-air (OTA) update. The Nexus firmware images have also been released to the [Google Developer site](<https://developers.google.com/android/nexus/images>). Security Patch Levels of October 05, 2016 or later address these issues. Refer to the [documentation](<https://support.google.com/nexus/answer/4457705#nexus_devices>) to learn how to check the security patch level. Supported Nexus devices will receive a single OTA update with the October 05, 2016 security patch level. \n\nPartners were notified about the issues described in the bulletin on September 06, 2016 or earlier. Where applicable, source code patches for these issues have been released to the Android Open Source Project (AOSP) repository. This bulletin also includes links to patches outside of AOSP. \n\nThe most severe of these issues are Critical security vulnerabilities in device-specific code that could enable remote code execution within the context of the kernel, leading to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are disabled for development purposes or if successfully bypassed. \n\nWe have had no reports of active customer exploitation or abuse of these newly reported issues. 
Refer to the Android and Google service mitigations section for details on the Android security platform protections and service protections such as [SafetyNet](<https://developer.android.com/training/safetynet/index.html>), which improve the security of the Android platform. \n\nWe encourage all customers to accept these updates to their devices. \n\n## Announcements\n\n * This bulletin has two security patch level strings to provide Android partners with the flexibility to more quickly fix a subset of vulnerabilities that are similar across all Android devices. See Common questions and answers for additional information: \n * **2016-10-01**: Partial security patch level string. This security patch level string indicates that all issues associated with 2016-10-01 (and all previous security patch level strings) are addressed.\n * **2016-10-05**: Complete security patch level string. This security patch level string indicates that all issues associated with 2016-10-01 and 2016-10-05 (and all previous security patch level strings) are addressed.\n * Supported Nexus devices will receive a single OTA update with the October 05, 2016 security patch level.\n\n## Android and Google service mitigations\n\nThis is a summary of the mitigations provided by the Android security platform and service protections such as SafetyNet. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android. \n\n * Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. 
We encourage all users to update to the latest version of Android where possible.\n * The Android Security team actively monitors for abuse with [Verify Apps and SafetyNet](<http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2015_Report_Final.pdf>), which are designed to warn users about [Potentially Harmful Applications](<http://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_PHA_classifications.pdf>). Verify Apps is enabled by default on devices with [Google Mobile Services](<http://www.android.com/gms>), and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application\u2014no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.\n * As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as Mediaserver.\n\n## Acknowledgements\n\nWe would like to thank these researchers for their contributions: \n\n * Andre Teixeira Rizzo: CVE-2016-3882\n * Andrea Biondo: CVE-2016-3921\n * Daniel Micay of Copperhead Security: CVE-2016-3922\n * [Dmitry Vyukov](<https://github.com/google/syzkaller>) of Google: CVE-2016-7117\n * dosomder: CVE-2016-3931\n * Ecular Xu (\u5f90\u5065) of Trend Micro: CVE-2016-3920\n * Gengjia Chen ([@chengjia4574](<https://twitter.com/chengjia4574>)) and [pjf](<http://weibo.com/jfpan>) of IceSword Lab, Qihoo 360 Technology Co. 
Ltd.: CVE-2016-6690, CVE-2016-3901, CVE-2016-6672, CVE-2016-3940, CVE-2016-3935\n * [Hang Zhang](<mailto:hzhan033@ucr.edu>), [Dongdong She](<mailto:dshe002@ucr.edu>), and [Zhiyun Qian](<mailto:zhiyunq@cs.ucr.edu>) of UC Riverside: CVE-2015-8950\n * Hao Chen of Alpha Team, Qihoo 360 Technology Co. Ltd.: CVE-2016-3860\n * Jann Horn of Google Project Zero: CVE-2016-3900, CVE-2016-3885\n * [Jason Rogena](<http://keybase.io/jasonrogena>): CVE-2016-3917\n * Jianqiang Zhao ([@jianqiangzhao](<https://twitter.com/jianqiangzhao>)) and [pjf](<http://weibo.com/jfpan>) of IceSword Lab, Qihoo 360: CVE-2016-6688, CVE-2016-6677, CVE-2016-6673, CVE-2016-6687, CVE-2016-6686, CVE-2016-6681, CVE-2016-6682, CVE-2016-3930\n * Joshua Drake ([@jduck](<https://twitter.com/jduck>)): CVE-2016-3920\n * Maciej Szaw\u0142owski of Google security team: CVE-2016-3905\n * Mark Brand of Google Project Zero: CVE-2016-6689\n * [Micha\u0142 Bednarski](<https://github.com/michalbednarski>): CVE-2016-3914, CVE-2016-6674, CVE-2016-3911, CVE-2016-3912\n * Mingjian Zhou ([@Mingjian_Zhou](<https://twitter.com/Mingjian_Zhou>)), Chiachih Wu ([@chiachih_wu](<https://twitter.com/chiachih_wu>)), and Xuxian Jiang of [C0RE Team](<http://c0reteam.org>): CVE-2016-3933, CVE-2016-3932\n * Nightwatch Cybersecurity Research ([@nightwatchcyber](<https://twitter.com/nightwatchcyber>)): CVE-2016-5348\n * Roee Hay, IBM Security X-Force Researcher: CVE-2016-6678\n * Samuel Tan of Google: CVE-2016-3925\n * [Scott Bauer](<mailto:sbauer@plzdonthack.me>) ([@ScottyBauer1](<https://twitter.com/ScottyBauer1>)): CVE-2016-3936, CVE-2016-3928, CVE-2016-3902, CVE-2016-3937, CVE-2016-6696\n * Seven Shen ([@lingtongshen](<https://twitter.com/lingtongshen>)) of Trend Micro Mobile Threat Research Team: CVE-2016-6685, CVE-2016-6683, CVE-2016-6680, CVE-2016-6679, CVE-2016-3903, CVE-2016-6693, CVE-2016-6694, CVE-2016-6695\n * [Wenke Dou](<mailto:vancouverdou@gmail.com>), Mingjian Zhou ([@Mingjian_Zhou](<https://twitter.com/Mingjian_Zhou>)), 
Chiachih Wu ([@chiachih_wu](<https://twitter.com/chiachih_wu>)), and Xuxian Jiang of [C0RE Team](<http://c0reteam.org>): CVE-2016-3909\n * Wenlin Yang and Guang Gong (\u9f9a\u5e7f) ([@oldfresher](<https://twitter.com/oldfresher>)) of Alpha Team, Qihoo 360 Technology Co. Ltd.: CVE-2016-3918\n * Wish Wu ([\u5434\u6f4d\u6d60](<http://weibo.com/wishlinux>)) ([@wish_wu)](<https://twitter.com/wish_wu>) of [Trend Micro Inc.](<http://blog.trendmicro.com/trendlabs-security-intelligence/author/wishwu/>): CVE-2016-3924, CVE-2016-3915, CVE-2016-3916, CVE-2016-3910\n * Yong Shi of Eagleye team, SCC, Huawei: CVE-2016-3938\n * Zhanpeng Zhao (\u884c\u4e4b) ([@0xr0ot](<https://twitter.com/0xr0ot>)) of Security Research Lab, [Cheetah Mobile](<http://www.cmcm.com>): CVE-2016-3908\n\n## 2016-10-01 security patch level\u2014Vulnerability details\n\nIn the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-10-01 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Nexus devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. \n\n### Elevation of privilege vulnerability in ServiceManager\n\nAn elevation of privilege in ServiceManager could enable a local malicious application to register arbitrary services that would normally be provided by a privileged process, such as the system_server. This issue is rated as High severity due to the possibility of service impersonation. 
\n\nCVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-3900 | [A-29431260](<https://android.googlesource.com/platform/frameworks/native/+/d3c6ce463ac91ecbeb2128beb475d31d3ca6ef42>) [[2](<https://android.googlesource.com/platform/frameworks/native/+/047eec456943dc082e33220d28abb7df4e089f69>)] | High | All Nexus | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jun 15, 2016 \n \n### Elevation of privilege vulnerability in Lock Settings Service\n\nAn elevation of privilege vulnerability in Lock Settings Service could enable a local malicious application to clear the device PIN or password. This issue is rated as High because it is a local bypass of user interaction requirements for any developer or security settings modifications. \n\nCVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-3908 | [A-30003944](<https://android.googlesource.com/platform/frameworks/base/+/96daf7d4893f614714761af2d53dfb93214a32e4>) | High | All Nexus | 6.0, 6.0.1, 7.0 | Jul 6, 2016 \n \n### Elevation of privilege vulnerability in Mediaserver\n\nAn elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. 
\n\nCVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-3909 | [A-30033990](<https://android.googlesource.com/platform/frameworks/av/+/d4271b792bdad85a80e2b83ab34c4b30b74f53ec>) [[2](<https://android.googlesource.com/platform/frameworks/av/+/c48ef757cc50906e8726a3bebc3b60716292cdba>)] | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 8, 2016 \nCVE-2016-3910 | [A-30148546](<https://android.googlesource.com/platform/frameworks/av/+/035cb12f392860113dce96116a5150e2fde6f0cc>) | High | All Nexus | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 13, 2016 \nCVE-2016-3913 | [A-30204103](<https://android.googlesource.com/platform/frameworks/av/+/0c3b93c8c2027e74af642967eee5c142c8fd185d>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 18, 2016 \n \n### Elevation of privilege vulnerability in Zygote process\n\nAn elevation of privilege in the Zygote process could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. \n\nCVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-3911 | [A-30143607](<https://android.googlesource.com/platform/frameworks/base/+/2c7008421cb67f5d89f16911bdbe36f6c35311ad>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 12, 2016 \n \n### Elevation of privilege vulnerability in framework APIs\n\nAn elevation of privilege vulnerability in the framework APIs could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. 
\n\nCVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-3912 | [A-30202481](<https://android.googlesource.com/platform/frameworks/base/+/6c049120c2d749f0c0289d822ec7d0aa692f55c5>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 17, 2016 \n \n### Elevation of privilege vulnerability in Telephony\n\nAn elevation of privilege vulnerability in the Telephony component could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. \n\nCVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-3914 | [A-30481342](<https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/3a3a5d145d380deef2d5b7c3150864cd04be397f>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 28, 2016 \n \n### Elevation of privilege vulnerability in Camera service\n\nAn elevation of privilege vulnerability in the Camera service could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. 
\n\nCVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-3915 | [A-30591838](<https://android.googlesource.com/platform/system/media/+/e9e44f797742f52996ebf307740dad58c28fd9b5>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Aug 1, 2016 \nCVE-2016-3916 | [A-30741779](<https://android.googlesource.com/platform/system/media/+/8e7a2b4d13bff03973dbad2bfb88a04296140433>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Aug 2, 2016 \n \n### Elevation of privilege vulnerability in fingerprint login\n\nAn elevation of privilege vulnerability during fingerprint login could enable a malicious device owner to login as a different user account on the device. This issue is rated as High due to the possibility of a lockscreen bypass. \n\nCVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-3917 | [A-30744668](<https://android.googlesource.com/platform/frameworks/base/+/f5334952131afa835dd3f08601fb3bced7b781cd>) | High | All Nexus | 6.0.1, 7.0 | Aug 5, 2016 \n \n### Information disclosure vulnerability in AOSP Mail\n\nAn information disclosure vulnerability in AOSP Mail could enable a local malicious application to bypass operating system protections that isolate application data from other applications. This issue is rated as High because it could be used to access data without permission. \n\nCVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported \n---|---|---|---|---|--- \nCVE-2016-3918 | [A-30745403](<https://android.googlesource.com/platform/packages/apps/Email/+/6b2b0bd7c771c698f11d7be89c2c57c8722c7454>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Aug 5, 2016 \n \n### Denial of service vulnerability in Wi-Fi\n\nA denial of service vulnerability in Wi-Fi could enable a local proximate attacker to create a hotspot and cause a device reboot. 
This issue is rated as High due to the possibility of a temporary remote denial of service.

CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3882 | [A-29464811](<https://android.googlesource.com/platform/frameworks/opt/net/wifi/+/35a86eef3c0eef760f7e61c52a343327ba601630>) | High | All Nexus | 6.0, 6.0.1, 7.0 | Jun 17, 2016

### Denial of service vulnerability in GPS

A denial of service vulnerability in the GPS component could enable a remote attacker to cause a device hang or reboot. This issue is rated as High due to the possibility of a temporary remote denial of service.

CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-5348 | [A-29555864](<https://android.googlesource.com/platform/frameworks/base/+/218b813d5bc2d7d3952ea1861c38b4aa944ac59b>) | High | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jun 20, 2016

### Denial of service vulnerability in Mediaserver

A denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service.

CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3920 | [A-30744884](<https://android.googlesource.com/platform/frameworks/av/+/6d0249be2275fd4086783f259f4e2c54722a7c55>) | High | All Nexus | 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Aug 5, 2016

### Elevation of privilege vulnerability in Framework Listener

An elevation of privilege vulnerability in Framework Listener could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Moderate because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3921 | [A-29831647](<https://android.googlesource.com/platform/system/core/+/771ab014c24a682b32990da08e87e2f0ab765bd2>) | Moderate | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jun 25, 2016

### Elevation of privilege vulnerability in Telephony

An elevation of privilege vulnerability in Telephony could enable a local malicious application to execute arbitrary code in the context of a privileged process. This issue is rated as Moderate because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3922 | [A-30202619](<https://android.googlesource.com/platform/hardware/ril/+/95610818918f6f11fe7d23aca1380e6c0fac2af0>) | Moderate | All Nexus | 6.0, 6.0.1, 7.0 | Jul 17, 2016

### Elevation of privilege vulnerability in Accessibility services

An elevation of privilege vulnerability in the Accessibility services could enable a local malicious application to generate unexpected touch events on the device that could lead to applications accepting permission dialogs without the user’s explicit consent. This issue is rated as Moderate because it is a local bypass of user interaction requirements that would normally require either user initiation or user permission.

CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3923 | [A-30647115](<https://android.googlesource.com/platform/frameworks/base/+/5f256310187b4ff2f13a7abb9afed9126facd7bc>) | Moderate | All Nexus | 7.0 | Google internal

### Information disclosure vulnerability in Mediaserver

An information disclosure vulnerability in Mediaserver could enable a local malicious application to access data outside of its permission levels.
This issue is rated as Moderate because it could be used to access sensitive data without permission.

CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3924 | [A-30204301](<https://android.googlesource.com/platform/frameworks/av/+/c894aa36be535886a8e5ff02cdbcd07dd24618f6>) | Moderate | All Nexus | 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0 | Jul 18, 2016

### Denial of service vulnerability in Wi-Fi

A denial of service vulnerability in the Wi-Fi service could enable a local malicious application to prevent Wi-Fi calling. This issue is rated as Moderate due to the possibility of a denial of service to application functionality.

CVE | References | Severity | Updated Nexus devices | Updated AOSP versions | Date reported
---|---|---|---|---|---
CVE-2016-3925 | [A-30230534](<https://android.googlesource.com/platform/frameworks/opt/net/wifi/+/c2905409c20c8692d4396b8531b09e7ec81fa3fb>) | Moderate | All Nexus | 6.0, 6.0.1, 7.0 | Google internal

## 2016-10-05 security patch level—Vulnerability details

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2016-10-05 patch level. There is a description of the issue, a severity rationale, and a table with the CVE, associated references, severity, updated Nexus devices, updated AOSP versions (where applicable), and date reported. When available, we will link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

### Elevation of privilege vulnerability in kernel ASN.1 decoder

An elevation of privilege vulnerability in the kernel ASN.1 decoder could enable a local malicious application to execute arbitrary code within the context of the kernel.
This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-0758 | A-29814470 [Upstream kernel](<http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa>) | Critical | Nexus 5X, Nexus 6P | May 12, 2016

### Remote code execution vulnerability in kernel networking subsystem

A remote code execution vulnerability in the kernel networking subsystem could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-7117 | A-30515201 [Upstream kernel](<http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=34b88a68f26a75e4fded796f1a49c40f82234b7d>) | Critical | All Nexus | Google internal

### Elevation of privilege vulnerability in MediaTek video driver

An elevation of privilege vulnerability in the MediaTek video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3928 | A-30019362* M-ALPS02829384 | Critical | None | Jul 6, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Elevation of privilege vulnerability in kernel shared memory driver

An elevation of privilege vulnerability in the kernel shared memory driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-5340 | A-30652312 [QC-CR#1008948](<https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=06e51489061e5473b4e2035c79dcf7c27a6f75a6>) | Critical | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One | Jul 26, 2016

### Vulnerabilities in Qualcomm components

The table below lists security vulnerabilities affecting Qualcomm components; they are described in further detail in the Qualcomm AMSS March 2016 and Qualcomm AMSS April 2016 security bulletins.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3926 | A-28823953* | Critical | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P | Qualcomm internal
CVE-2016-3927 | A-28823244* | Critical | Nexus 5X, Nexus 6P | Qualcomm internal
CVE-2016-3929 | A-28823675* | High | Nexus 5X, Nexus 6P | Qualcomm internal

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Elevation of privilege vulnerability in Qualcomm networking component

An elevation of privilege vulnerability in the Qualcomm networking component could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-2059 | A-27045580 [QC-CR#974577](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=9e8bdd63f7011dff5523ea435433834b3702398d>) | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One | Feb 4, 2016

### Elevation of privilege vulnerability in NVIDIA MMC test driver

An elevation of privilege vulnerability in the NVIDIA MMC test driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3930 | A-28760138* N-CVE-2016-3930 | High | Nexus 9 | May 12, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Elevation of privilege vulnerability in Qualcomm QSEE Communicator driver

An elevation of privilege vulnerability in the Qualcomm QSEE Communicator driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3931 | A-29157595 [QC-CR#1036418](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=e80b88323f9ff0bb0e545f209eec08ec56fca816>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One | Jun 4, 2016

### Elevation of privilege vulnerability in Mediaserver

An elevation of privilege vulnerability in Mediaserver could enable a local malicious application to execute arbitrary code within the context of a privileged process.
This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3932 | A-29161895 M-ALPS02770870 | High | None | Jun 6, 2016
CVE-2016-3933 | A-29421408* N-CVE-2016-3933 | High | Nexus 9, Pixel C | Jun 14, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Elevation of privilege vulnerability in Qualcomm camera driver

An elevation of privilege vulnerability in the Qualcomm camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3903 | A-29513227 [QC-CR#1040857](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=b8874573428e8ce024f57c6242d662fcca5e5d55>) | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One | Jun 20, 2016
CVE-2016-3934 | A-30102557 [QC-CR#789704](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=27fbeb6b025d5d46ccb0497cbed4c6e78ed1c5cc>) | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Android One | Jul 12, 2016

### Elevation of privilege vulnerability in Qualcomm sound driver

An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2015-8951 | A-30142668 [QC-CR#948902](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?h=APSS.FSM.3.0&id=ccff36b07bfc49efc77b9f1b55ed2bf0900b1d5b>) | High | Nexus 5X, Nexus 6P, Android One | Jun 20, 2016

### Elevation of privilege vulnerability in Qualcomm crypto engine driver

An elevation of privilege vulnerability in the Qualcomm cryptographic engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3901 | A-29999161 [QC-CR#1046434](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=5f69ccf3b011c1d14a1b1b00dbaacf74307c9132>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One | Jul 6, 2016
CVE-2016-3935 | A-29999665 [QC-CR#1046507](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=5f69ccf3b011c1d14a1b1b00dbaacf74307c9132>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One | Jul 6, 2016

### Elevation of privilege vulnerability in MediaTek video driver

An elevation of privilege vulnerability in the MediaTek video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3936 | A-30019037* M-ALPS02829568 | High | None | Jul 6, 2016
CVE-2016-3937 | A-30030994* M-ALPS02834874 | High | None | Jul 7, 2016

\* The patch for this issue is not publicly available.
The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Elevation of privilege vulnerability in Qualcomm video driver

An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3938 | A-30019716 [QC-CR#1049232](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=467c81f9736b1ebc8d4ba70f9221bba02425ca10>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One | Jul 7, 2016
CVE-2016-3939 | A-30874196 [QC-CR#1001224](<https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=e0bb18771d6ca71db2c2a61226827059be3fa424>) | High | Nexus 5X, Nexus 6, Nexus 6P, Android One | Aug 15, 2016

### Elevation of privilege vulnerability in Synaptics touchscreen driver

An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3940 | A-30141991* | High | Nexus 6P, Android One | Jul 12, 2016
CVE-2016-6672 | A-30537088* | High | Nexus 5X | Jul 31, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Elevation of privilege vulnerability in NVIDIA camera driver

An elevation of privilege vulnerability in the NVIDIA camera driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6673 | A-30204201* N-CVE-2016-6673 | High | Nexus 9 | Jul 17, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Elevation of privilege vulnerability in system_server

An elevation of privilege vulnerability in system_server could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6674 | A-30445380* | High | All Nexus | Jul 26, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Elevation of privilege vulnerability in Qualcomm Wi-Fi driver

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3905 | A-28061823 [QC-CR#1001449](<https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=b5112838eb91b71eded4b5ee37338535784e0aef>) | High | Nexus 5X | Google internal
CVE-2016-6675 | A-30873776 [QC-CR#1000861](<https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/prima/commit/?id=1353fa0bd0c78427f3ae7d9bde7daeb75bd01d09>) | High | Nexus 5X, Android One | Aug 15, 2016
CVE-2016-6676 | A-30874066 [QC-CR#1000853](<https://source.codeaurora.org/quic/la//platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=6ba9136879232442a182996427e5c88e5a7512a8>) | High | Nexus 5X, Android One | Aug 15, 2016
CVE-2016-5342 | A-30878283 [QC-CR#1032174](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=579e796cb089324c55e0e689a180575ba81b23d9>) | High | Android One | Aug 15, 2016

### Elevation of privilege vulnerability in kernel performance subsystem

An elevation of privilege vulnerability in the kernel performance subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2015-8955 | A-29508816 [Upstream kernel](<https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=8fff105e13041e49b82f92eef034f363a6b1c071>) | High | Nexus 5X, Nexus 6P, Pixel C, Android One | Google internal

### Information disclosure vulnerability in kernel ION subsystem

An information disclosure vulnerability in the kernel ION subsystem could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it could be used to access sensitive data without explicit user permission.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2015-8950 | A-29795245 [QC-CR#1041735](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=6e2c437a2d0a85d90d3db85a7471f99764f7bbf8>) | High | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P | May 12, 2016

### Information disclosure vulnerability in NVIDIA GPU driver

An information disclosure vulnerability in the NVIDIA GPU driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as High because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6677 | A-30259955* N-CVE-2016-6677 | High | Nexus 9 | Jul 19, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Elevation of privilege vulnerability in Qualcomm character driver

An elevation of privilege vulnerability in the Qualcomm character driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process, and the vulnerable code is currently not accessible.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2015-0572 | A-29156684 [QC-CR#848489](<https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=34ad3d34fbff11b8e1210b9da0dac937fb956b61>) | Moderate | Nexus 5X, N
exus 6P | May 28, 2016

### Information disclosure vulnerability in Qualcomm sound driver

An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels.
This issue is rated as Moderate because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-3860 | A-29323142 [QC-CR#1038127](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/diff/sound/soc/msm/qdsp6v2/audio_calibration.c?id=528976f54be246ec93a71ac53aa4faf3e3791c48>) | Moderate | Nexus 5X, Nexus 6P, Android One | Jun 13, 2016

### Information disclosure vulnerability in Motorola USBNet driver

An information disclosure vulnerability in the Motorola USBNet driver could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6678 | A-29914434* | Moderate | Nexus 6 | Jun 30, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Information disclosure vulnerability in Qualcomm components

An information disclosure vulnerability in Qualcomm components, including the sound driver, IPA driver and Wi-Fi driver, could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6679 | A-29915601 [QC-CR#1000913](<https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/prima/commit/?id=d39345f0abc309959d831d09fcbf1619cc0ae0f5>) [[2](<https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=f081695446679aa44baa0d00940ea18455eeb4c5>)] | Moderate | Nexus 5X, Android One | Jun 30, 2016
CVE-2016-3902 | A-29953313* [QC-CR#1044072](<https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=2fca425d781572393fbe51abe2e27a932d24a768>) | Moderate | Nexus 5X, Nexus 6P | Jul 2, 2016
CVE-2016-6680 | A-29982678* [QC-CR#1048052](<https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=2f2fa073b95d4700de88c0f7558b4a18c13ac552>) | Moderate | Nexus 5X, Android One | Jul 3, 2016
CVE-2016-6681 | A-30152182 [QC-CR#1049521](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=0950fbd39ff189497f1b6115825c210e3eeaf395>) | Moderate | Nexus 5X, Nexus 6P, Android One | Jul 14, 2016
CVE-2016-6682 | A-30152501 [QC-CR#1049615](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=0950fbd39ff189497f1b6115825c210e3eeaf395>) | Moderate | Nexus 5X, Nexus 6P, Android One | Jul 14, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Information disclosure vulnerability in kernel components

An information disclosure vulnerability in kernel components, including Binder, Sync, Bluetooth, and Sound driver, could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6683 | A-30143283* | Moderate | All Nexus | Jul 13, 2016
CVE-2016-6684 | A-30148243* | Moderate | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Android One | Jul 13, 2016
CVE-2015-8956 | A-30149612* | Moderate | Nexus 5, Nexus 6P, Android One | Jul 14, 2016
CVE-2016-6685 | A-30402628* | Moderate | Nexus 6P | Jul 25, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Information disclosure vulnerability in NVIDIA profiler

An information disclosure vulnerability in the NVIDIA profiler could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6686 | A-30163101* N-CVE-2016-6686 | Moderate | Nexus 9 | Jul 15, 2016
CVE-2016-6687 | A-30162222* N-CVE-2016-6687 | Moderate | Nexus 9 | Jul 15, 2016
CVE-2016-6688 | A-30593080* N-CVE-2016-6688 | Moderate | Nexus 9 | Aug 2, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Information disclosure vulnerability in kernel

An information disclosure vulnerability in Binder could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6689 | A-30768347* | Moderate | All Nexus | Aug 9, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Denial of service vulnerability in kernel networking subsystem

A denial of service vulnerability in the kernel networking subsystem could enable an attacker to block access to TCP connections and cause a temporary remote denial of service. This issue is rated as Moderate because cellular services are still available and the device is still usable.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-5696 | A-30809774 [Upstream kernel](<http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=75ff39ccc1bd5d3c455b6822ab09e533c551f758>) | Moderate | Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, Pixel C, Android One | Jul 12, 2016

### Denial of service vulnerability in kernel sound driver

A denial of service vulnerability in the kernel could allow a local malicious application to cause a device reboot. This issue is rated as Low because it is a temporary denial of service.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6690 | A-28838221* | Low | Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus Player | May 18, 2016

\* The patch for this issue is not publicly available. The update is contained in the latest binary drivers for Nexus devices available from the [Google Developer site](<https://developers.google.com/android/nexus/drivers>).

### Vulnerabilities in Qualcomm components

The table below contains a list of security vulnerabilities that affect Qualcomm components.

CVE | References | Severity | Updated Nexus devices | Date reported
---|---|---|---|---
CVE-2016-6691 | [QC-CR#978452](<https://source.codeaurora.org/quic/la//platform/frameworks/opt/net/wifi/commit/?id=343f123c396b2a97fc7cce396cd5d99365cb9131>) | High | None | Jul 2016
CVE-2016-6692 | [QC-CR#1004933](<https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=0f0e7047d39f9fb3a1a7f389918ff79cdb4a50b3>) | High | None | Aug 2016
CVE-2016-6693 | [QC-CR#1027585](<https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=ac328eb631fa74a63d5d2583e6bfeeb5a7a2df65>) | High | None | Aug 2016
CVE-2016-6694 | [QC-CR#1033525](<https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=961e38553aae8ba9b1af77c7a49acfbb7b0b6f62>) | High | None | Aug 2016
CVE-2016-6695 | [QC-CR#1033540](<https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=c319c2b0926d1ea5edb4d0778d88bd3ce37c4b95>) | High | None | Aug 2016
CVE-2016-6696 | [QC-CR#1041130](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=c3c9341bfdf93606983f893a086cb33a487306e5>) | High | None | Aug 2016
CVE-2016-5344 | [QC-CR#993650](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=64e15c36d6c1c57dc2d95a3f163bc830a469fc20>) | Moderate | None | Aug 2016
CVE-2016-5343 | [QC-CR#1010081](<https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=6927e2e0af4dcac357be86ba563c9ae12354bb08>) | Moderate | None | Aug 2016

## Common Questions and Answers

This section answers common questions that may occur after reading this bulletin.

**1. How do I determine if my device is updated to address these issues?**

Security Patch Levels of 2016-10-01 or later address all issues associated with the 2016-10-01 security patch string level. Security Patch Levels of 2016-10-05 or later address all issues associated with the 2016-10-05 security patch string level.
Refer to the [help center](<https://support.google.com/nexus/answer/4457705>) for instructions on how to check the security patch level. Device manufacturers that include these updates should set the patch string level to: [ro.build.version.security_patch]:[2016-10-01] or [ro.build.version.security_patch]:[2016-10-05].

**2\. Why does this bulletin have two security patch level strings?**

This bulletin has two security patch level strings so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level string.

Devices that use the security patch level of October 5, 2016 or newer must include all applicable patches in this (and previous) security bulletins.

Devices that use the October 1, 2016 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.

**3\. How do I determine which Nexus devices are affected by each issue?**

In the 2016-10-01 and 2016-10-05 security vulnerability details sections, each table has an _Updated Nexus devices_ column that covers the range of affected Nexus devices updated for each issue. This column has a few options:

 * **All Nexus devices**: If an issue affects all Nexus devices, the table will have “All Nexus” in the _Updated Nexus devices_ column.
“All Nexus” encapsulates the following [supported devices](<https://support.google.com/nexus/answer/4457705#nexus_devices>): Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Android One, Nexus Player and Pixel C.
 * **Some Nexus devices**: If an issue doesn’t affect all Nexus devices, the affected Nexus devices are listed in the _Updated Nexus devices_ column.
 * **No Nexus devices**: If no Nexus devices running Android 7.0 are affected by the issue, the table will have “None” in the _Updated Nexus devices_ column.

**4\. What do the entries in the references column map to?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs. These prefixes map as follows:

Prefix | Reference
---|---
A- | Android bug ID
QC- | Qualcomm reference number
M- | MediaTek reference number
N- | NVIDIA reference number
B- | Broadcom reference number

## Revisions

 * October 03, 2016: Bulletin published.
 * October 04, 2016: Bulletin revised to include AOSP links and update attributions for CVE-2016-3920, CVE-2016-6693, CVE-2016-6694, CVE-2016-6695, and CVE-2016-6696.

Record metadata for the indexed copy of this bulletin: published 2016-10-03, modified 2016-10-04; source: https://source.android.com/docs/security/bulletin/2016-10-01; reporter: Android Open Source Project. Aggregate CVSS v2 score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C); CVSS v3.0 base score 9.8, Critical (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), exploitability subscore 3.9, impact subscore 5.9.
## Security Bulletin: NVIDIA Shield Contains Multiple Vulnerabilities in Mediaserver and Kernel

NVIDIA bulletin NVIDIA:4267 (http://nvidia.custhelp.com/app/answers/detail/a_id/4267), published 2016-11-30, last modified 2020-11-03; aggregate CVSS v2 score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C).

### Vulnerability Details

#### CVE-2016-3847

Kernel nvavp driver heap write overflow [(Android Security Bulletin - August 2016)](<https://source.android.com/security/bulletin/2016-08-01.html>)

 * CVSS Base Score: 8.8
 * CVSS Temporal Score: 7.9
 * CVSS Vector: [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C](<https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=\(AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C\)>)

#### CVE-2016-3815

Kernel camera driver stack read of user-controlled length [(Android Security Bulletin - July 2016)](<https://source.android.com/security/bulletin/2016-07-01.html>)

 * CVSS Base Score: 7.9
 * CVSS Temporal Score: 7.1
 * CVSS Vector: [CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C](<https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=\(AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C\)>)

#### CVE-2016-3873

Elevation of privilege vulnerability in NVIDIA kernel [(Android Security Bulletin - September 2016)](<https://source.android.com/security/bulletin/2016-09-01.html>)

 * CVSS Base Score: 7.3
 * CVSS Temporal Score: 6.6
 * CVSS Vector: [CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L/E:P/RL:O/RC:C](<https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=\(AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L/E:P/RL:O/RC:C\)>)

#### CVE-2016-3933

Elevation of privilege vulnerability in Mediaserver [(Android Security Bulletin - October 2016)](<https://source.android.com/security/bulletin/2016-10-01.html>)

 * CVSS Base Score: 6.7
 * CVSS Temporal Score: 6.0
 * CVSS Vector: [CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N/E:P/RL:O/RC:C](<https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=\(AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N/E:P/RL:O/RC:C\)>)

#### CVE-2016-3844

Mediaserver libnvomx.so privilege escalation [(Android Security Bulletin - August 2016)](<https://source.android.com/security/bulletin/2016-08-01.html>)

 * CVSS Base Score: 6.6
 * CVSS Temporal Score: 5.9
 * CVSS Vector: [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C](<https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=\(AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C\)>)

#### CVE-2016-3930

Elevation of privilege vulnerability in NVIDIA MMC test driver [(Android Security Bulletin - October 2016)](<https://source.android.com/security/bulletin/2016-10-01.html>)

 * CVSS Base Score: 5.1
 * CVSS Temporal Score: 4.6
 * CVSS Vector: [CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C](<https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=\(AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C\)>)

#### CVE-2016-3793

Kernel camera driver race condition use-after-free [(Android Security Bulletin - July 2016)](<https://source.android.com/security/bulletin/2016-07-01.html>)

 * CVSS Base Score: 4.7
 * CVSS Temporal Score: 4.2
 * CVSS Vector: [CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C](<https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=\(AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C\)>)

#### CVE-2016-6677

Information disclosure vulnerability in NVIDIA GPU driver [(Android Security Bulletin - October 2016)](<https://source.android.com/security/bulletin/2016-10-01.html>)

 * CVSS Base Score: 3.4
 * CVSS Temporal Score: 3.1
 * CVSS Vector: [CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C](<https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=\(AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C\)>)

#### CVE-2016-3848

Kernel nvavp driver race condition privilege escalation [(Android Security Bulletin - August 2016)](<https://source.android.com/security/bulletin/2016-08-01.html>)

 * CVSS Base Score: 2.5
 * CVSS Temporal Score: 2.3
 * CVSS Vector: [CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C](<https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=\(AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C\)>)

#### CVE-2016-6686, CVE-2016-6687, CVE-2016-6688

Information disclosure vulnerability in NVIDIA profiler [(Android Security Bulletin - October 2016)](<https://source.android.com/security/bulletin/2016-10-01.html>)

 * CVSS Base Score: 2.3
 * CVSS Temporal Score: 2.1
 * CVSS Vector: [CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C](<https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=\(AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C\)>)

NVIDIA’s risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation. NVIDIA recommends consulting a local security or IT professional to evaluate the risk of your specific configuration. NVIDIA doesn’t know of any exploits to these issues at this time.

## NVD entries for CVEs in this bulletin

#### CVE-2015-8951

Multiple use-after-free vulnerabilities in sound/soc/msm/qdsp6v2/msm-lsm-client.c in the Qualcomm sound driver in Android before 2016-10-05 on Nexus 5X, Nexus 6P, and Android One devices allow attackers to gain privileges via a crafted application, aka Android internal bug 30142668 and Qualcomm internal bug CR 948902.

 * CWE: CWE-264
 * CVSS v3.0: 7.8 (High), CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (exploitability 1.8, impact 5.9)
 * CVSS v2: 9.3 (High), AV:N/AC:M/Au:N/C:C/I:C/A:C (exploitability 8.6, impact 10.0; user interaction required)
 * CPE: cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*
 * Published 2016-10-10, modified 2016-11-28; NVD entry: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8951

#### CVE-2015-8950

arch/arm64/mm/dma-mapping.c in the Linux kernel before 4.0.3, as used in the ION subsystem in Android and other products, does not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory by triggering a dma_mmap call.

 * CWE: CWE-200
 * CVSS v3.0: 5.5 (Medium), CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (exploitability 1.8, impact 3.6)
 * CVSS v2: 4.3 (Medium), AV:N/AC:M/Au:N/C:P/I:N/A:N (exploitability 8.6, impact 2.9; user interaction required)
 * CPE: cpe:2.3:o:linux:linux_kernel:4.0.2:*:*:*:*:*:*:*
 * Published 2016-10-10, modified 2016-11-28; NVD entry: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8950

#### CVE-2016-6675

Off-by-one error in CORE/HDD/src/wlan_hdd_hostapd.c in the Qualcomm Wi-Fi driver in Android before 2016-10-05 on Nexus 5X and Android One devices allows attackers to gain privileges or cause a denial of service (buffer overflow) via a crafted application that makes a linkspeed ioctl call, aka Android internal bug 30873776 and Qualcomm internal bug CR 1000861.

 * CWE: CWE-119
 * CVSS v3.0: 7.8 (High), CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (exploitability 1.8, impact 5.9)
 * CVSS v2: 9.3 (High), AV:N/AC:M/Au:N/C:C/I:C/A:C (exploitability 8.6, impact 10.0; user interaction required)
 * CPE: cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*
 * Published 2016-10-10, modified 2016-12-06; NVD entry: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6675

A further NVD entry is cut off in the source after its description and CVSS v3.0 exploitability subscore (3.9):

drivers/video/msm/mdss/mdss_mdp_pp.c in the Qualcomm MDSS driver in Android before 2016-10-05 allows attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other impact via unknown vectors, aka Qualcomm internal bug CR 1004933.
"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6692", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6692"], "modified": "2016-12-06T15:08:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6692", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6692", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:01:12", "description": "sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 driver in Android before 2016-10-05 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted visualizer data length, aka Qualcomm internal bug CR 1033540.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 
"version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6695", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6695"], "modified": "2016-12-06T15:09:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6695", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6695", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:49", "description": "drivers/misc/qseecom.c in the Qualcomm QSEE Communicator driver in Android before 2016-10-05 on Nexus 5X, Nexus 6, Nexus 6P, and Android One devices allows attackers to gain privileges via a crafted application, aka Android internal bug 29157595 and Qualcomm internal bug CR 1036418.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3931", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3931"], "modified": "2016-11-28T20:14:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-3931", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3931", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:00:50", "description": "drivers/misc/qcom/qdsp6v2/audio_utils.c in a Qualcomm QDSP6v2 driver in Android before 2016-10-05 on Nexus 5X, Nexus 6P, and Android One devices does not initialize certain data structures, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 30152182 and Qualcomm internal bug CR 1049521.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-6681", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": 
"AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6681"], "modified": "2016-12-06T14:46:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6681", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6681", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:01:10", "description": "service/jni/com_android_server_wifi_Gbk2Utf.cpp in the Qualcomm Wi-Fi gbk2utf module in Android before 2016-10-05 allows remote attackers to cause a denial of service (framework crash) or possibly have unspecified other impact via an access point that has a malformed SSID with GBK encoding, aka Qualcomm internal bug CR 978452.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6691", "cwe": ["CWE-172"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6691"], "modified": "2016-12-06T14:41:00", "cpe": 
["cpe:/o:google:android:7.0"], "id": "CVE-2016-6691", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6691", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:01:05", "description": "The NVIDIA profiler in Android before 2016-10-05 on Nexus 9 devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 30163101.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6686", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6686"], "modified": "2016-12-06T14:41:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6686", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6686", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:01:10", "description": "sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 driver in Android before 2016-10-05 allows attackers to cause a 
denial of service or possibly have unspecified other impact via an invalid data length, aka Qualcomm internal bug CR 1027585.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6693", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6693"], "modified": "2016-12-06T15:04:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6693", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6693", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:32:58", "description": "arch/arm64/kernel/perf_event.c in the Linux kernel before 4.1 on arm64 platforms allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via vectors involving events that are mishandled during a span of multiple HW PMUs.", "cvss3": {"exploitabilityScore": 1.3, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2015-8955", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8955"], "modified": "2016-11-28T19:50:00", "cpe": ["cpe:/o:google:android:7.0", "cpe:/o:linux:linux_kernel:4.0.9"], "id": "CVE-2015-8955", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8955", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.0.9:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:00:48", "description": "CORE/HDD/src/wlan_hdd_wext.c in the Qualcomm Wi-Fi driver in Android before 2016-10-05 on Nexus 5X and Android One devices allows attackers to obtain sensitive information via a crafted application that makes an iw_set_priv ioctl call, aka Android internal bug 29982678 and Qualcomm internal bug CR 1048052.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": 
"REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-6680", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6680"], "modified": "2016-12-06T15:08:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6680", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6680", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:01:10", "description": "The NVIDIA profiler in Android before 2016-10-05 on Nexus 9 devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 30593080.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6688", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", 
"integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6688"], "modified": "2016-12-06T15:05:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6688", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6688", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:01:13", "description": "sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 driver in Android before 2016-10-05 allows attackers to cause a denial of service or possibly have unspecified other impact via a large negative value for the data length, aka Qualcomm internal bug CR 1041130.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6696", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6696"], "modified": "2016-12-06T15:09:00", "cpe": 
["cpe:/o:google:android:7.0"], "id": "CVE-2016-6696", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6696", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:00:56", "description": "The kernel in Android before 2016-10-05 on Nexus devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 30143283.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6683", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6683"], "modified": "2016-12-06T15:08:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6683", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6683", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:45:03", "description": "The MediaTek video driver in Android before 2016-10-05 allows attackers to gain privileges via a crafted application, aka Android internal bug 
30030994 and MediaTek internal bug ALPS02834874.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3937", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3937"], "modified": "2016-11-28T20:14:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-3937", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3937", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:01:07", "description": "Off-by-one error in CORE/HDD/src/wlan_hdd_cfg.c in the Qualcomm Wi-Fi driver in Android before 2016-10-05 on Nexus 5X and Android One devices allows attackers to gain privileges or cause a denial of service (buffer overflow) via a crafted application that makes a GET_CFG ioctl call, aka Android internal bug 30874066 and Qualcomm internal bug CR 1000853.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-6676", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6676"], "modified": "2016-12-06T15:08:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6676", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6676", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:39", "description": "The Accessibility services in Android 7.0 before 2016-10-01 mishandle motion events, which allows attackers to conduct touchjacking attacks and consequently gain privileges via a crafted application, aka internal bug 30647115.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3923", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3923"], "modified": "2016-11-28T20:13:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-3923", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3923", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:00:34", "description": "system_server in Android before 2016-10-05 on Nexus devices allows attackers to gain privileges via a crafted application, aka internal bug 30445380.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-6674", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6674"], "modified": "2016-11-28T20:33:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6674", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6674", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:33", "description": "server/wifi/anqp/ANQPFactory.java in Android 6.x before 2016-10-01 and 7.0 before 2016-10-01 allows attackers to cause a denial of service (blocked Wi-Fi usage) via a crafted application, aka internal bug 30230534.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3925", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3925"], "modified": "2016-11-28T20:14:00", "cpe": ["cpe:/o:google:android:7.0", "cpe:/o:google:android:6.0", "cpe:/o:google:android:6.0.1"], "id": "CVE-2016-3925", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3925", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": 
["cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:45:05", "description": "Multiple integer overflows in drivers/crypto/msm/qcedev.c in the Qualcomm cryptographic engine driver in Android before 2016-10-05 on Nexus 5X, Nexus 6, Nexus 6P, and Android One devices allow attackers to gain privileges via a crafted application, aka Android internal bug 29999665 and Qualcomm internal bug CR 1046507.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3935", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3935"], "modified": "2016-11-28T20:14:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-3935", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3935", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:36", "description": "Unspecified vulnerability in a Qualcomm component in Android before 2016-10-05 on 
Nexus 5, 5X, 6, and 6P devices has unknown impact and attack vectors, aka internal bug 28823953.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3926", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3926"], "modified": "2016-11-28T20:14:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-3926", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3926", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:00:36", "description": "The Synaptics touchscreen driver in Android before 2016-10-05 on Nexus 5X devices allows attackers to gain privileges via a crafted application, aka internal bug 30537088.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, 
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-6672", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6672"], "modified": "2016-11-28T20:33:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6672", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6672", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:00:41", "description": "The Motorola USBNet driver in Android before 2016-10-05 on Nexus 6 devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 29914434.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-6678", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6678"], "modified": "2017-01-18T02:59:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6678", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6678", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:45:05", "description": "drivers/video/msm/mdss/mdss_mdp_overlay.c in the Qualcomm video driver in Android before 2016-10-05 on Nexus 5X, Nexus 6, Nexus 6P, and Android One devices allows attackers to gain privileges via a crafted application, aka Android internal bug 30019716 and Qualcomm internal bug CR 1049232.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3938", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2016-3938"], "modified": "2016-11-28T20:14:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-3938", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3938", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:45:00", "description": "The MediaTek video driver in Android before 2016-10-05 allows attackers to gain privileges via a crafted application, aka Android internal bug 30019037 and MediaTek internal bug ALPS02829568.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3936", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3936"], "modified": "2016-11-28T20:14:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-3936", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3936", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:25", "description": 
"libsysutils/src/FrameworkListener.cpp in Framework Listener in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 allows attackers to gain privileges via a crafted application, aka internal bug 29831647.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3921", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3921"], "modified": "2016-11-28T20:13:00", "cpe": ["cpe:/o:google:android:4.3.1", "cpe:/o:google:android:4.0.4", "cpe:/o:google:android:6.0", "cpe:/o:google:android:4.4.3", "cpe:/o:google:android:6.0.1", "cpe:/o:google:android:5.0.1", "cpe:/o:google:android:5.0", "cpe:/o:google:android:4.0", "cpe:/o:google:android:4.0.1", "cpe:/o:google:android:4.2", "cpe:/o:google:android:4.1.2", "cpe:/o:google:android:4.4.1", "cpe:/o:google:android:4.0.3", "cpe:/o:google:android:4.1", "cpe:/o:google:android:4.2.2", "cpe:/o:google:android:4.3", "cpe:/o:google:android:4.2.1", "cpe:/o:google:android:4.4.2", "cpe:/o:google:android:4.0.2", "cpe:/o:google:android:5.1.0", 
"cpe:/o:google:android:4.4", "cpe:/o:google:android:5.1", "cpe:/o:google:android:7.0"], "id": "CVE-2016-3921", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3921", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:01:07", "description": "The NVIDIA profiler in Android before 2016-10-05 on Nexus 9 devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 30162222.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, 
"published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6687", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6687"], "modified": "2016-12-06T15:08:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6687", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6687", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:00:39", "description": "The NVIDIA GPU driver in Android before 2016-10-05 on Nexus 9 devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 30259955.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-6677", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6677"], "modified": "2016-12-06T15:09:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6677", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6677", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:01:01", "description": "The kernel in Android before 2016-10-05 on Nexus 6P devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 30402628.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6685", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6685"], "modified": "2016-12-06T14:46:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6685", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6685", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": 
["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:51", "description": "mediaserver in Android before 2016-10-05 allows attackers to gain privileges via a crafted application, aka Android internal bug 29161895 and MediaTek internal bug ALPS02770870.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3932", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3932"], "modified": "2016-11-28T20:14:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-3932", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3932", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:00:58", "description": "The kernel in Android before 2016-10-05 on Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Nexus Player, and Android One devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 30148243.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6684", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6684"], "modified": "2016-12-06T15:07:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6684", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6684", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:01:08", "description": "Binder in the kernel in Android before 2016-10-05 on Nexus devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 30768347.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6689", "cwe": 
["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6689"], "modified": "2017-09-03T01:29:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6689", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6689", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:09", "description": "camera/src/camera_metadata.c in the Camera service in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 allows attackers to gain privileges via a crafted application, aka internal bug 30591838.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3915", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 
9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3915"], "modified": "2016-11-28T20:13:00", "cpe": ["cpe:/o:google:android:4.3.1", "cpe:/o:google:android:4.0.4", "cpe:/o:google:android:6.0", "cpe:/o:google:android:4.4.3", "cpe:/o:google:android:6.0.1", "cpe:/o:google:android:5.0.1", "cpe:/o:google:android:5.0", "cpe:/o:google:android:4.0", "cpe:/o:google:android:4.0.1", "cpe:/o:google:android:4.2", "cpe:/o:google:android:4.1.2", "cpe:/o:google:android:4.4.1", "cpe:/o:google:android:4.0.3", "cpe:/o:google:android:4.1", "cpe:/o:google:android:4.2.2", "cpe:/o:google:android:4.3", "cpe:/o:google:android:4.2.1", "cpe:/o:google:android:4.4.2", "cpe:/o:google:android:4.0.2", "cpe:/o:google:android:5.1.0", "cpe:/o:google:android:4.4", "cpe:/o:google:android:5.1", "cpe:/o:google:android:7.0"], "id": "CVE-2016-3915", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3915", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*", 
"cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:00:53", "description": "drivers/misc/qcom/qdsp6v2/audio_utils.c in a Qualcomm QDSP6v2 driver in Android before 2016-10-05 on Nexus 5X, Nexus 6P, and Android One devices does not initialize certain data structures, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 30152501 and Qualcomm internal bug CR 1049615.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-6682", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6682"], "modified": "2016-12-06T15:09:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6682", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6682", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": 
"2022-03-23T13:44:22", "description": "id3/ID3.cpp in libstagefright in mediaserver in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 allows remote attackers to cause a denial of service (device hang or reboot) via a crafted file, aka internal bug 30744884.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3920", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3920"], "modified": "2016-11-28T20:13:00", "cpe": ["cpe:/o:google:android:5.0", "cpe:/o:google:android:6.0", "cpe:/o:google:android:6.0.1", "cpe:/o:google:android:5.0.1", "cpe:/o:google:android:5.1", "cpe:/o:google:android:5.1.0", "cpe:/o:google:android:7.0"], "id": "CVE-2016-3920", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3920", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*", 
"cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:01:09", "description": "The sound driver in the kernel in Android before 2016-10-05 on Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, and Nexus Player devices allows attackers to cause a denial of service (reboot) via a crafted application, aka internal bug 28838221.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6690", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6690"], "modified": "2016-12-06T15:04:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6690", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6690", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:01:11", "description": "sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 driver in Android before 2016-10-05 allows attackers to cause a denial of service or possibly have unspecified 
other impact via crafted parameter data, aka Qualcomm internal bug CR 1033525.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-10T11:00:00", "type": "cve", "title": "CVE-2016-6694", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6694"], "modified": "2016-12-06T15:08:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6694", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6694", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:46", "description": "The NVIDIA MMC test driver in Android before 2016-10-05 on Nexus 9 devices allows attackers to gain privileges via a crafted application, aka internal bug 28760138.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": 
"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3930", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3930"], "modified": "2017-10-19T01:30:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-3930", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3930", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:00:30", "description": "The NVIDIA camera driver in Android before 2016-10-05 on Nexus 9 devices allows attackers to gain privileges via a crafted application, aka internal bug 30204201.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-6673", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6673"], "modified": "2016-11-28T20:33:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6673", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6673", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:33:01", "description": "The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2015-8956", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 3.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8956"], "modified": 
"2018-01-05T02:30:00", "cpe": ["cpe:/o:google:android:7.0", "cpe:/o:linux:linux_kernel:4.1.33"], "id": "CVE-2015-8956", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8956", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.1.33:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:31", "description": "services/audioflinger/Effects.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 does not validate EFFECT_CMD_SET_PARAM and EFFECT_CMD_SET_PARAM_DEFERRED commands, which allows attackers to obtain sensitive information via a crafted application, aka internal bug 30204301.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3924", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3924"], "modified": "2016-11-28T20:14:00", "cpe": ["cpe:/o:google:android:4.3.1", "cpe:/o:google:android:4.0.4", "cpe:/o:google:android:6.0", "cpe:/o:google:android:4.4.3", 
"cpe:/o:google:android:5.0.1", "cpe:/o:google:android:6.0.1", "cpe:/o:google:android:5.0", "cpe:/o:google:android:4.0", "cpe:/o:google:android:4.0.1", "cpe:/o:google:android:4.2", "cpe:/o:google:android:4.1.2", "cpe:/o:google:android:4.4.1", "cpe:/o:google:android:4.0.3", "cpe:/o:google:android:4.1", "cpe:/o:google:android:4.2.2", "cpe:/o:google:android:4.3", "cpe:/o:google:android:4.2.1", "cpe:/o:google:android:4.4.2", "cpe:/o:google:android:4.0.2", "cpe:/o:google:android:5.1.0", "cpe:/o:google:android:4.4", "cpe:/o:google:android:5.1", "cpe:/o:google:android:7.0"], "id": "CVE-2016-3924", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3924", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:57", "description": "drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c in the Qualcomm camera driver in Android 
before 2016-10-05 on Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, and Android One devices relies on variable-length arrays, which allows attackers to gain privileges via a crafted application, aka Android internal bug 30102557 and Qualcomm internal bug CR 789704.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3934", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3934"], "modified": "2016-11-28T20:14:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-3934", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3934", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:43", "description": "Unspecified vulnerability in a Qualcomm component in Android before 2016-10-05 on Nexus 5X and 6P devices has unknown impact and attack vectors, aka internal bug 28823675.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3929", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3929"], "modified": "2016-11-28T20:14:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-3929", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3929", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:14", "description": "camera/src/camera_metadata.c in the Camera service in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 allows attackers to gain privileges via a crafted application, aka internal bug 30741779.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": 
"cve", "title": "CVE-2016-3916", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3916"], "modified": "2016-11-28T20:13:00", "cpe": ["cpe:/o:google:android:4.3.1", "cpe:/o:google:android:4.0.4", "cpe:/o:google:android:6.0", "cpe:/o:google:android:4.4.3", "cpe:/o:google:android:5.0.1", "cpe:/o:google:android:6.0.1", "cpe:/o:google:android:5.0", "cpe:/o:google:android:4.0", "cpe:/o:google:android:4.0.1", "cpe:/o:google:android:4.4.1", "cpe:/o:google:android:4.1.2", "cpe:/o:google:android:4.2", "cpe:/o:google:android:4.0.3", "cpe:/o:google:android:4.1", "cpe:/o:google:android:4.2.2", "cpe:/o:google:android:4.3", "cpe:/o:google:android:4.2.1", "cpe:/o:google:android:4.4.2", "cpe:/o:google:android:4.0.2", "cpe:/o:google:android:5.1.0", "cpe:/o:google:android:4.4", "cpe:/o:google:android:5.1", "cpe:/o:google:android:7.0"], "id": "CVE-2016-3916", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3916", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", 
"cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:07", "description": "Race condition in providers/telephony/MmsProvider.java in Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 allows attackers to gain privileges via a crafted application that modifies a database between two open operations, aka internal bug 30481342.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3914", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3914"], "modified": "2016-11-28T20:13:00", "cpe": ["cpe:/o:google:android:4.3.1", "cpe:/o:google:android:4.0.4", "cpe:/o:google:android:6.0", "cpe:/o:google:android:4.4.3", "cpe:/o:google:android:5.0.1", "cpe:/o:google:android:6.0.1", "cpe:/o:google:android:5.0", "cpe:/o:google:android:4.0", "cpe:/o:google:android:4.0.1", "cpe:/o:google:android:4.2", "cpe:/o:google:android:4.1.2", "cpe:/o:google:android:4.4.1", "cpe:/o:google:android:4.0.3", "cpe:/o:google:android:4.1", "cpe:/o:google:android:4.2.2", "cpe:/o:google:android:4.3", "cpe:/o:google:android:4.2.1", "cpe:/o:google:android:4.4.2", "cpe:/o:google:android:4.0.2", "cpe:/o:google:android:5.1.0", "cpe:/o:google:android:4.4", "cpe:/o:google:android:5.1", "cpe:/o:google:android:7.0"], "id": "CVE-2016-3914", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3914", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*", 
"cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T15:00:45", "description": "CORE/HDD/src/wlan_hdd_hostapd.c in the Qualcomm Wi-Fi driver in Android before 2016-10-05 on Nexus 5X and Android One devices allows attackers to obtain sensitive information via a crafted application that makes a setwpaie ioctl call, aka Android internal bug 29915601 and Qualcomm internal bug CR 1000913.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-6679", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6679"], "modified": "2016-12-06T15:09:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-6679", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6679", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:01", "description": "core/java/android/os/Process.java in Zygote in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 
before 2016-10-01 allows attackers to gain privileges via a crafted application, aka internal bug 30143607.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3911", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3911"], "modified": "2016-11-28T20:13:00", "cpe": ["cpe:/o:google:android:4.3.1", "cpe:/o:google:android:4.0.4", "cpe:/o:google:android:6.0", "cpe:/o:google:android:4.4.3", "cpe:/o:google:android:5.0.1", "cpe:/o:google:android:6.0.1", "cpe:/o:google:android:5.0", "cpe:/o:google:android:4.0", "cpe:/o:google:android:4.0.1", "cpe:/o:google:android:4.4.1", "cpe:/o:google:android:4.1.2", "cpe:/o:google:android:4.2", "cpe:/o:google:android:4.0.3", "cpe:/o:google:android:4.1", "cpe:/o:google:android:4.2.2", "cpe:/o:google:android:4.3", "cpe:/o:google:android:4.2.1", "cpe:/o:google:android:4.4.2", "cpe:/o:google:android:4.0.2", "cpe:/o:google:android:5.1.0", "cpe:/o:google:android:4.4", "cpe:/o:google:android:5.1", "cpe:/o:google:android:7.0"], "id": "CVE-2016-3911", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3911", 
"cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:40", "description": "Unspecified vulnerability in a Qualcomm component in Android before 2016-10-05 on Nexus 5X and 6P devices has unknown impact and attack vectors, aka internal bug 28823244.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3927", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3927"], "modified": "2016-11-28T20:14:00", "cpe": ["cpe:/o:google:android:7.0"], "id": "CVE-2016-3927", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3927", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:28:55", "description": "drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2 Voice Service driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write request, as demonstrated by a voice_svc_send_req buffer overflow.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-5343", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5343"], "modified": "2020-08-03T16:24:00", "cpe": ["cpe:/o:linux:linux_kernel:3.19.8"], "id": "CVE-2016-5343", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5343", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:3.19.8:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:29:10", "description": "The GPS component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 allows man-in-the-middle attackers to cause a denial of service (memory consumption, and device hang or reboot) via a large xtra.bin or xtra2.bin file on a spoofed Qualcomm gpsonextra.net or izatcloud.net host, aka internal bug 29555864.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-5348", "cwe": ["CWE-399"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5348"], "modified": "2018-04-19T01:29:00", "cpe": ["cpe:/o:google:android:4.3.1", "cpe:/o:google:android:4.0.4", "cpe:/o:google:android:6.0", "cpe:/o:google:android:4.4.3", "cpe:/o:google:android:6.0.1", "cpe:/o:google:android:5.0.1", "cpe:/o:google:android:5.0", "cpe:/o:google:android:4.0", "cpe:/o:google:android:4.0.1", "cpe:/o:google:android:4.4.1", "cpe:/o:google:android:4.2", "cpe:/o:google:android:4.1.2", "cpe:/o:google:android:4.0.3", "cpe:/o:google:android:4.1", "cpe:/o:google:android:4.2.2", "cpe:/o:google:android:4.3", "cpe:/o:google:android:4.2.1", "cpe:/o:google:android:4.4.2", "cpe:/o:google:android:4.0.2", "cpe:/o:google:android:5.1.0", "cpe:/o:google:android:4.4", "cpe:/o:google:android:5.1", "cpe:/o:google:android:7.0"], "id": "CVE-2016-5348", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5348", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*", 
"cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:44:28", "description": "libril/RilSapSocket.cpp in Telephony in Android 6.x before 2016-10-01 and 7.0 before 2016-10-01 relies on variable-length arrays, which allows attackers to gain privileges via a crafted application, aka internal bug 30202619.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "cve", "title": "CVE-2016-3922", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3922"], "modified": "2016-11-28T20:13:00", "cpe": ["cpe:/o:google:android:7.0", "cpe:/o:google:android:6.0.1", "cpe:/o:google:android:6.0"], "id": "CVE-2016-3922", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3922", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:46:03", "description": "drivers/video/msm/mdss/mdss_debug.c in the Qualcomm video driver in 
"2022-08-04T14:08:30", "description": "arch/arm64/kernel/perf_event.c in the Linux kernel before 4.1 on arm64\nplatforms allows local users to gain privileges or cause a denial of\nservice (invalid pointer dereference) via vectors involving events that are\nmishandled during a span of multiple HW PMUs.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support \n[tyhicks](<https://launchpad.net/~tyhicks>) | specific to arm64 kernels\n", "cvss3": {"exploitabilityScore": 1.3, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2015-8955", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8955"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2015-8955", "href": "https://ubuntu.com/security/CVE-2015-8955", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:25", "description": "The kernel in 
Android before 2016-10-05 on Nexus devices allows attackers\nto obtain sensitive information via a crafted application, aka internal bug\n30143283.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-6683", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6683"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-6683", "href": "https://ubuntu.com/security/CVE-2016-6683", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-04T14:08:25", "description": "The MediaTek video driver in Android before 2016-10-05 allows attackers to\ngain privileges via a crafted application, aka Android internal bug\n30030994 and MediaTek internal bug ALPS02834874.\n\n#### Notes\n\nAuthor| Note \n---|--- 
\n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3937", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3937"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3937", "href": "https://ubuntu.com/security/CVE-2016-3937", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:27", "description": "The Accessibility services in Android 7.0 before 2016-10-01 mishandle\nmotion events, which allows attackers to conduct touchjacking attacks and\nconsequently gain privileges via a crafted application, aka internal bug\n30647115.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", 
"availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3923", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3923"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3923", "href": "https://ubuntu.com/security/CVE-2016-3923", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-04T14:08:24", "description": "system_server in Android before 2016-10-05 on Nexus devices allows\nattackers to gain privileges via a crafted application, aka internal bug\n30445380.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-6674", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6674"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-6674", "href": "https://ubuntu.com/security/CVE-2016-6674", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T14:08:26", "description": "server/wifi/anqp/ANQPFactory.java in Android 6.x before 2016-10-01 and 7.0\nbefore 2016-10-01 allows attackers to cause a denial of service (blocked\nWi-Fi usage) via a crafted application, aka internal bug 30230534.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3925", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3925"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3925", "href": "https://ubuntu.com/security/CVE-2016-3925", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-08-04T14:08:26", "description": "The 
MediaTek video driver in Android before 2016-10-05 allows attackers to\ngain privileges via a crafted application, aka Android internal bug\n30019037 and MediaTek internal bug ALPS02829568.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3936", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3936"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3936", "href": "https://ubuntu.com/security/CVE-2016-3936", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:26", "description": "libsysutils/src/FrameworkListener.cpp in Framework Listener in Android 4.x\nbefore 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before\n2016-10-01, and 7.0 before 2016-10-01 allows attackers to 
gain privileges\nvia a crafted application, aka internal bug 29831647.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3921", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3921"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3921", "href": "https://ubuntu.com/security/CVE-2016-3921", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:26", "description": "mediaserver in Android before 2016-10-05 allows attackers to gain\nprivileges via a crafted application, aka Android internal bug 29161895 and\nMediaTek internal bug ALPS02770870.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": 
"ubuntucve", "title": "CVE-2016-3932", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3932"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3932", "href": "https://ubuntu.com/security/CVE-2016-3932", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:25", "description": "Binder in the kernel in Android before 2016-10-05 on Nexus devices allows\nattackers to obtain sensitive information via a crafted application, aka\ninternal bug 30768347.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-6689", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6689"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-6689", "href": "https://ubuntu.com/security/CVE-2016-6689", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-04T14:08:29", "description": "camera/src/camera_metadata.c in the Camera service in Android 4.x before\n4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and\n7.0 before 2016-10-01 allows attackers to gain privileges via a crafted\napplication, aka internal bug 30591838.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3915", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3915"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3915", "href": 
"https://ubuntu.com/security/CVE-2016-3915", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:31", "description": "id3/ID3.cpp in libstagefright in mediaserver in Android 5.0.x before 5.0.2,\n5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 allows\nremote attackers to cause a denial of service (device hang or reboot) via a\ncrafted file, aka internal bug 30744884.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3920", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3920"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3920", "href": "https://ubuntu.com/security/CVE-2016-3920", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-08-04T14:08:29", "description": "The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux\nkernel before 4.2 allows local users to obtain sensitive information or\ncause a denial of service (NULL pointer dereference) via vectors involving\na bind system call on a Bluetooth RFCOMM socket.\n\n#### Notes\n\nAuthor| 
Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2015-8956", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 3.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8956"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2015-8956", "href": "https://ubuntu.com/security/CVE-2015-8956", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2022-08-04T14:08:27", "description": "services/audioflinger/Effects.cpp in mediaserver in Android 4.x before\n4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and\n7.0 before 2016-10-01 does not validate EFFECT_CMD_SET_PARAM and\nEFFECT_CMD_SET_PARAM_DEFERRED commands, which allows attackers to obtain\nsensitive information via a crafted application, aka internal bug 30204301.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": 
"MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3924", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3924"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3924", "href": "https://ubuntu.com/security/CVE-2016-3924", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-04T14:08:27", "description": "camera/src/camera_metadata.c in the Camera service in Android 4.x before\n4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and\n7.0 before 2016-10-01 allows attackers to gain privileges via a crafted\napplication, aka internal bug 30741779.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3916", "bulletinFamily": "info", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3916"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3916", "href": "https://ubuntu.com/security/CVE-2016-3916", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:28", "description": "Race condition in providers/telephony/MmsProvider.java in Telephony in\nAndroid 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x\nbefore 2016-10-01, and 7.0 before 2016-10-01 allows attackers to gain\nprivileges via a crafted application that modifies a database between two\nopen operations, aka internal bug 30481342.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3914", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3914"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3914", "href": "https://ubuntu.com/security/CVE-2016-3914", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:29", "description": "core/java/android/os/Process.java in Zygote in Android 4.x before 4.4.4,\n5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0\nbefore 2016-10-01 allows attackers to gain privileges via a crafted\napplication, aka internal bug 30143607.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3911", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3911"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3911", "href": "https://ubuntu.com/security/CVE-2016-3911", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:25", "description": "The GPS component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x\nbefore 5.1.1, 6.x before 2016-10-01, and 7.0 
before 2016-10-01 allows\nman-in-the-middle attackers to cause a denial of service (memory\nconsumption, and device hang or reboot) via a large xtra.bin or xtra2.bin\nfile on a spoofed Qualcomm gpsonextra.net or izatcloud.net host, aka\ninternal bug 29555864.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-5348", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5348"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-5348", "href": "https://ubuntu.com/security/CVE-2016-5348", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-08-04T14:08:26", "description": "libril/RilSapSocket.cpp in Telephony in Android 6.x before 2016-10-01 and\n7.0 before 2016-10-01 relies on variable-length arrays, which allows\nattackers to gain privileges via a crafted application, aka internal bug\n30202619.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3922", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3922"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3922", "href": "https://ubuntu.com/security/CVE-2016-3922", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-04T14:08:28", "description": "media/libmediaplayerservice/MediaPlayerService.cpp in mediaserver in\nAndroid 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x\nbefore 2016-10-01, and 7.0 before 2016-10-01 does not validate a certain\nstatic_cast operation, which allows attackers to gain privileges via a\ncrafted application, aka internal bug 30204103.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3913", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3913"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3913", "href": "https://ubuntu.com/security/CVE-2016-3913", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:29", "description": "The Lock Settings Service in Android 6.x before 2016-10-01 and 7.0 before\n2016-10-01 allows attackers to remove a device's PIN or password, and\nconsequently gain privileges, via a crafted application, aka internal bug\n30003944.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3908", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3908"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3908", "href": 
"https://ubuntu.com/security/CVE-2016-3908", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-04T14:08:27", "description": "The MediaTek video driver in Android before 2016-10-05 allows attackers to\ngain privileges via a crafted application, aka Android internal bug\n30019362 and MediaTek internal bug ALPS02829384.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3928", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3928"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3928", "href": "https://ubuntu.com/security/CVE-2016-3928", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:29", "description": "The framework APIs in Android 4.x 
before 4.4.4, 5.0.x before 5.0.2, 5.1.x\nbefore 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 allow\nattackers to gain privileges via a crafted application, aka internal bug\n30202481.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3912", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3912"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3912", "href": "https://ubuntu.com/security/CVE-2016-3912", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-31T00:17:07", "description": "mediaserver in Android before 2016-10-05 on Nexus 9 and Pixel C devices\nallows attackers to gain privileges via a crafted application, aka internal\nbug 29421408.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 
"userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3933", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3933"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3933", "href": "https://ubuntu.com/security/CVE-2016-3933", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:28", "description": "services/soundtrigger/SoundTriggerHwService.cpp in mediaserver in Android\n5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0\nbefore 2016-10-01 allows attackers to gain privileges via a crafted\napplication, aka internal bug 30148546.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3910", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3910"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3910", "href": "https://ubuntu.com/security/CVE-2016-3910", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:08:29", "description": "The SoftMPEG4 component in libstagefright in mediaserver in Android 4.x\nbefore 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before\n2016-10-01, and 7.0 before 2016-10-01 allows attackers to gain privileges\nvia a crafted application, aka internal bug 30033990.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3909", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3909"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3909", "href": "https://ubuntu.com/security/CVE-2016-3909", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T14:09:37", 
"description": "net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly\ndetermine the rate of challenge ACK segments, which makes it easier for\nremote attackers to hijack TCP sessions via a blind in-window attack.\n\n#### Bugs\n\n * <https://bugs.launchpad.net/bugs/1615835>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support \n[sbeattie](<https://launchpad.net/~sbeattie>) | fix is going to land in Ubuntu kernels in this SRU cycle, with a likely release date of Aug 27. Earlier access to the kernels with the fix will be available from the -proposed pocket, though they come with the risk of being less tested.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.8, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2016-08-06T00:00:00", "type": "ubuntucve", "title": "CVE-2016-5696", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2016-08-06T00:00:00", "id": 
"UB:CVE-2016-5696", "href": "https://ubuntu.com/security/CVE-2016-5696", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-07-31T00:17:10", "description": "email/provider/AttachmentProvider.java in AOSP Mail in Android 4.x before\n4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and\n7.0 before 2016-10-01 does not ensure that certain values are integers,\nwhich allows attackers to read arbitrary attachments via a crafted\napplication that provides a pathname value, aka internal bug 30745403.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-10-10T00:00:00", "type": "ubuntucve", "title": "CVE-2016-3918", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3918"], "modified": "2016-10-10T00:00:00", "id": "UB:CVE-2016-3918", "href": "https://ubuntu.com/security/CVE-2016-3918", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-08-04T14:09:16", "description": "Heap-based buffer overflow in the wcnss_wlan_write function in\ndrivers/net/wireless/wcnss/wcnss_wlan.c in the wcnss_wlan device driver for\nthe Linux kernel 3.x, as used in 
Qualcomm Innovation Center (QuIC) Android\ncontributions for MSM devices and other products, allows attackers to cause\na denial of service or possibly have unspecified other impact by writing to\n/dev/wcnss_wlan with an unexpected amount of data.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support \n[sbeattie](<https://launchpad.net/~sbeattie>) | mcm tree only driver\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-30T00:00:00", "type": "ubuntucve", "title": "CVE-2016-5342", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5342"], "modified": "2016-08-30T00:00:00", "id": "UB:CVE-2016-5342", "href": "https://ubuntu.com/security/CVE-2016-5342", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2023-01-30T02:08:10", "description": "arch/arm64/mm/dma-mapping.c in the Linux 
kernel before 4.0.3, as used in the ION subsystem in Android and other products, does not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory by triggering a dma_mmap call.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-10-10T10:59:00", "type": "debiancve", "title": "CVE-2015-8950", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8950"], "modified": "2016-10-10T10:59:00", "id": "DEBIANCVE:CVE-2015-8950", "href": "https://security-tracker.debian.org/tracker/CVE-2015-8950", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-01-30T02:08:10", "description": "arch/arm64/kernel/perf_event.c in the Linux kernel before 4.1 on arm64 platforms allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via vectors involving events that are mishandled during a span of multiple HW PMUs.", "cvss3": {"exploitabilityScore": 1.3, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "debiancve", "title": "CVE-2015-8955", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8955"], "modified": "2016-10-10T10:59:00", "id": "DEBIANCVE:CVE-2015-8955", "href": "https://security-tracker.debian.org/tracker/CVE-2015-8955", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-01T06:01:59", "description": "libsysutils/src/FrameworkListener.cpp in Framework Listener in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 allows attackers to gain privileges via a crafted application, aka internal bug 29831647.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "debiancve", "title": "CVE-2016-3921", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": 
true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3921"], "modified": "2016-10-10T10:59:00", "id": "DEBIANCVE:CVE-2016-3921", "href": "https://security-tracker.debian.org/tracker/CVE-2016-3921", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-30T02:08:10", "description": "The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2016-10-10T10:59:00", "type": "debiancve", "title": "CVE-2015-8956", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 3.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8956"], "modified": "2016-10-10T10:59:00", "id": 
"DEBIANCVE:CVE-2015-8956", "href": "https://security-tracker.debian.org/tracker/CVE-2015-8956", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2023-01-30T02:08:11", "description": "drivers/soc/qcom/qdsp6v2/voice_svc.c in the QDSP6v2 Voice Service driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a write request, as demonstrated by a voice_svc_send_req buffer overflow.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-10-10T10:59:00", "type": "debiancve", "title": "CVE-2016-5343", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5343"], "modified": "2016-10-10T10:59:00", "id": "DEBIANCVE:CVE-2016-5343", "href": "https://security-tracker.debian.org/tracker/CVE-2016-5343", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-30T02:08:11", "description": "net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge 
ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.8, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2016-08-06T20:59:00", "type": "debiancve", "title": "CVE-2016-5696", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2016-08-06T20:59:00", "id": "DEBIANCVE:CVE-2016-5696", "href": "https://security-tracker.debian.org/tracker/CVE-2016-5696", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-01-30T02:08:11", "description": "Heap-based buffer overflow in the wcnss_wlan_write function in drivers/net/wireless/wcnss/wcnss_wlan.c in the wcnss_wlan device driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service or possibly have unspecified other impact by writing to /dev/wcnss_wlan with an unexpected amount of data.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": 
"LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-08-30T17:59:00", "type": "debiancve", "title": "CVE-2016-5342", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5342"], "modified": "2016-08-30T17:59:00", "id": "DEBIANCVE:CVE-2016-5342", "href": "https://security-tracker.debian.org/tracker/CVE-2016-5342", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:18:10", "description": "[](<https://1.bp.blogspot.com/-3UpOPjytOcE/V6hJVRJJMtI/AAAAAAAApFs/bl6d7_6BhYQmp_EG4ce47oYcxgLTD-R1wCLcB/s1600/hack-android-phone.png>)\n\nAndroid has Fallen! Yet another set of Android security vulnerabilities has been discovered in Qualcomm chipsets that affect more than 900 Million Android smartphones and tablets worldwide. \n \nWhat's even worse: Most of those affected Android devices will probably never be patched. \n \nDubbed \"**Quadrooter**,\" the set of four vulnerabilities discovered in devices running Android Marshmallow and earlier that ship with Qualcomm chip could allow an attacker to gain root-level access to any Qualcomm device. \n \nThe chip, according to the latest statistics, is found in more than 900 Million Android tablets and smartphones. \n \nThat's a very big number. 
\n \nThe vulnerabilities have been disclosed by a team of _Check Point_ researchers at the DEF CON 24 security conference in Las Vegas. \n \n\n\n### Critical Quadrooter Vulnerabilities:\n\n \nThe four security vulnerabilities are: \n\n\n 1. [CVE-2016-2503](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2503>) discovered in Qualcomm's GPU driver and fixed in Google's Android Security Bulletin for July 2016.\n 2. [CVE-2016-2504](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2504>) found in Qualcomm GPU driver and fixed in Google's Android Security Bulletin for August 2016.\n 3. [CVE-2016-2059](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2059>) found in Qualcomm kernel module and fixed in April, though patch status is unknown.\n 4. [CVE-2016-5340](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-5340>) presented in Qualcomm GPU driver and fixed, but patch status unknown.\nQualcomm is the world's leading designer of LTE (_Long Term Evolution_) chipsets with a 65% share of the LTE modem baseband market. If any one of the four flaws is exploited, an attacker can trigger privilege escalations for gaining root access to an affected device. \n \nAll an attacker needs is to write a piece of malware and send it to the victim. When installed, the malware offers the attacker privilege escalation on the affected devices. \n \nAccording to the researchers, the attack can also be conducted through a malicious app. An attacker needs to trick a user into installing a malicious app that, unlike other malware, would execute without requiring any special permission checks. 
\n\n\n> \"Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing,\" Check Point researchers write in a [blog post](<http://blog.checkpoint.com/2016/08/07/quadrooter/>).\n\nIf any of the four vulnerabilities are successfully exploited, an attacker could gain root access to an affected device, giving the attacker full access to the device, including its data, camera and microphone. \n \n\n\n### List of Affected Devices (Popular)\n\n[](<https://4.bp.blogspot.com/-nKiU-VRznSQ/V6hK2HGZjCI/AAAAAAAApF4/s-MkYCmXMa0dB1G9tulskqhVcAH-UeLLQCLcB/s1600/android-vulnerability-scanner.png>)\n\nMore than 900 Million Android devices that ship with Qualcomm chip are vulnerable to the flaws. \n \nHere's the list of some of the popular affected devices, though there are far more devices that are impacted by one or more Quadrooter vulnerabilities. \n\n\n * Samsung Galaxy S7 and Samsung S7 Edge\n * Sony Xperia Z Ultra\n * OnePlus One, OnePlus 2 and OnePlus 3\n * Google Nexus 5X, Nexus 6 and Nexus 6P\n * Blackphone 1 and Blackphone 2\n * HTC One, HTC M9 and HTC 10\n * LG G4, LG G5, and LG V10\n * New Moto X by Motorola\n * BlackBerry Priv\n\n### How to Check if Your Device is Vulnerable?\n\n \nYou can check if your smartphone or tablet is vulnerable to Quadrooter attack using [Check Point's free app](<https://play.google.com/store/apps/details?id=com.checkpoint.quadrooter>). \n \nSince the vulnerable software drivers, which control communication between Qualcomm chipset components, come pre-installed on these devices at the time of manufacturing, they can only be fixed by installing a patch from the devices' distributors or carriers after receiving fixed driver packs from Qualcomm. \n\n\n> \"This situation highlights the inherent risks in the Android security model,\" the researchers say. 
\"Critical security updates must pass through the entire supply chain before they can be made available to end users.\"\n\nThree of the four vulnerabilities have already been fixed in Google's latest set of [monthly security updates](<https://source.android.com/security/bulletin/>), and a patch for the remaining flaw will be rolled out in the upcoming September update. \n \nSince Qualcomm has already released the code, the phone manufacturers could be able to issue patches to the individual devices as soon as possible. \n \nAndroid Nexus devices are already patched via the over-the-air updates, but other smartphone models will need to wait until their lazy phone manufacturers integrate the fixes into their own custom Android ROMs.\n", "cvss3": {}, "published": "2016-08-07T20:06:00", "type": "thn", "title": "Warning! Over 900 Million Android Phones Vulnerable to New 'QuadRooter' Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-2059", "CVE-2016-2504", "CVE-2016-5340", "CVE-2016-2503"], "modified": "2016-08-08T09:03:33", "id": "THN:88858C272BB7187F908C43D40345230D", "href": "https://thehackernews.com/2016/08/hack-android-phone.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:18:10", "description": "[](<https://4.bp.blogspot.com/-hEDa0CCUvq0/V6xQv40SogI/AAAAAAAApJE/_BPwDkHfi1c_pfqMblsyaLu5HvFLnCeCQCLcB/s1600/linux-server-tcp-packet-hacking.png>)\n\nIf you are using the Internet, there are the possibilities that you are open to attack. \n \nThe Transmission Control Protocol (TCP) implementation in all Linux systems deployed since 2012 (_version 3.6 and above of the Linux kernel_) poses a serious threat to Internet users, whether or not they use Linux directly. \n \nThis issue is troubling because Linux is used widely across the Internet, from web servers to Android smartphones, tablets, and smart TVs. 
\n \nResearchers have uncovered a serious Internet flaw, which, if exploited, could allow attackers to terminate or inject malware into unencrypted communication between any two vulnerable machines on the Internet. \n \nThe vulnerability could also be used to forcefully terminate HTTPS encrypted connections and downgrade the privacy of secure connections, and it also threatens the anonymity of Tor users by routing them to certain malicious relays. \n \nThe flaw actually resides in the design and implementation of the **Request for Comments: 5961** ([RFC 5961](<https://tools.ietf.org/html/rfc5961>)) \u2013 a relatively new Internet standard that's designed to make commonly used TCP more robust against hacking attacks. \n \nThe TCP protocol is at the heart of all Internet communications, as all application level protocols, including HTTP, FTP, SSH, Telnet, DNS, and SMTP, run on top of TCP. \n \nWeb servers and other applications use TCP to establish connections between hosts and transfer data between them. \n \nA team of six security researchers from the University of California, Riverside and the U.S. Army Research Laboratory has demonstrated a [proof-of-concept exploit](<https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/cao>) at the USENIX Security Symposium that can be used to detect if two hosts are communicating over TCP and ultimately attack that traffic. \n \n\n\n### No Need for a Man-in-the-Middle Position\n\n[](<https://1.bp.blogspot.com/-NZwt4F_trEI/V6xJI7sa8BI/AAAAAAAApI0/FDCNjFwJYvApMupzfHdfP9NvEs9mqE1gQCLcB/s1600/linux-tcp-hacking.png>)\n\nTypically, TCP divides messages into a series of data packets that are identified by unique sequence numbers and transmitted to the receiver. When received, the data packets are then reassembled by the receiver into the original message. 
\n \nResearchers found that a '**side channel**' attack allows hackers to guess the TCP packet sequence numbers accurately within the first 10 seconds of the attack by using no more information than just the IP addresses of both parties. \n \nThis means an attacker with a spoofed IP address does not need a man-in-the-middle (MITM) position to intercept and inject malicious TCP packets between any two arbitrary machines on the Internet. \n \nThe researchers detailed their findings in the paper titled '**Off-Path TCP Exploits: Global Rate Limit Considered Dangerous**' [[PDF](<http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf>)], which they presented at the conference, showing the audience how they injected a phishing form inside the USA Today website. \n\n\nYou can watch the video demonstration above that shows the attack in action. \n \n\n\n### Targeting the Tor Network\n\n \nThe researchers also show how the flaw ([CVE-2016-5696](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696>)) can be exploited to break Secure Shell (SSH) connections and tamper with encrypted communications traveling over the Tor anonymity network. \n\n\n> \"In general, we believe that a DoS [Denial of Service] attack against Tor connections can have a devastating impact on both the availability of the service as a whole and the privacy guarantees that it can provide,\" the paper reads. \n\n> \"The default policy in Tor is that if a connection is down between two relay nodes, say a middle relay and an exit relay, the middle relay will pick a different exit relay to establish the next connection. If an attacker can dictate which connections are down (via reset attacks), then the attacker can potentially force the use of certain exit relays.\"\n\nThe team also provided recommendations on how to mitigate the attack. 
\n \n\n\n### Here's How to Mitigate the TCP Attack\n\n \nWhile patches to fix the vulnerability are being developed and distributed for the current Linux kernel, as a workaround you can raise the challenge ACK rate limit on your Linux machine or device to a large value so that it cannot be reached. \n \nFor this, you are required to append the following to /etc/sysctl.conf: \n\n\n> net.ipv4.tcp_challenge_ack_limit = 999999999\n\nOnce done, use sysctl -p to activate the new rule. You need root privileges to do this. \n \nThe researchers also note that while Linux version 3.6 and above are vulnerable to this attack, Windows, OS X and FreeBSD are not believed to be vulnerable because they have not yet fully implemented RFC 5961.\n", "cvss3": {}, "published": "2016-08-10T23:18:00", "type": "thn", "title": "Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2016-08-11T13:03:17", "id": "THN:B41554BF406DE03F01F4B7A7E4CD2A52", "href": "https://thehackernews.com/2016/08/linux-tcp-packet-hacking.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-27T10:06:50", "description": "[](<https://1.bp.blogspot.com/-BTKum11v1d8/V7MHT6Vy7OI/AAAAAAAApMU/v_XnTsEnvwA5lzrZWm6ya46y9oEe9AMSACLcB/s1600/android-hack-linux.png>)\n\nAn estimated 80 percent of Android smartphones and tablets running Android 4.4 KitKat and higher are vulnerable to a recently disclosed [Linux kernel flaw](<https://thehackernews.com/2016/08/linux-tcp-packet-hacking.html>) that allows hackers to terminate connections, spy on unencrypted traffic or inject malware into the parties' communications. \n \nEven the latest [Android Nougat](<https://thehackernews.com/2016/03/google-android-n-features.html>) Preview is considered to be vulnerable. 
\n \nThe security flaw first appeared in the implementation of the TCP protocol in all Linux systems deployed since 2012 (version 3.6 and above of the Linux OS kernel) and the Linux Foundation has already patched the Linux kernel on July 11, 2016. \n \nHowever, the vulnerability ([CVE-2016-5696](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696>)) is now affecting a large portion of the Android ecosystem. \n \nAccording to a [blog post](<https://blog.lookout.com/blog/2016/08/15/linux-vulnerability-android/>) published Monday by mobile security firm Lookout, the Linux flaw is present in Android version 4.4 KitKat and all later releases, including the latest developer preview of [Android Nougat](<https://thehackernews.com/2016/06/android-n-nougat-nutella.html>). \n \n\n\n### Around 1.4 BILLLLLION Android Devices Affected\n\n \nThis means that 80% of all Android devices in use today, which is nearly 1.4 Billion devices, are vulnerable to attacks, enabling hackers to spy on your communications without even compromising your network via a man-in-the-middle attack. \n \nThe good news is that the Linux vulnerability is complicated and difficult to exploit, but the risk is there, especially for targeted attacks. \n\n\n> \"While a man-in-the-middle attack is not required here, the attacker still needs to know a source and destination IP address to successfully execute the attack,\" Lookout stated in the blog post.\n\nWindows and Macs are not affected by the vulnerability. \n \nAccording to Google, engineers are already aware of the vulnerability and are _\"taking the appropriate actions\"_ to fix the issue, a Google representative [told](<https://arstechnica.com/security/2016/08/linux-bug-leaves-1-4-billion-android-users-vulnerable-to-hijacking-attacks/>) Ars Technica. So, it is likely that a patch for Android will arrive soon. 
\n \n\n\n### Temporary Mitigation:\n\n * Make sure your Internet traffic is encrypted: apps you use and websites you visit should employ HTTPS.\n * Use a Virtual Private Network (VPN).\n\nTo know more about the Linux kernel flaw and its mitigation, see our post titled \"[Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely](<https://thehackernews.com/2016/08/linux-tcp-packet-hacking.html>).\"\n", "cvss3": {}, "published": "2016-08-16T01:31:00", "type": "thn", "title": "Internet Traffic Hijacking Linux Flaw Affects 80% of Android Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2016-08-16T12:37:16", "id": "THN:4FE2068BDC86E2EECDC3F2C86932F8F2", "href": "https://thehackernews.com/2016/08/hack-linux-android.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:56", "bulletinFamily": "info", "cvelist": ["CVE-2016-2059", "CVE-2016-2503", "CVE-2016-2504", "CVE-2016-5340"], "description": "Four vulnerabilities found in Qualcomm chips used in 900 million Android devices leave affected phones and tablets open to attacks that could give hackers complete system control. Researchers at Check Point who found the flaws are calling the vulnerabilities Quadrooter and say that a patch isn\u2019t expected to be available to most users until September.\n\nThe privilege escalation vulnerabilities were revealed at a DEF CON talk on Sunday by Check Point\u2019s Adam Donenfeld, the company\u2019s lead mobile security researcher. 
The flaws are in multiple subsystems of the Qualcomm chipset and impact top Android handsets including Samsung, HTC, Motorola, and LG phones.\n\n\u201cThese are vulnerabilities that allow adversaries to overcome all the existing mitigations in Android\u2019s Linux kernel to run kernel-code, elevating privileges and allowing an attacker to gain root privileges and completely bypassing SELinux,\u201d said Michael Shaulov, head of mobility product management. SELinux (Security-Enhanced Linux) is a Linux kernel security component that supports access control security policies on Android subsystems.\n\nAn attacker would need to lure an Android user into downloading a malicious app that may seem benign at the point of installation because no special permissions are required for the vulnerabilities to be exploited.\n\nA list of impacted Android devices includes:\n\n * BlackBerry Priv\n * Blackphone 1 and 2\n * Google Nexus 5X, 6 and 6P\n * HTC One M9 and HTC 10\n * LG G4, G5, and V10\n * New Moto X by Motorola\n * OnePlus One, 2 and 3\n * Samsung Galaxy S7 and S7 Edge\n * Sony Xperia Z Ultra\n\nThe vulnerabilities are tied to Qualcomm\u2019s software drivers that control communication between chipset components. \u201cEach one of these vulnerabilities are unique and affect four key modules in Android subsystems,\u201d Shaulov said.\n\nOne of those vulnerabilities (CVE-2016-5340) is tied to a proprietary memory allocation subsystem in Android called ashmem that enables processes to efficiently share memory buffers. \u201cDevices using Qualcomm chipsets use a modified ashmem system that provides easy access to the subsystem API from the GPU drivers,\u201d according to a [technical analysis of the vulnerability](<http://blog.checkpoint.com/2016/08/07/quadrooter/>).\n\nTwo use-after-free flaws are tied to race conditions in Qualcomm\u2019s GPU component called KGSL (Kernel Graphics Support Layer), a kernel driver that renders graphics. 
The first of the two (CVE-2016-2503) is tied to how the KGSL driver \u201ckgsl_sync\u201d synchronizes between the CPU and the apps.\n\n\u201cThe function is prone to a race condition flaw, where two parallel threads call the function simultaneously\u2026 This drops the refcount of a syncsource object below 0, exposing itself to a use-after-free attack,\u201d Check Point writes.\n\nThe other use-after-free vulnerability (CVE-2016-2504) is found in the KGSL driver when a module creates a GPU memory object called \u201ckgsl_mem_entry\u201d. Check Point describes: \u201cSince a user-space process can allocate and map memory to the GPU, it can both create and destroy a kgsl_mem_entry\u2026 Since there\u2019s no access protection enforced, another thread can simply free this object, invoking an use-after-free flaw.\u201d\n\nAnother flaw (CVE-2016-2059) is tied to the Linux IPC (inter-process communication) router module of the Qualcomm chip. This component provides inter-process communication capabilities for various Qualcomm components, user mode processes, and hardware drivers, Check Point said.\n\n\u201cA kernel module introduced by Qualcomm, called ipc_router, contains the vulnerability\u2026 The vulnerability\u2019s exploit goal is to gain root privileges while disabling SELinux,\u201d the report says.\n\nCheck Point disclosed its research to Qualcomm in April, after which Qualcomm classified the vulnerabilities as high severity and issued driver patches to device makers Samsung, HTC, Motorola, LG and others. But because of the fragmented relationship between end-user devices, wireless carriers, OEMs and component chip makers, Check Point said it could take weeks to months before patches reach the actual devices. 
\u201cA number of factors contribute to Android fragmentation including different Android builds for different device makers, models, carriers and distributors,\u201d Check Point explains.\n\nGoogle deployed patches for its Nexus 5X, Nexus 6, and Nexus 6P for three of the four security flaws; however, one of the patches is still outstanding and expected in September, according to Check Point.\n", "modified": "2016-08-08T15:11:36", "published": "2016-08-08T11:11:36", "id": "THREATPOST:7CADC235F13740390327E980B3E902EE", "href": "https://threatpost.com/quadrooter-flaw-in-qualcomm-chips-puts-900m-android-devices-at-risk/119713/", "type": "threatpost", "title": "Qualcomm Chip Flaw Leaves 900m Android Devices Open to Attack", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:48", "bulletinFamily": "info", "cvelist": ["CVE-2016-2059", "CVE-2016-2503", "CVE-2016-2504", "CVE-2016-5340"], "description": "The [Quadrooter vulnerabilities](<https://threatpost.com/quadrooter-flaw-in-qualcomm-chips-puts-900m-android-devices-at-risk/119713/>) made a lot of people take notice because the scale of affected Android devices (more than 900,000) put it on a level with [Stagefright](<https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960/>) and other bugs that impact a large majority of the Android ecosystem.\n\nSome details on the four vulnerabilities were publicly disclosed at DEF CON in August by researchers at Check Point Software Technologies, who warned that popular handsets made by Samsung, Motorola and others were affected, and that the vulnerabilities put those devices at risk of complete compromise.\n\nTwo of the four vulnerabilities were patched in July and August respectively, and today, Google patched the two remaining vulnerabilities in its monthly [Android Security Bulletin](<https://source.android.com/security/>). 
The patches were pushed out today to Nexus devices in an over-the-air update, while partners were given the updates Aug. 5. The Android Open Source Project is expected to receive the patches within 48 hours.\n\nThe vulnerabilities enable privilege escalation and open the door to remote attacks. Multiple subsystems of the Qualcomm chipset are affected and the vulnerabilities can be exploited to bypass existing mitigations in the Android Linux kernel, allowing an attacker to gain root privileges, Check Point said.\n\nThe easiest way to compromise Android devices vulnerable to Quadrooter would be to trick the victim into downloading a malicious app. The flaws are in Qualcomm drivers that control communication between different components in the chip.\n\nGoogle today patched CVE-2016-5340 and CVE-2016-2059. CVE-2016-5340 is a bug in Android\u2019s memory allocation subsystem called ashmem, while CVE-2016-2059 is in the Linux inter-process communication router module.\n\nBoth flaws allow root access, and successful exploits would require a device to be re-flashed, Google said.\n\nThe previously patched bugs, CVE-2016-2503 (July) and CVE-2016-2504 (August), addressed use-after-free flaws tied to race conditions in the kernel graphics support layer, a Qualcomm GPU component.\n\nGoogle today published three different patch levels: Sept. 1, 5 and 6.\n\nSept. 1 includes patches for two critical flaws, one in LibUtils and another in Mediaserver, both of which are remote code execution bugs, as is another rated high severity in MediaMuxer.\n\nLibUtils and Mediaserver bugs have been patched before in Android; Mediaserver bugs were at the heart of last summer\u2019s Stagefright vulnerabilities. All of these flaws, including the MediaMuxer issue, can be exploited via specially crafted media files. They affect all Nexus devices.\n\nThe Sept. 
5 patch level addresses five critical vulnerabilities, two in the kernel security subsystem, one in the kernel networking subsystem, one in the kernel netfilter subsystem and one in the kernel USB driver. All five are privilege escalation vulnerabilities and all five can give a hacker the means to execute arbitrary code at the kernel level.\n\nThe Sept. 6 patch level, meanwhile, includes just the two Quadrooter fixes.\n", "modified": "2016-09-06T16:25:21", "published": "2016-09-06T14:00:01", "id": "THREATPOST:BB41A4A6AC8B8A202F84DBAD0F98EE82", "href": "https://threatpost.com/google-patches-quadrooter-vulnerabilities-in-android/120374/", "type": "threatpost", "title": "Google Patches Quadrooter Vulnerabilities in Android", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T11:56:41", "description": "No description provided by source.", "published": "2017-08-01T00:00:00", "type": "seebug", "title": "Failed integer overflow check leads to heap overflow in driver /dev/qce (CVE-2016-3935)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3935"], "modified": "2017-08-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96322", "id": "SSV:96322", "sourceData": "\n https://github.com/jiayy/android_vuln_poc-exp/tree/master/EXP-CVE-2016-3935\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96322", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "android": [{"lastseen": "2021-07-28T14:34:31", "description": "Unspecified vulnerability in a Qualcomm component in Android before 2016-10-05 on Nexus 5, 5X, 6, and 6P devices has unknown impact and attack vectors, aka internal bug 28823953.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-01T00:00:00", "title": "CVE-2016-3926", "type": "android", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3926"], "modified": "2019-07-29T00:00:00", "id": "ANDROID:CVE-2016-3926", "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-3926.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:31", "description": "Unspecified vulnerability in a Qualcomm component in Android before 2016-10-05 on Nexus 5X and 6P devices has unknown impact and attack vectors, aka internal bug 28823244.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-01T00:00:00", "title": "CVE-2016-3927", "type": "android", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3927"], "modified": "2019-07-29T00:00:00", "id": "ANDROID:CVE-2016-3927", "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-3927.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:31", "description": "The MediaTek video driver in Android before 2016-10-05 allows attackers to gain privileges via a crafted application, aka Android internal bug 30019362 and MediaTek internal bug ALPS02829384.", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-01T00:00:00", "title": "CVE-2016-3928", "type": "android", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3928"], "modified": "2019-07-29T00:00:00", "id": "ANDROID:CVE-2016-3928", "href": 
"http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-3928.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:39", "description": "Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel before 4.5.2 allows remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-10-01T00:00:00", "title": "CVE-2016-7117", "type": "android", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7117"], "modified": "2019-07-29T00:00:00", "id": "ANDROID:CVE-2016-7117", "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-7117.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-08T19:10:45", "description": "Exploit for Android platform in category dos / poc", "cvss3": {}, "published": "2016-10-12T00:00:00", "type": "zdt", "title": "Android - Binder Generic ASLR Leak Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, 
"cvelist": ["CVE-2016-6689"], "modified": "2016-10-12T00:00:00", "id": "1337DAY-ID-25506", "href": "https://0day.today/exploit/description/25506", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=889\r\n \r\nThe interaction between the kernel /dev/binder and the usermode Parcel.cpp mean\r\nthat when a binder object is passed as BINDER_TYPE_BINDER or BINDER_TYPE_WEAK_BINDER,\r\na pointer to that object (in the server process) is leaked to the client process\r\nas the cookie value. This leads to a leak of a heap address in many of the privileged\r\nbinder services, including system_server.\r\n \r\nSee attached PoC, which leaks the addresses of allocated heap objects in system_server.\r\n \r\nOutput running from the shell (run on droidfood userdebug build, MTC19X):\r\n \r\n[email\u00a0protected]:/ $ /data/local/tmp/binder_info_leak \r\n--- binder info leak ---\r\n[0] opening /dev/binder\r\n[0] looking up activity\r\n0000: 00 . 01 . 00 . 00 . 1a . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 .\r\n0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 00 . 6f o 00 . 73 s 00 . 2e . 00 . 49 I 00 .\r\n0032: 53 S 00 . 65 e 00 . 72 r 00 . 76 v 00 . 69 i 00 . 63 c 00 . 65 e 00 . 4d M 00 .\r\n0048: 61 a 00 . 6e n 00 . 61 a 00 . 67 g 00 . 65 e 00 . 72 r 00 . 00 . 00 . 00 . 00 .\r\n0064: 08 . 00 . 00 . 00 . 61 a 00 . 63 c 00 . 74 t 00 . 69 i 00 . 76 v 00 . 69 i 00 .\r\n0080: 74 t 00 . 79 y 00 . 00 . 00 . 00 . 00 .\r\nBR_NOOP:\r\nBR_TRANSACTION_COMPLETE:\r\nBR_REPLY:\r\n target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000\r\n pid 0 uid 1000 data 24 offs 8\r\n0000: 85 . 2a * 68 h 73 s 7f . 01 . 00 . 00 . 01 . 00 . 00 . 00 . 55 U 00 . 00 . 00 .\r\n0016: 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .\r\n - type 73682a85 flags 0000017f ptr 0000005500000001 cookie 0000000000000000\r\n[0] got handle 00000001\r\n0000: 00 . 01 . 00 . 00 . 1c . 00 . 00 . 00 . 61 a 00 . 6e n 00 . 64 d 00 . 72 r 00 .\r\n0016: 6f o 00 . 69 i 00 . 64 d 00 . 2e . 
00 . 61 a 00 . 70 p 00 . 70 p 00 . 2e . 00 .\r\n0032: 49 I 00 . 41 A 00 . 63 c 00 . 74 t 00 . 69 i 00 . 76 v 00 . 69 i 00 . 74 t 00 .\r\n0048: 79 y 00 . 4d M 00 . 61 a 00 . 6e n 00 . 61 a 00 . 67 g 00 . 65 e 00 . 72 r 00 .\r\n0064: 00 . 00 . 00 . 00 . 05 . 00 . 00 . 00 . 70 p 00 . 77 w 00 . 6e n 00 . 65 e 00 .\r\n0080: 64 d 00 . 00 . 00 .\r\nBR_NOOP:\r\nBR_TRANSACTION_COMPLETE:\r\nBR_REPLY:\r\n target 0000000000000000 cookie 0000000000000000 code 00000000 flags 00000000\r\n pid 0 uid 1000 data 28 offs 8\r\n0000: 00 . 00 . 00 . 00 . 85 . 2a * 68 h 73 s 7f . 01 . 00 . 00 . 02 . 00 . 00 . 00 .\r\n0016: 7f . 00 . 00 . 00 . c0 . 19 . 9d . 8b . 7f . 00 . 00 . 00 .\r\n - type 73682a85 flags 0000017f ptr 0000007f00000002 cookie 0000007f8b9d19c0\r\n[0] got handle 00000000\r\n \r\n \r\nDebugger output from system_server\r\n \r\npwndbg> hexdump 0x0000007f8b9d19c0\r\n+0000 0x7f8b9d19c0 38 35 76 ab 7f 00 00 00 00 00 00 00 00 00 00 00 |85v.|....|....|....|\r\n+0010 0x7f8b9d19d0 65 00 6e 00 74 00 5f 00 40 d1 0c a8 7f 00 00 00 |e.n.|t._.|@...|....|\r\n+0020 0x7f8b9d19e0 6a 16 20 00 00 00 00 00 20 ad 81 ab 7f 00 00 00 |j...|....|....|....|\r\n+0030 0x7f8b9d19f0 e0 fc 7f 8e 7f 00 00 00 a0 f2 c7 8a 7f 00 00 00 |....|....|....|....|\r\n+0040 0x7f8b9d1a00 \r\n \r\nThis is pretty obviously the case; the code in Parcel.cpp that flattens binder objects\r\nto pass via binder transactions:\r\n \r\nstatus_t flatten_binder(const sp<ProcessState>& /*proc*/,\r\n const sp<IBinder>& binder, Parcel* out)\r\n{\r\n flat_binder_object obj;\r\n \r\n obj.flags = 0x7f | FLAT_BINDER_FLAG_ACCEPTS_FDS;\r\n if (binder != NULL) {\r\n IBinder *local = binder->localBinder();\r\n if (!local) {\r\n BpBinder *proxy = binder->remoteBinder();\r\n if (proxy == NULL) {\r\n ALOGE(\"null proxy\");\r\n }\r\n const int32_t handle = proxy ? 
proxy->handle() : 0;\r\n obj.type = BINDER_TYPE_HANDLE;\r\n obj.binder = 0; /* Don't pass uninitialized stack data to a remote process */\r\n obj.handle = handle;\r\n obj.cookie = 0;\r\n } else {\r\n obj.type = BINDER_TYPE_BINDER;\r\n obj.binder = reinterpret_cast<uintptr_t>(local->getWeakRefs());\r\n obj.cookie = reinterpret_cast<uintptr_t>(local); // <--- is a pointer to the object\r\n }\r\n } else {\r\n obj.type = BINDER_TYPE_BINDER;\r\n obj.binder = 0;\r\n obj.cookie = 0;\r\n }\r\n \r\n return finish_flatten_binder(binder, obj, out);\r\n}\r\n \r\nand the kernel code which processes this to send to the target process modifies\r\nthe fp->handle entry, overwriting fp->binder, but does not alter fp->cookie, which\r\ncontains the second pointer.\r\n \r\n case BINDER_TYPE_BINDER:\r\n case BINDER_TYPE_WEAK_BINDER: {\r\n struct binder_ref *ref;\r\n struct binder_node *node = binder_get_node(proc, fp->binder);\r\n if (node == NULL) {\r\n node = binder_new_node(proc, fp->binder, fp->cookie);\r\n if (node == NULL) {\r\n return_error = BR_FAILED_REPLY;\r\n goto err_binder_new_node_failed;\r\n }\r\n node->min_priority = fp->flags & FLAT_BINDER_FLAG_PRIORITY_MASK;\r\n node->accept_fds = !!(fp->flags & FLAT_BINDER_FLAG_ACCEPTS_FDS);\r\n }\r\n if (fp->cookie != node->cookie) {\r\n binder_user_error(\"%d:%d sending u%016llx node %d, cookie mismatch %016llx != %016llx\\n\",\r\n proc->pid, thread->pid,\r\n (u64)fp->binder, node->debug_id,\r\n (u64)fp->cookie, (u64)node->cookie);\r\n goto err_binder_get_ref_for_node_failed;\r\n }\r\n if (security_binder_transfer_binder(proc->tsk, target_proc->tsk)) {\r\n return_error = BR_FAILED_REPLY;\r\n goto err_binder_get_ref_for_node_failed;\r\n }\r\n ref = binder_get_ref_for_node(target_proc, node);\r\n if (ref == NULL) {\r\n return_error = BR_FAILED_REPLY;\r\n goto err_binder_get_ref_for_node_failed;\r\n }\r\n if (fp->type == BINDER_TYPE_BINDER)\r\n fp->type = BINDER_TYPE_HANDLE;\r\n else\r\n fp->type = BINDER_TYPE_WEAK_HANDLE;\r\n 
fp->handle = ref->desc;\r\n binder_inc_ref(ref, fp->type == BINDER_TYPE_HANDLE,\r\n &thread->todo);\r\n trace_binder_transaction_node_to_ref(t, node, ref);\r\n binder_debug(BINDER_DEBUG_TRANSACTION,\r\n \" node %d u%016llx -> ref %d desc %d\\n\",\r\n node->debug_id, (u64)node->ptr,\r\n ref->debug_id, ref->desc);\r\n } break;\r\n \r\nIn the case of 64-bit processes, the high dword of the fp->binder pointer is leaked as well:\r\nfp->handle is a uint32_t that shares a union with the 64-bit binder_uintptr_t fp->binder, so\r\nwriting the handle only overwrites the low dword and leaves the upper half of the pointer in\r\nplace. This is visible in the dump above as ptr 0000007f00000002, where 0000007f is the leftover\r\nhigh dword of the original pointer and 00000002 is the newly assigned handle.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40515.zip\n\n# 0day.today [2018-01-08] #", "sourceHref": "https://0day.today/exploit/25506", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-26T23:13:46", "description": "Exploit for Android platform in category dos / poc", "cvss3": {}, "published": "2016-10-12T00:00:00", "type": "zdt", "title": "Android - 'gpsOneXtra' Data Files Denial of Service", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-5348"], "modified": "2016-10-12T00:00:00", "id": "1337DAY-ID-25493", "href": "https://0day.today/exploit/description/25493", "sourceData": "Summary\r\n \r\nAndroid devices can be crashed remotely, forcing a halt and then a soft\r\nreboot, by a MITM attacker manipulating assisted GPS/GNSS data provided\r\nby Qualcomm. This issue affects the open source code in AOSP and\r\nproprietary code in a Java XTRA downloader provided by Qualcomm. The\r\nAndroid issue was fixed in the October 2016 Android bulletin.\r\nAdditional patches have been issued by Qualcomm to the proprietary\r\nclient in September of 2016.\r\n
This issue may also affect other\r\nplatforms that use Qualcomm GPS chipsets and consume these files, but\r\nwe have not tested that and it requires further research.\r\n \r\nBackground \u2013 GPS and gpsOneXtra\r\n \r\nMost mobile devices today include the ability to locate themselves on the\r\nEarth\u2019s surface using the Global Positioning System (GPS), a system\r\noriginally developed and currently maintained by the US military.\r\nSimilar systems developed and maintained by other countries exist as\r\nwell, including Russia\u2019s GLONASS, Europe\u2019s Galileo, and China\u2019s Beidou.\r\nThe GPS signals include an almanac which lists orbit and status\r\ninformation for each of the satellites in the GPS constellation. This\r\nallows receivers to acquire the satellites more quickly, since a\r\nreceiver does not need to search blindly for the location of each\r\nsatellite. Similar functionality exists for other GNSS systems. To\r\nspeed up almanac acquisition, Qualcomm developed\r\nthe gpsOneXtra system in 2007 (also known as IZat XTRA Assistance\r\nsince 2013). This system lets GPS receivers download\r\nthe almanac data over the Internet from Qualcomm-operated servers. The\r\nformat of these XTRA files is proprietary but appears to contain current\r\nsatellite location data plus estimated locations for the next 7 days,\r\nas well as additional information to improve signal acquisition. Most\r\nQualcomm mobile chipsets and GPS chips include support for this\r\ntechnology. A related Qualcomm technology called IZat adds the ability to\r\nuse WiFi and cellular networks for location in addition to GPS.\r\n \r\nBackground \u2013 Android and gpsOneXtra Data Files\r\n \r\nDuring our network monitoring of traffic originating from an Android\r\ntest device, we discovered that the device makes periodic requests to the\r\nQualcomm servers to retrieve gpsOneXtra assistance files.\r\n
These\r\nrequests were performed almost every time the device connected to a\r\nWiFi network. As discovered by our research and confirmed by the\r\nAndroid source code, the following URLs were used:\r\n \r\nhttp://xtra1.gpsonextra.net/xtra.bin\r\nhttp://xtra2.gpsonextra.net/xtra.bin\r\nhttp://xtra3.gpsonextra.net/xtra.bin\r\n \r\nhttp://xtrapath1.izatcloud.net/xtra2.bin\r\nhttp://xtrapath2.izatcloud.net/xtra2.bin\r\nhttp://xtrapath3.izatcloud.net/xtra2.bin\r\n \r\nAll of these are plain HTTP URLs, which is what allows an on-path\r\nattacker to substitute the file. WHOIS records show that both domains,\r\ngpsonextra.net and izatcloud.net, are owned by Qualcomm. Further\r\ninspection of those URLs indicates that both domains are hosted and\r\nserved from Amazon\u2019s CloudFront CDN service (with the exception of\r\nxtra1.gpsonextra.net, which is served directly by Qualcomm). On the\r\nAndroid platform, our inspection of the Android source code shows that\r\nthe file is requested by a system-level Java class\r\n(GpsXtraDownloader.java), which passes the data to a C++ JNI class\r\n(com_android_server_location_GnssLocationProvider.cpp), which then\r\ninjects the file into the Qualcomm modem or firmware. We have not\r\ninspected other platforms in detail, but suspect that a similar\r\nprocess is used. Our testing was performed on Android 6.0, patch\r\nlevel of January 2016, on a Motorola Moto G (2nd gen) GSM phone, and\r\nconfirmed on a Nexus 6P running Android 6.0.1 with the May 2016 security\r\npatches. Qualcomm has additionally tested their proprietary Java XTRA\r\ndownloader client and confirmed the vulnerability there.\r\n \r\nVulnerability Details\r\n \r\nThe Android platform downloads XTRA data files automatically when\r\nconnecting to a new network.\r\n
This originates from a Java class\r\n(GpsXtraDownloader.java), which passes the file to a C++/JNI\r\nclass (com_android_server_location_GnssLocationProvider.cpp), which in turn\r\ninjects it into the Qualcomm modem.\r\n \r\nThe vulnerability is that neither the Java nor the C++ code checks\r\nhow large the data file actually is. If a file is served that is\r\nlarger than the memory available on the device, all memory is\r\nexhausted and the phone halts and then soft reboots.\r\nThe soft reboot was sufficient to recover from the crash and no data\r\nwas lost. While we have not been able to achieve remote code execution\r\nin either the Qualcomm modem or the Android OS, this code path could\r\npotentially be exploited for such attacks; that would require more\r\nresearch.\r\n \r\nA MITM attacker located anywhere on the network between\r\nthe phone being attacked and Qualcomm\u2019s servers can mount the\r\nattack by intercepting the legitimate requests from the phone and\r\nsubstituting their own, larger files. Because the default Chrome\r\nbrowser on Android reveals the model and build of the phone (as we\r\nhave written about earlier), it would be possible to derive the\r\nmaximum memory size from that information and deliver an\r\nappropriately sized attack file. Possible attack positions include hostile\r\nhotspots, compromised routers, or anywhere along the backbone.\r\n
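The Java-side size check the advisory calls for, as an added example that is not code from the advisory or from AOSP: a bounded replacement for the Streams.readFully() call quoted in the vulnerable listing. The class name, the method names and the MAX_XTRA_BYTES value are assumptions made here. One caveat a practitioner should keep in mind: in the MITM scenario described above the attacker controls the Content-Length header as well as the body, so checking the declared length alone is not enough. The reader below rejects an oversize declaration before allocating anything and also stops as soon as more than the cap has actually arrived, and the download wrapper catches the OutOfMemoryError the advisory observed so that a bad file fails the XTRA fetch rather than taking the process down.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;

/*
 * Added example, not AOSP code and not from the advisory: a bounded
 * replacement for the Streams.readFully() call in GpsXtraDownloader.java.
 * MAX_XTRA_BYTES is an assumed cap; size it from the XTRA files your
 * devices actually receive. Method names are chosen here, not taken from AOSP.
 */
public final class BoundedXtraDownload {

    /** Assumed upper bound for a legitimate XTRA file. */
    static final int MAX_XTRA_BYTES = 1_000_000;

    /**
     * Same shape as the vulnerable path: trusts the stream and keeps
     * growing the buffer until the server stops sending. Whoever controls
     * the response decides how much heap this consumes.
     */
    static byte[] readUnbounded(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    /**
     * Hardened read. declaredLength is the Content-Length header value
     * (-1 when absent). Two checks are needed: reject an honestly declared
     * oversize body before allocating anything, and, because an on-path
     * attacker can omit or understate Content-Length, also stop as soon as
     * more than maxBytes have actually arrived. Returns null on rejection.
     */
    static byte[] readBounded(InputStream in, long declaredLength, int maxBytes)
            throws IOException {
        if (declaredLength > maxBytes) {
            return null;                       // header says too big: do not read at all
        }
        int initial = declaredLength > 0 ? (int) declaredLength : 8192;
        ByteArrayOutputStream out = new ByteArrayOutputStream(initial);
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            if (out.size() + n > maxBytes) {
                return null;                   // body exceeds what the header promised
            }
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    /**
     * Drop-in for the quoted download body: same structure, with the cap
     * applied and the OutOfMemoryError the advisory observed turned into a
     * failed fetch instead of a process crash.
     */
    static byte[] doDownload(HttpURLConnection connection) throws IOException {
        connection.connect();
        int statusCode = connection.getResponseCode();
        if (statusCode != HttpURLConnection.HTTP_OK) {
            return null;
        }
        try (InputStream in = connection.getInputStream()) {
            return readBounded(in, connection.getContentLength(), MAX_XTRA_BYTES);
        } catch (OutOfMemoryError e) {
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs standing in for server responses.
        byte[] small = new byte[64 * 1024];            // plausible XTRA file
        byte[] huge = new byte[3 * MAX_XTRA_BYTES];    // attacker's oversize file

        System.out.println("honest small file accepted: "
                + (readBounded(new ByteArrayInputStream(small), small.length, MAX_XTRA_BYTES) != null));
        System.out.println("declared oversize rejected before reading: "
                + (readBounded(new ByteArrayInputStream(huge), huge.length, MAX_XTRA_BYTES) == null));
        System.out.println("understated Content-Length rejected while reading: "
                + (readBounded(new ByteArrayInputStream(huge), 1024, MAX_XTRA_BYTES) == null));
        System.out.println("missing Content-Length rejected while reading: "
                + (readBounded(new ByteArrayInputStream(huge), -1, MAX_XTRA_BYTES) == null));
        System.out.println("unbounded read swallows it all: "
                + (readUnbounded(new ByteArrayInputStream(huge)).length == huge.length));
    }
}
```

Run with java BoundedXtraDownload: main() feeds constructed byte arrays through both readers and prints which responses are accepted. The honest small file is accepted, the oversize body is rejected whether its length is declared truthfully, understated or omitted, and the unbounded reader consumes all of it, which is the behaviour that produced the ByteArrayOutputStream.expand OutOfMemoryError in the advisory.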
The attack is\r\nsomewhat mitigated by the fact that the attack file would need to be\r\nas large as the memory on the phone.\r\n \r\nThe vulnerable code resides here \u2013 (GpsXtraDownloader.java, lines 120-127):\r\n \r\nconnection.connect();\r\nint statusCode = connection.getResponseCode();\r\nif (statusCode != HttpURLConnection.HTTP_OK) {\r\n    if (DEBUG) Log.d(TAG, \"HTTP error downloading gps XTRA: \" + statusCode);\r\n    return null;\r\n}\r\nreturn Streams.readFully(connection.getInputStream());\r\n \r\nSpecifically, the affected code uses Streams.readFully to read the\r\nentire file into memory without any check on how big the file\r\nactually is.\r\n \r\nAdditional vulnerable code is also in the C++ layer \u2013\r\n(com_android_server_location_GnssLocationProvider.cpp, lines 856-858):\r\n \r\njbyte* bytes = (jbyte *)env->GetPrimitiveArrayCritical(data, 0);\r\nsGpsXtraInterface->inject_xtra_data((char *)bytes, length);\r\nenv->ReleasePrimitiveArrayCritical(data, bytes, JNI_ABORT);\r\n \r\nOnce again, no size checking is done. We were able to consistently\r\ncrash several different Android phones via a local WiFi network with\r\nthe following error message:\r\n \r\njava.lang.OutOfMemoryError: Failed to allocate a 478173740 byte\r\nallocation with 16777216 free bytes and 252MB until OOM\r\nat java.io.ByteArrayOutputStream.expand(ByteArrayOutputStream.java:91)\r\n \r\n(It should be noted that we were not able to consistently and reliably\r\nachieve a crash in the C++/JNI layer or the Qualcomm modem itself; the\r\ncrash above occurs in the Java heap, before the data reaches the native\r\nlayer.)\r\n \r\nSteps To Replicate (on Ubuntu 16.04)\r\n1. Install DNSMASQ:\r\nsudo apt-get install dnsmasq\r\n \r\n2. Install NGINX:\r\nsudo apt-get install nginx\r\n \r\n3. Modify the /etc/hosts file to add the following entries, mapping the\r\nhostnames to the IP of the local computer (which hostnames a given phone\r\nuses varies by vendor):\r\n192.168.1.x xtra1.gpsonextra.net\r\n192.168.1.x xtra2.gpsonextra.net\r\n192.168.1.x xtra3.gpsonextra.net\r\n192.168.1.x xtrapath1.izatcloud.net\r\n192.168.1.x xtrapath2.izatcloud.net\r\n192.168.1.x xtrapath3.izatcloud.net\r\n \r\n4. Configure /etc/dnsmasq.conf to listen on that IP:\r\nlisten-address=192.168.1.x\r\n \r\n5. Restart DNSMASQ:\r\nsudo /etc/init.d/dnsmasq restart\r\n \r\n6. Use fallocate to create the bin files in \u201c/var/www/html/\u201d:\r\nsudo fallocate -l 2.5G xtra.bin\r\nsudo fallocate -l 2.5G xtra2.bin\r\nsudo fallocate -l 2.5G xtra3.bin\r\n \r\n7. Change the WiFi settings on the Android test phone to a static IP\r\nconfiguration and set DNS to point to \u201c192.168.1.x\u201d. At this point\r\nAndroid will resolve DNS against the local computer and fetch the GPS\r\nfiles from it.\r\n \r\nTo trigger the GPS download, disable and re-enable WiFi, or\r\nenable/disable Airplane mode. Once the phone starts downloading the\r\nfiles, the screen will go black and it will reboot.\r\n \r\nPLEASE NOTE: on some models, the XTRA file is cached and not retrieved\r\non every network connect. For those models, you may need to reboot the\r\nphone and/or follow the injection commands as described here. You can\r\nalso use an app like GPS Status and Toolbox.\r\n \r\nThe fix would be to check for file sizes in both Java and native C++ code.\r\n \r\nMitigation Steps\r\n \r\nFor the Android platform, users should apply the October 2016 Android\r\nsecurity bulletin and any patches provided by Qualcomm. Please note\r\nthat as per Qualcomm, the patches for this bug only include fixes to\r\nthe Android Open Source Project (AOSP) and the Qualcomm Java XTRA\r\ndownloader clients. Apple and Microsoft have indicated to us via email\r\nthat GPS-capable devices manufactured by them including iPad, iPhones,\r\netc.\r\n
and Microsoft Surface and Windows Phone devices are not affected\r\nby this bug. Blackberry devices powered by Android are affected but\r\nthe Blackberry 10 platform is not affected by this bug. For other\r\nplatforms, vendors should follow guidance provided by Qualcomm\r\ndirectly via an OEM bulletin.\r\n \r\nBounty Information\r\n \r\nThis bug has fulfilled the requirements for Google\u2019s Android Security\r\nRewards and a bounty has been paid.\r\n \r\nReferences\r\n \r\nAndroid security bulletin: October 2016\r\nCERT/CC tracking: VR-179\r\nCVE-ID: CVE-2016-5348\r\nGoogle: Android bug # 213747 / AndroidID-29555864\r\n \r\nCVE Information\r\n \r\nAs provided by Qualcomm:\r\n \r\nCVE: CVE-2016-5348\r\nAccess Vector: Network\r\nSecurity Risk: High\r\nVulnerability: CWE-400: Uncontrolled Resource Consumption (\u2018Resource\r\nExhaustion\u2019)\r\nDescription: When downloading a very large assistance data file, the\r\nclient may crash due to out of memory error.\r\nChange summary:\r\n \r\ncheck download size ContentLength before downloading data\r\ncatch OOM exception\r\n \r\nCredits\r\n \r\nWe would like to thank CERT/CC for helping to coordinate this process,\r\nand all of the vendors involved for helpful comments and a quick\r\nturnaround. 
This bug was discovered by Yakov Shafranovich, and the\r\nadvisory was also written by Yakov Shafranovich.\r\n \r\nTimeline\r\n \r\n2016-06-20: Android bug report filed with Google\r\n2016-06-21: Android bug confirmed\r\n2016-06-21: Bug also reported to Qualcomm and CERT.\r\n2016-09-14: Coordination with Qualcomm on public disclosure\r\n2016-09-15: Coordination with Google on public disclosure\r\n2016-10-03: Android security bulletin released with fix\r\n2016-10-04: Public disclosure\n\n# 0day.today [2018-01-26] #", "sourceHref": "https://0day.today/exploit/25493", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "f5": [{"lastseen": "2020-04-06T22:40:51", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-09-06T02:48:00", "type": "f5", "title": "Linux kernel vulnerability CVE-2016-5343", "bulletinFamily": 
"software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5343"], "modified": "2018-09-06T02:48:00", "id": "F5:K50462644", "href": "https://support.f5.com/csp/article/K50462644", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-06-08T18:49:09", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users. 
For more information for the BIG-IP system, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x) and SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.5}, "published": "2016-08-26T00:00:00", "type": "f5", "title": "SOL46514822 - Linux TCP stack vulnerability CVE-2016-5696", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2016-11-10T00:00:00", "id": "SOL46514822", "href": "http://support.f5.com/kb/en-us/solutions/public/k/46/sol46514822.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-20T21:07:46", "description": "\nF5 Product Development has assigned ID 610107 (BIG-IP), ID 461496 (ARX), and INSTALLER-2561 (Traffix SDC) to this 
vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Medium| Linux kernel \nBIG-IP AAM| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1| Medium| Linux kernel \nBIG-IP AFM| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1| Medium| Linux kernel \nBIG-IP Analytics| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1 \n11.2.1| Medium| Linux kernel \nBIG-IP APM| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Medium| Linux kernel \nBIG-IP ASM| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Medium| Linux kernel \nBIG-IP DNS| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2| Medium| Linux kernel \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Medium| Linux kernel \nBIG-IP PEM| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1| Medium| Linux kernel \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.6.0 - 11.6.1| Medium| Linux kernel \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 
4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| 5.0.0 \n4.0.0 - 4.4.0| None| Low| Linux kernel\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users. For more information for the BIG-IP system, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 
4.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.5}, "published": "2016-08-26T20:35:00", "type": "f5", "title": "Linux TCP stack vulnerability CVE-2016-5696", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2017-03-14T00:54:00", "id": "F5:K46514822", "href": "https://support.f5.com/csp/article/K46514822", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-06-08T00:16:23", "description": "\nF5 Product Development has assigned IDs 624722 and 624723 (BIG-IP), ID 625297 (BIG-IQ), and ID 461496 (ARX) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 
\n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.1| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1| Not vulnerable \n\n| None \nARX| 6.2.0 - 6.4.0| None| Medium| Linux kernel \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable | None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable | None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable | None \nF5 iWorkflow| None| 2.0.0 - 2.0.1| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-08T19:37:00", "type": "f5", "title": "Linux kernel vulnerability CVE-2016-7117", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7117"], "modified": "2016-11-08T19:37:00", "id": "F5:K51201255", "href": "https://support.f5.com/csp/article/K51201255", 
"cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:18", "description": "\nGoogle Android - gpsOneXtra Data Files Denial of Service", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-10-11T00:00:00", "title": "Google Android - gpsOneXtra Data Files Denial of Service", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5348"], "modified": "2016-10-11T00:00:00", "id": "EXPLOITPACK:BDA3BE89ABA249CC2063AB3F4175FC49", "href": "", "sourceData": "Original at:\nhttps://wwws.nightwatchcybersecurity.com/2016/10/04/advisory-cve-2016-5348-2/\n\nSummary\n\nAndroid devices can be crashed remotely forcing a halt and then a soft\nreboot by a MITM attacker manipulating assisted GPS/GNSS data provided\nby Qualcomm. This issue affects the open source code in AOSP and\nproprietary code in a Java XTRA downloader provided by Qualcomm. The\nAndroid issue was fixed in the October 2016 Android bulletin.\nAdditional patches have been issued by Qualcomm to the proprietary\nclient in September of 2016. 
This issue may also affect other\nplatforms that use Qualcomm GPS chipsets and consume these files but\nthat has not been tested by us, and requires further research.\n\nBackground \u2013 GPS and gpsOneXtra\n\nMost mobile devices today include ability to locate themselves on the\nEarth\u2019s surface by using the Global Positioning System (GPS), a system\noriginally developed and currently maintained by the US military.\nSimilar systems developed and maintained by other countries exist as\nwell including Russia\u2019s GLONASS, Europe\u2019s Galileo, and China\u2019s Beidou.\nThe GPS signals include an almanac which lists orbit and status\ninformation for each of the satellites in the GPS constellation. This\nallows the receivers to acquire the satellites quicker since the\nreceiver would not need to search blindly for the location of each\nsatellite. Similar functionality exists for other GNSS systems. In\norder to solve the problem of almanac acquisition, Qualcomm developed\nthe gpsOneXtra system in 2007 (also known as IZat XTRA Assistance\nsince 2013). This system provides ability to GPS receivers to download\nthe almanac data over the Internet from Qualcomm-operated servers. The\nformat of these XTRA files is proprietary but seems to contain current\nsatellite location data plus estimated locations for the next 7 days,\nas well as additional information to improve signal acquisition. Most\nQualcomm mobile chipsets and GPS chips include support for this\ntechnology. A related Qualcomm technology called IZat adds ability to\nuse WiFi and cellular networks for locations in addition to GPS.\n\nBackground \u2013 Android and gpsOneXtra Data Files\n\nDuring our network monitoring of traffic originating from an Android\ntest device, we discovered that the device makes periodic calls to the\nQualcomm servers to retrieve gpsOneXtra assistance files. These\nrequests were performed almost every time the device connected to a\nWiFi network. 
As discovered by our research and confirmed by the\nAndroid source code, the following URLs were used:\n\nhttp://xtra1.gpsonextra.net/xtra.bin\nhttp://xtra2.gpsonextra.net/xtra.bin\nhttp://xtra3.gpsonextra.net/xtra.bin\n\nhttp://xtrapath1.izatcloud.net/xtra2.bin\nhttp://xtrapath2.izatcloud.net/xtra2.bin\nhttp://xtrapath3.izatcloud.net/xtra2.bin\n\nWHOIS records show that both domains \u2013 gpsonextra.net and izatcloud.net\nare owned by Qualcomm. Further inspection of those URLs indicates that\nboth domains are being hosted and served from Amazon\u2019s Cloudfront CDN\nservice (with the exception of xtra1.gpsonextra.net which is being\nserved directly by Qualcomm). On the Android platform, our inspection\nof the Android source code shows that the file is requested by an\nOS-level Java process (GpsXtraDownloader.java), which passes the data\nto a C++ JNI class\n(com_android_server_location_GnssLocationProvider.cpp), which then\ninjects the files into the Qualcomm modem or firmware. We have not\ninspected other platforms in detail, but suspect that a similar\nprocess is used. Our testing was performed on Android v6.0, patch\nlevel of January 2016, on a Motorola Moto G (2nd gen) GSM phone, and\nconfirmed on a Nexus 6P running Android v6.01, with May 2016 security\npatches. Qualcomm has additionally performed testing on their\nproprietary Java XTRA downloader client confirming this vulnerability.\n\nVulnerability Details\n\nThe Android platform downloads XTRA data files automatically when\nconnecting to a new network. This originates from a Java class\n(GpsXtraDownloader.java), which then passes the file to a C++/JNI\nclass (com_android_server_location_GnssLocationProvider.cpp) and then\ninjects it into the Qualcomm modem.\n\nThe vulnerability is that both the Java and the C++ code do not check\nhow large the data file actually is. 
If a file is served that is\nlarger than the memory available on the device, this results in all\nmemory being exhausted and the phone halting and then soft rebooting.\nThe soft reboot was sufficient to recover from the crash and no data\nwas lost. While we have not been able to achieve remote code execution\nin either the Qualcomm modem or in the Android OS, this code path can\npotentially be exploited for such attacks and would require more\nresearch.\n\nTo attack, an MITM attacker located anywhere on the network between\nthe phone being attacked and Qualcomm\u2019s servers can initiate this\nattack by intercepting the legitimate requests from the phone, and\nsubstituting their own, larger files. Because the default Chrome\nbrowser on Android reveals the model and build of the phone (as we\nhave written about earlier), it would be possible to derive the\nmaximum memory size from that information and deliver the\nappropriately sized attack file. Possible attackers can be hostile\nhotspots, hacked routers, or anywhere along the backbone. 
This is\nsomewhat mitigated by the fact that the attack file would need to be\nas large as the memory on the phone.\n\nThe vulnerable code resides here \u2013 (GpsXtraDownloader.java, lines 120-127):\n\nconnection.connect();\nint statusCode = connection.getResponseCode();\nif (statusCode != HttpURLConnection.HTTP_OK) {\nif (DEBUG) Log.d(TAG, \"HTTP error downloading gps XTRA: \" + statusCode);\nreturn null;\n}\nreturn Streams.readFully(connection.getInputStream());\n\nSpecifically, the affected code is using Streams.readFully to read the\nentire file into memory without any kind of checks on how big the file\nactually is.\n\nAdditional vulnerable code is also in the C++ layer \u2013\n(com_android_server_location_GnssLocationProvider.cpp, lines 856-858):\n\njbyte* bytes = (jbyte *)env->GetPrimitiveArrayCritical(data, 0);\nsGpsXtraInterface->inject_xtra_data((char *)bytes, length);\nenv->ReleasePrimitiveArrayCritical(data, bytes, JNI_ABORT);\n\nOnce again, no size checking is done. We were able to consistently\ncrash several different Android phones via a local WiFi network with\nthe following error message:\n\njava.lang.OutOfMemoryError: Failed to allocate a 478173740 byte\nallocation with 16777216 free bytes and 252MB until OOM\nat java.io.ByteArrayOutputStream.expand(ByteArrayOutputStream.java:91)\n\n(It should be noted that we were not able to consistently and reliably\nachieve a crash in the C++/JNI layer or the Qualcomm modem itself)\n\nSteps To Replicate (on Ubuntu 16.04)\n1. Install DNSMASQ:\nsudo apt-get install dnsmasq\n\n2. Install NGINX:\nsudo apt-get install nginx\n\n3. Modify the /etc/hosts file to add the following entries to map to\nthe IP of the local computer (varies by vendor of the phone):\n192.168.1.x xtra1.gpsonextra.net\n192.168.1.x xtra2.gpsonextra.net\n192.168.1.x xtra3.gpsonextra.net\n192.168.1.x xtrapath1.izatcloud.net\n192.168.1.x xtrapath2.izatcloud.net\n192.168.1.x xtrapath3.izatcloud.net\n\n4. 
Configure /etc/dnsmasq.conf file to listen on the IP:\nlisten-address=192.168.1.x\n\n5. Restart DNSMASQ:\nsudo /etc/init.d/dnsmasq restart\n\n6. Use fallocate to create the bin files in \u201c/var/www/html/\u201d\nsudo fallocate -s 2.5G xtra.bin\nsudo fallocate -s 2.5G xtra2.bin\nsudo fallocate -s 2.5G xtra3.bin\n\n7. Modify the settings on the Android test phone to static, set DNS to\npoint to \u201c192.168.1.x\u201d. AT THIS POINT \u2013 Android will resolve DNS\nagainst the local computer, and serve the GPS files from it.\n\nTo trigger the GPS download, disable WiFi and enable Wifi, or\nenable/disable Airplane mode. Once the phone starts downloading the\nfiles, the screen will go black and it will reboot.\n\nPLEASE NOTE: on some models, the XTRA file is cached and not retrieved\non every network connect. For those models, you may need to reboot the\nphone and/or follow the injection commands as described here. You can\nalso use an app like GPS Status and Toolbox.\n\nThe fix would be to check for file sizes in both Java and native C++ code.\n\nMitigation Steps\n\nFor the Android platform, users should apply the October 2016 Android\nsecurity bulletin and any patches provided by Qualcomm. Please note\nthat as per Qualcomm, the patches for this bug only include fixes to\nthe Android Open Source Project (AOSP) and the Qualcomm Java XTRA\ndownloader clients. Apple and Microsoft have indicated to us via email\nthat GPS-capable devices manufactured by them including iPad, iPhones,\netc. and Microsoft Surface and Windows Phone devices are not affected\nby this bug. Blackberry devices powered by Android are affected but\nthe Blackberry 10 platform is not affected by this bug. 
For other\nplatforms, vendors should follow guidance provided by Qualcomm\ndirectly via an OEM bulletin.\n\nBounty Information\n\nThis bug has fulfilled the requirements for Google\u2019s Android Security\nRewards and a bounty has been paid.\n\nReferences\n\nAndroid security bulletin: October 2016\nCERT/CC tracking: VR-179\nCVE-ID: CVE-2016-5348\nGoogle: Android bug # 213747 / AndroidID-29555864\n\nCVE Information\n\nAs provided by Qualcomm:\n\nCVE: CVE-2016-5348\nAccess Vector: Network\nSecurity Risk: High\nVulnerability: CWE-400: Uncontrolled Resource Consumption (\u2018Resource\nExhaustion\u2019)\nDescription: When downloading a very large assistance data file, the\nclient may crash due to out of memory error.\nChange summary:\n\ncheck download size ContentLength before downloading data\ncatch OOM exception\n\nCredits\n\nWe would like to thank CERT/CC for helping to coordinate this process,\nand all of the vendors involved for helpful comments and a quick\nturnaround. This bug was discovered by Yakov Shafranovich, and the\nadvisory was also written by Yakov Shafranovich.\n\nTimeline\n\n201606-20: Android bug report filed with Google\n2016-06-21: Android bug confirmed\n2016-06-21: Bug also reported to Qualcomm and CERT.\n2016-09-14: Coordination with Qualcomm on public disclosure\n2016-09-15: Coordination with Google on public disclosure\n2016-10-03: Android security bulletin released with fix\n2016-10-04: Public disclosure", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:23:21", "description": "", "cvss3": {}, "published": "2016-10-10T00:00:00", "type": "packetstorm", "title": "Android Qualcomm GPS/GNSS Man-In-The-Middle", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-5348"], "modified": "2016-10-10T00:00:00", "id": "PACKETSTORM:139033", "href": "https://packetstormsecurity.com/files/139033/Android-Qualcomm-GPS-GNSS-Man-In-The-Middle.html", "sourceData": "`Original at: 
\nhttps://wwws.nightwatchcybersecurity.com/2016/10/04/advisory-cve-2016-5348-2/ \n \nSummary \n \nAndroid devices can be crashed remotely forcing a halt and then a soft \nreboot by a MITM attacker manipulating assisted GPS/GNSS data provided \nby Qualcomm. This issue affects the open source code in AOSP and \nproprietary code in a Java XTRA downloader provided by Qualcomm. The \nAndroid issue was fixed in the October 2016 Android bulletin. \nAdditional patches have been issued by Qualcomm to the proprietary \nclient in September of 2016. This issue may also affect other \nplatforms that use Qualcomm GPS chipsets and consume these files but \nthat has not been tested by us, and requires further research. \n \nBackground \u2013 GPS and gpsOneXtra \n \nMost mobile devices today include ability to locate themselves on the \nEarth\u2019s surface by using the Global Positioning System (GPS), a system \noriginally developed and currently maintained by the US military. \nSimilar systems developed and maintained by other countries exist as \nwell including Russia\u2019s GLONASS, Europe\u2019s Galileo, and China\u2019s Beidou. \nThe GPS signals include an almanac which lists orbit and status \ninformation for each of the satellites in the GPS constellation. This \nallows the receivers to acquire the satellites quicker since the \nreceiver would not need to search blindly for the location of each \nsatellite. Similar functionality exists for other GNSS systems. In \norder to solve the problem of almanac acquisition, Qualcomm developed \nthe gpsOneXtra system in 2007 (also known as IZat XTRA Assistance \nsince 2013). This system provides ability to GPS receivers to download \nthe almanac data over the Internet from Qualcomm-operated servers. The \nformat of these XTRA files is proprietary but seems to contain current \nsatellite location data plus estimated locations for the next 7 days, \nas well as additional information to improve signal acquisition. 
Most \nQualcomm mobile chipsets and GPS chips include support for this \ntechnology. A related Qualcomm technology called IZat adds ability to \nuse WiFi and cellular networks for locations in addition to GPS. \n \nBackground \u2013 Android and gpsOneXtra Data Files \n \nDuring our network monitoring of traffic originating from an Android \ntest device, we discovered that the device makes periodic calls to the \nQualcomm servers to retrieve gpsOneXtra assistance files. These \nrequests were performed almost every time the device connected to a \nWiFi network. As discovered by our research and confirmed by the \nAndroid source code, the following URLs were used: \n \nhttp://xtra1.gpsonextra.net/xtra.bin \nhttp://xtra2.gpsonextra.net/xtra.bin \nhttp://xtra3.gpsonextra.net/xtra.bin \n \nhttp://xtrapath1.izatcloud.net/xtra2.bin \nhttp://xtrapath2.izatcloud.net/xtra2.bin \nhttp://xtrapath3.izatcloud.net/xtra2.bin \n \nWHOIS records show that both domains \u2013 gpsonextra.net and izatcloud.net \nare owned by Qualcomm. Further inspection of those URLs indicates that \nboth domains are being hosted and served from Amazon\u2019s Cloudfront CDN \nservice (with the exception of xtra1.gpsonextra.net which is being \nserved directly by Qualcomm). On the Android platform, our inspection \nof the Android source code shows that the file is requested by an \nOS-level Java process (GpsXtraDownloader.java), which passes the data \nto a C++ JNI class \n(com_android_server_location_GnssLocationProvider.cpp), which then \ninjects the files into the Qualcomm modem or firmware. We have not \ninspected other platforms in detail, but suspect that a similar \nprocess is used. Our testing was performed on Android v6.0, patch \nlevel of January 2016, on a Motorola Moto G (2nd gen) GSM phone, and \nconfirmed on a Nexus 6P running Android v6.01, with May 2016 security \npatches. Qualcomm has additionally performed testing on their \nproprietary Java XTRA downloader client confirming this vulnerability. 
\n \nVulnerability Details \n \nThe Android platform downloads XTRA data files automatically when \nconnecting to a new network. This originates from a Java class \n(GpsXtraDownloader.java), which then passes the file to a C++/JNI \nclass (com_android_server_location_GnssLocationProvider.cpp) and then \ninjects it into the Qualcomm modem. \n \nThe vulnerability is that both the Java and the C++ code do not check \nhow large the data file actually is. If a file is served that is \nlarger than the memory available on the device, this results in all \nmemory being exhausted and the phone halting and then soft rebooting. \nThe soft reboot was sufficient to recover from the crash and no data \nwas lost. While we have not been able to achieve remote code execution \nin either the Qualcomm modem or in the Android OS, this code path can \npotentially be exploited for such attacks and would require more \nresearch. \n \nTo attack, an MITM attacker located anywhere on the network between \nthe phone being attacked and Qualcomm\u2019s servers can initiate this \nattack by intercepting the legitimate requests from the phone, and \nsubstituting their own, larger files. Because the default Chrome \nbrowser on Android reveals the model and build of the phone (as we \nhave written about earlier), it would be possible to derive the \nmaximum memory size from that information and deliver the \nappropriately sized attack file. Possible attackers can be hostile \nhotspots, hacked routers, or anywhere along the backbone. This is \nsomewhat mitigated by the fact that the attack file would need to be \nas large as the memory on the phone. 
\n \nThe vulnerable code resides here \u2013 (GpsXtraDownloader.java, lines 120-127): \n \nconnection.connect(); \nint statusCode = connection.getResponseCode(); \nif (statusCode != HttpURLConnection.HTTP_OK) { \nif (DEBUG) Log.d(TAG, \"HTTP error downloading gps XTRA: \" + statusCode); \nreturn null; \n} \nreturn Streams.readFully(connection.getInputStream()); \n \nSpecifically, the affected code is using Streams.readFully to read the \nentire file into memory without any kind of checks on how big the file \nactually is. \n \nAdditional vulnerable code is also in the C++ layer \u2013 \n(com_android_server_location_GnssLocationProvider.cpp, lines 856-858): \n \njbyte* bytes = (jbyte *)env->GetPrimitiveArrayCritical(data, 0); \nsGpsXtraInterface->inject_xtra_data((char *)bytes, length); \nenv->ReleasePrimitiveArrayCritical(data, bytes, JNI_ABORT); \n \nOnce again, no size checking is done. We were able to consistently \ncrash several different Android phones via a local WiFi network with \nthe following error message: \n \njava.lang.OutOfMemoryError: Failed to allocate a 478173740 byte \nallocation with 16777216 free bytes and 252MB until OOM \nat java.io.ByteArrayOutputStream.expand(ByteArrayOutputStream.java:91) \n \n(It should be noted that we were not able to consistently and reliably \nachieve a crash in the C++/JNI layer or the Qualcomm modem itself) \n \nSteps To Replicate (on Ubuntu 16.04) \n1. Install DNSMASQ: \nsudo apt-get install dnsmasq \n \n2. Install NGINX: \nsudo apt-get install nginx \n \n3. Modify the /etc/hosts file to add the following entries to map to \nthe IP of the local computer (varies by vendor of the phone): \n192.168.1.x xtra1.gpsonextra.net \n192.168.1.x xtra2.gpsonextra.net \n192.168.1.x xtra3.gpsonextra.net \n192.168.1.x xtrapath1.izatcloud.net \n192.168.1.x xtrapath2.izatcloud.net \n192.168.1.x xtrapath3.izatcloud.net \n \n4. Configure /etc/dnsmasq.conf file to listen on the IP: \nlisten-address=192.168.1.x \n \n5. 
Restart DNSMASQ: \nsudo /etc/init.d/dnsmasq restart \n \n6. Use fallocate to create the bin files in \u201c/var/www/html/\u201d \nsudo fallocate -s 2.5G xtra.bin \nsudo fallocate -s 2.5G xtra2.bin \nsudo fallocate -s 2.5G xtra3.bin \n \n7. Modify the settings on the Android test phone to static, set DNS to \npoint to \u201c192.168.1.x\u201d. AT THIS POINT \u2013 Android will resolve DNS \nagainst the local computer, and serve the GPS files from it. \n \nTo trigger the GPS download, disable WiFi and enable Wifi, or \nenable/disable Airplane mode. Once the phone starts downloading the \nfiles, the screen will go black and it will reboot. \n \nPLEASE NOTE: on some models, the XTRA file is cached and not retrieved \non every network connect. For those models, you may need to reboot the \nphone and/or follow the injection commands as described here. You can \nalso use an app like GPS Status and Toolbox. \n \nThe fix would be to check for file sizes in both Java and native C++ code. \n \nMitigation Steps \n \nFor the Android platform, users should apply the October 2016 Android \nsecurity bulletin and any patches provided by Qualcomm. Please note \nthat as per Qualcomm, the patches for this bug only include fixes to \nthe Android Open Source Project (AOSP) and the Qualcomm Java XTRA \ndownloader clients. Apple and Microsoft have indicated to us via email \nthat GPS-capable devices manufactured by them including iPad, iPhones, \netc. and Microsoft Surface and Windows Phone devices are not affected \nby this bug. Blackberry devices powered by Android are affected but \nthe Blackberry 10 platform is not affected by this bug. For other \nplatforms, vendors should follow guidance provided by Qualcomm \ndirectly via an OEM bulletin. \n \nBounty Information \n \nThis bug has fulfilled the requirements for Google\u2019s Android Security \nRewards and a bounty has been paid. 
\n \nReferences \n \nAndroid security bulletin: October 2016 \nCERT/CC tracking: VR-179 \nCVE-ID: CVE-2016-5348 \nGoogle: Android bug # 213747 / AndroidID-29555864 \n \nCVE Information \n \nAs provided by Qualcomm: \n \nCVE: CVE-2016-5348 \nAccess Vector: Network \nSecurity Risk: High \nVulnerability: CWE-400: Uncontrolled Resource Consumption (\u2018Resource \nExhaustion\u2019) \nDescription: When downloading a very large assistance data file, the \nclient may crash due to out of memory error. \nChange summary: \n \ncheck download size ContentLength before downloading data \ncatch OOM exception \n \nCredits \n \nWe would like to thank CERT/CC for helping to coordinate this process, \nand all of the vendors involved for helpful comments and a quick \nturnaround. This bug was discovered by Yakov Shafranovich, and the \nadvisory was also written by Yakov Shafranovich. \n \nTimeline \n \n201606-20: Android bug report filed with Google \n2016-06-21: Android bug confirmed \n2016-06-21: Bug also reported to Qualcomm and CERT. \n2016-09-14: Coordination with Qualcomm on public disclosure \n2016-09-15: Coordination with Google on public disclosure \n2016-10-03: Android security bulletin released with fix \n2016-10-04: Public disclosure \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/139033/androidgps-dos.txt", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "huawei": [{"lastseen": "2021-12-30T12:27:35", "description": "Two information leak vulnerabilities exist in the ION memory management module of some Huawei mobile phones due to the lack of initialization during memory allocation. (Vulnerability ID: HWPSIRT-2016-09032 and HWPSIRT-2016-09033) \n\nThese two vulnerabilities have been assigned CVE ID: CVE-2016-8757 and CVE-2015-8950.\n\nHuawei has released software updates to fix these vulnerabilities. 
This advisory is available at the following link:\n\n[http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161026-02-smartphone-en](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161026-02-smartphone-en>)\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-10-26T00:00:00", "type": "huawei", "title": "Security Advisory - Two Information Leak Vulnerabilities in ION Memory Management Module of Huawei Smart Phone", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8950", "CVE-2016-8757"], "modified": "2016-10-26T00:00:00", "id": "HUAWEI-SA-20161026-02-SMARTPHONE", "href": "https://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161026-02-smartphone-en", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-12-30T12:27:19", "description": "There is a vulnerability in the implementation of the RFC 5961, due to the improper determination of the rate of challenge ACK responses by the global rate limit feature. 
Successful exploit could allow an unauthenticated, remote attacker to reset or hijack TCP connections between two systems, resulting in a DoS condition. (Vulnerability ID: HWPSIRT-2016-08060)\n\nThis vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-5696.\n\nHuawei has released software updates to fix this vulnerability. This advisory is available at the following link: \n\n<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160907-01-tcp-en>\n", "edition": 1, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.5}, "published": "2016-09-07T00:00:00", "type": "huawei", "title": "Security Advisory - TCP Connection Hijack Vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2017-07-05T00:00:00", "id": "HUAWEI-SA-20160907-01-TCP", "href": "https://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-01-tcp-en", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-12-30T12:27:26", "description": "The Security Bulletin describes an E-mail Information Leak Vulnerability in Android System discovered by Google 
(CVE-2016-3918). An attacker tricks a user into installing a malicious application on the smart phone, then sends a given parameter to the smart phone to obtain information from the email. (Vulnerability ID: HWPSIRT-2016-10020)\n\nThis vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-3918.\n\nHuawei has released software updates to fix this vulnerability. This advisory is available at the following link: <http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161214-01-smartphone-en>\n", "edition": 1, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-12-14T00:00:00", "type": "huawei", "title": "Security Advisory - E-mail Information Leak Vulnerability in Android System", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3918"], "modified": "2017-03-01T00:00:00", "id": "HUAWEI-SA-20161214-01-SMARTPHONE", "href": "https://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-01-smartphone-en", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "centos": [{"lastseen": "2023-01-01T04:42:49", "description": "**CentOS Errata and Security Advisory** 
CESA-2016:1633\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented \nin the Linux kernel's networking subsystem allowed an off-path attacker to \nleak certain information about a given connection by creating congestion on \nthe global challenge ACK rate limit counter and then measuring the changes \nby probing packets. An off-path attacker could use this flaw to either \nterminate TCP connection and/or inject payload into non-secured TCP \nconnection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the CS department of University of California, Riverside, for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-announce/2016-August/071515.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2016:1633", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.8, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2016-08-20T02:00:21", "type": "centos", "title": "kernel, perf, python security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2016-08-20T02:00:21", "id": "CESA-2016:1633", "href": "https://lists.centos.org/pipermail/centos-announce/2016-August/071515.html", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-01-01T04:42:49", "description": "**CentOS Errata and Security Advisory** CESA-2016:1664\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS department of University of California in Riverside) for reporting this issue.\n\nBug Fix(es):\n\n* When loading the Direct Rendering Manager (DRM) kernel module, the kernel panicked if DRM was previously unloaded. The kernel panic was caused by a memory leak of the ID Resolver (IDR2). With this update, IDR2 is loaded during kernel boot, and the kernel panic no longer occurs in the described scenario. (BZ#1353827)\n\n* When more than one process attempted to use the \"configfs\" directory entry at the same time, a kernel panic in some cases occurred. With this update, a race condition between a directory entry and a lookup operation has been fixed. 
As a result, the kernel no longer panics in the described scenario. (BZ#1353828)\n\n* When shutting down the system by running the halt -p command, a kernel panic occurred due to a conflict between the kernel offlining CPUs and the sched command, which used the sched group and the sched domain data without first checking the data. The underlying source code has been fixed by adding a check to avoid the conflict. As a result, the described scenario no longer results in a kernel panic. (BZ#1343894)\n\n* In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1355980)\n\n* Previously, multiple Very Secure FTP daemon (vsftpd) processes on a directory with a large number of files led to a high contention rate on each inode's spinlock, which caused excessive CPU usage. With this update, a spinlock to protect a single memory-to-memory copy has been removed from the ext4_getattr() function. As a result, system CPU usage has been reduced and is no longer excessive in the described situation. (BZ#1355981)\n\n* When the gfs2_grow utility is used to extend Global File System 2 (GFS2), the next block allocation causes the GFS2 kernel module to re-read its resource group index. If multiple processes in the GFS2 module raced to do the same thing, one process sometimes overwrote a valid object pointer with an invalid pointer, which caused either a kernel panic or a file system corruption. This update ensures that the resource group object pointer is not overwritten. As a result, neither kernel panic nor file system corruption occur in the described scenario. (BZ#1347539)\n\n* Previously, the SCSI Remote Protocol over InfiniBand (IB-SRP) was disabled due to a bug in the srp_queue() function. As a consequence, an attempt to enable the Remote Direct Memory Access (RDMA) at boot caused the kernel to crash. 
With this update, srp_queue() has been fixed, and the system now boots as expected when RDMA is enabled. (BZ#1348062)\n\nEnhancement(s):\n\n* This update optimizes the efficiency of the Transmission Control Protocol (TCP) when the peer is using a window under 537 bytes in size. As a result, devices that use maximum segment size (MSS) of 536 bytes or fewer will experience improved network performance. (BZ#1354446)\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-announce/2016-August/071528.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-firmware\nkernel-headers\nperf\npython-perf\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2016:1664", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.8, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2016-08-23T20:59:58", "type": "centos", "title": "kernel, perf, python security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2016-08-23T20:59:58", "id": "CESA-2016:1664", "href": "https://lists.centos.org/pipermail/centos-announce/2016-August/071528.html", "cvss": 
{"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-01-19T18:21:25", "description": "**CentOS Errata and Security Advisory** CESA-2016:2962\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating\nsystem.\n\nSecurity Fix(es):\n\n* A use-after-free vulnerability was found in the kernels socket recvmmsg\nsubsystem. This may allows remote attackers to corrupt memory and may allow\nexecution of arbitrary code. This corruption takes place during the error\nhandling routines within __sys_recvmmsg() function. (CVE-2016-7117, Important)\n\nBug Fix(es):\n\n* Previously, guest virtual machines (VMs) on a Hyper-V server cluster got in\nsome cases rebooted during the graceful node failover test, because the host\nkept sending heartbeat packets independently of guests responding to them. This\nupdate fixes the bug by properly responding to all the heartbeat messages in the\nqueue, even if they are pending. As a result, guest VMs no longer get rebooted\nunder the described circumstances. 
(BZ#1391167)\n\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-announce/2016-December/071657.html\n\n**Affected packages:**\nkernel\nkernel-PAE\nkernel-PAE-devel\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-xen\nkernel-xen-devel\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2016:2962", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-12-20T17:00:55", "type": "centos", "title": "kernel security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7117"], "modified": "2016-12-20T17:00:55", "id": "CESA-2016:2962", "href": "https://lists.centos.org/pipermail/centos-announce/2016-December/071657.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:35:42", "description": "Check the version of kernel", "cvss3": {}, "published": "2016-08-25T00:00:00", "type": "openvas", "title": "CentOS Update for kernel CESA-2016:1664 centos6", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2019-03-08T00:00:00", "id": 
"OPENVAS:1361412562310882547", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882547", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2016:1664 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882547\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-25 05:40:20 +0200 (Thu, 25 Aug 2016)\");\n script_cve_id(\"CVE-2016-5696\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2016:1664 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages 
contain the Linux\nkernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented\nin the Linux kernel's networking subsystem allowed an off-path attacker to\nleak certain information about a given connection by creating congestion on\nthe global challenge ACK rate limit counter and then measuring the changes\nby probing packets. An off-path attacker could use this flaw to either\nterminate TCP connection and/or inject payload into non-secured TCP\nconnection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS\ndepartment of University of California in Riverside) for reporting this\nissue.\n\nBug Fix(es):\n\n * When loading the Direct Rendering Manager (DRM) kernel module, the kernel\npanicked if DRM was previously unloaded. The kernel panic was caused by a\nmemory leak of the ID Resolver (IDR2). With this update, IDR2 is loaded\nduring kernel boot, and the kernel panic no longer occurs in the described\nscenario. (BZ#1353827)\n\n * When more than one process attempted to use the 'configfs' directory\nentry at the same time, a kernel panic in some cases occurred. With this\nupdate, a race condition between a directory entry and a lookup operation\nhas been fixed. As a result, the kernel no longer panics in the described\nscenario. (BZ#1353828)\n\n * When shutting down the system by running the halt -p command, a kernel\npanic occurred due to a conflict between the kernel offlining CPUs and the\nsched command, which used the sched group and the sched domain data without\nfirst checking the data. The underlying source code has been fixed by\nadding a check to avoid the conflict. As a result, the described scenario\nno longer results in a kernel panic. (BZ#1343894)\n\n * In some cases, running the ipmitool command caused a kernel panic due to\na race condition in the ipmi message handler. 
This update fixes the race\ncondition, and the kernel panic no longer occurs in the described scenario.\n(BZ#1355980)\n\n * Previously, multiple Very Secure FTP daemon (vsftpd) processes on a\ndirectory with a large number of files led to a high contention rate on\neach inode's spinlock, which caused excessive CPU usage. With this update,\na spinlock to protect a single memory-to-memory copy has been removed from\nthe ext4_getattr() function. As a result, system CPU usage has been reduced\nand is no longer excessive in the described situation. (BZ#1355981)\n\n * When the gfs2_grow utility is used to extend Global File System 2 (GFS2),\nthe next block allocation causes the GFS2 kernel modu ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:1664\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-August/022053.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~642.4.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~2.6.32~642.4.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if 
((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~642.4.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~642.4.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~642.4.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~642.4.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-firmware\", rpm:\"kernel-firmware~2.6.32~642.4.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~642.4.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~642.4.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~2.6.32~642.4.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:17", "description": "Sophos XG Firewall is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2016-12-16T00:00:00", "type": "openvas", "title": "Sophos XG Firewall Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2018-11-15T00:00:00", "id": "OPENVAS:1361412562310106477", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106477", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# 
$Id: gb_sophos_xg_mult_vuln.nasl 12363 2018-11-15 09:51:15Z asteins $\n#\n# Sophos XG Firewall Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:sophos:xg';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106477\");\n script_version(\"$Revision: 12363 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-15 10:51:15 +0100 (Thu, 15 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-16 17:02:59 +0700 (Fri, 16 Dec 2016)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n\n script_cve_id(\"CVE-2016-5696\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Sophos XG Firewall Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_sophos_xg_detect.nasl\", 
\"gb_sophos_xg_detect_userportal.nasl\");\n script_mandatory_keys(\"sophos/xg/installed\");\n\n script_tag(name:\"summary\", value:\"Sophos XG Firewall is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Sophos XG Firewall is prone to multiple vulnerabilities:\n\n - Linux Kernel vulnerability (CVE-2016-5696)\n\n - SQL Injection vulnerability in User Portal\");\n\n script_tag(name:\"affected\", value:\"Sophos XG Firewall before version 16.01.0\");\n\n script_tag(name:\"solution\", value:\"Update to version 16.01.0 or later.\");\n\n script_xref(name:\"URL\", value:\"https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-01-0-released-1523397409\");\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-16-671/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"16.01.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"16.01.0\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:12", "description": "Check the version of kernel", "cvss3": {}, "published": "2016-08-20T00:00:00", "type": "openvas", "title": "CentOS Update for kernel CESA-2016:1633 centos7", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2019-03-08T00:00:00", "id": "OPENVAS:1361412562310882546", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882546", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2016:1633 centos7\n#\n# Authors:\n# System Generated 
Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882546\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-20 05:36:42 +0200 (Sat, 20 Aug 2016)\");\n script_cve_id(\"CVE-2016-5696\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2016:1633 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented\nin the Linux kernel's networking subsystem allowed an off-path attacker to\nleak certain information about a given connection by creating congestion on\nthe global 
challenge ACK rate limit counter and then measuring the changes\nby probing packets. An off-path attacker could use this flaw to either\nterminate TCP connection and/or inject payload into non-secured TCP\nconnection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the CS\ndepartment of University of California, Riverside, for reporting this\nissue.\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:1633\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-August/022040.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.28.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~327.28.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.28.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.28.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res 
= isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.28.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~327.28.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.28.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.28.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.28.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~3.10.0~327.28.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.28.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.28.3.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:52", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-08-24T00:00:00", "type": "openvas", "title": "RedHat Update for kernel RHSA-2016:1664-01", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2018-11-23T00:00:00", "id": "OPENVAS:1361412562310871655", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871655", "sourceData": "###############################################################################\n# OpenVAS Vulnerability 
Test\n#\n# RedHat Update for kernel RHSA-2016:1664-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871655\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-24 05:40:30 +0200 (Wed, 24 Aug 2016)\");\n script_cve_id(\"CVE-2016-5696\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2016:1664-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\n kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\nIt was found that the RFC 5961 challenge ACK rate limiting as 
implemented\nin the Linux kernel's networking subsystem allowed an off-path attacker to\nleak certain information about a given connection by creating congestion on\nthe global challenge ACK rate limit counter and then measuring the changes\nby probing packets. An off-path attacker could use this flaw to either\nterminate TCP connection and/or inject payload into non-secured TCP\nconnection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS\ndepartment of University of California in Riverside) for reporting this\nissue.\n\nBug Fix(es):\n\n * When loading the Direct Rendering Manager (DRM) kernel module, the kernel\npanicked if DRM was previously unloaded. The kernel panic was caused by a\nmemory leak of the ID Resolver (IDR2). With this update, IDR2 is loaded\nduring kernel boot, and the kernel panic no longer occurs in the described\nscenario. (BZ#1353827)\n\n * When more than one process attempted to use the 'configfs' directory\nentry at the same time, a kernel panic in some cases occurred. With this\nupdate, a race condition between a directory entry and a lookup operation\nhas been fixed. As a result, the kernel no longer panics in the described\nscenario. (BZ#1353828)\n\n * When shutting down the system by running the halt -p command, a kernel\npanic occurred due to a conflict between the kernel offlining CPUs and the\nsched command, which used the sched group and the sched domain data without\nfirst checking the data. The underlying source code has been fixed by\nadding a check to avoid the conflict. As a result, the described scenario\nno longer results in a kernel panic. (BZ#1343894)\n\n * In some cases, running the ipmitool command caused a kernel panic due to\na race condition in the ipmi message handler. 
This update fixes the race\ncondition, and the kernel panic no longer occurs in the described scenario.\n(BZ#1355980)\n\n * Previously, multiple Very Secure FTP daemon (vsftpd) processes on a\ndirectory with a large number of files led to a high contention rate on\neach inode's spinlock, which caused excessive CPU usage. With this update,\na spinlock to protect a single memory-to-memory copy has been removed from\nthe ext4_getattr() function. As a result, system CPU usage has been reduced\nand is no longer excessive in the described situation. (BZ#1355981)\n\n * When th ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"kernel on Red Hat Enterprise Linux\n Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:1664-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-August/msg00059.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-i686\", rpm:\"kernel-debuginfo-common-i686~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-firmware\", rpm:\"kernel-firmware~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~2.6.32~642.4.2.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:45", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-08-19T00:00:00", "type": "openvas", "title": "RedHat Update for kernel RHSA-2016:1633-01", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2018-11-23T00:00:00", "id": "OPENVAS:1361412562310871654", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871654", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2016:1633-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871654\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-19 05:36:54 +0200 (Fri, 19 Aug 2016)\");\n script_cve_id(\"CVE-2016-5696\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2016:1633-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel,\n the core of any Linux operating system.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented\nin the Linux kernel's networking subsystem allowed an off-path attacker to\nleak certain information about a given connection by creating congestion on\nthe global challenge ACK rate limit counter and then measuring the changes\nby probing packets. An off-path attacker could use this flaw to either\nterminate TCP connection and/or inject payload into non-secured TCP\nconnection between two endpoints on the network. 
(CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the CS\ndepartment of University of California, Riverside, for reporting this\nissue.\");\n script_tag(name:\"affected\", value:\"kernel on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:1633-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-August/msg00044.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", 
rpm:\"kernel-debug-devel~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~3.10.0~327.28.3.el7\", rls:\"RHENT_7\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:25", "description": "A vulnerability exists in the kernel of PAN-OS that may result in\nInformation Disclosure.", "cvss3": {}, "published": "2017-05-23T00:00:00", "type": "openvas", "title": "Palo Alto PAN-OS Kernel Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310106826", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106826", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_panos_pan_sa-2017_0015.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Palo Alto PAN-OS Kernel Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/o:paloaltonetworks:pan-os';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106826\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-23 15:33:39 +0700 (Tue, 23 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n\n script_cve_id(\"CVE-2016-5696\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Palo Alto PAN-OS Kernel Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Palo Alto PAN-OS Local Security Checks\");\n script_dependencies(\"gb_palo_alto_panOS_version.nasl\");\n script_mandatory_keys(\"palo_alto_pan_os/version\");\n\n script_tag(name:\"summary\", value:\"A vulnerability exists in the kernel of PAN-OS that may result in\nInformation Disclosure.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The challenge ACK rate limiting in the kernel's networking subsystem may\nallow an off-path attacker to leak certain information about a given connection by creating congestion on the\nglobal challenge ACK rate limit counter and then measuring the changes by probing packets.\");\n\n script_tag(name:\"affected\", value:\"PAN-OS 6.1, PAN-OS 7.0.15 and earlier, PAN-OS 
7.1.9 and earlier.\");\n\n script_tag(name:\"solution\", value:\"Update to PAN-OS 7.0.16, 7.1.10 or later.\");\n\n script_xref(name:\"URL\", value:\"https://securityadvisories.paloaltonetworks.com/Home/Detail/85\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nmodel = get_kb_item(\"palo_alto_pan_os/model\");\n\nif (version_is_less(version: version, test_version: \"7.0.16\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.0.16\");\n\n if (model)\n report += '\\nModel: ' + model;\n\n security_message(port: 0, data: report);\n exit(0);\n}\n\nif (version =~ \"^7\\.1\\.\") {\n if (version_is_less(version: version, test_version: \"7.1.10\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.1.10\");\n\n if (model)\n report += '\\nModel: ' + model;\n\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:49", "description": "Check the version of kernel", "cvss3": {}, "published": "2016-12-21T00:00:00", "type": "openvas", "title": "CentOS Update for kernel CESA-2016:2962 centos5", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-7117"], "modified": "2019-03-08T00:00:00", "id": "OPENVAS:1361412562310882614", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882614", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2016:2962 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software 
Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882614\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-21 05:44:54 +0100 (Wed, 21 Dec 2016)\");\n script_cve_id(\"CVE-2016-7117\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2016:2962 centos5\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * A use-after-free vulnerability was found in the kernels socket recvmmsg\nsubsystem. This may allows remote attackers to corrupt memory and may allow\nexecution of arbitrary code. This corruption takes place during the error\nhandling routines within __sys_recvmmsg() function. 
(CVE-2016-7117,\nImportant)\n\nBug Fix(es):\n\n * Previously, guest virtual machines (VMs) on a Hyper-V server cluster got\nin some cases rebooted during the graceful node failover test, because the\nhost kept sending heartbeat packets independently of guests responding to\nthem. This update fixes the bug by properly responding to all the heartbeat\nmessages in the queue, even if they are pending. As a result, guest VMs no\nlonger get rebooted under the described circumstances. (BZ#1391167)\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:2962\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-December/022182.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.18~417.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.18~417.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.18~417.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.18~417.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.18~417.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.18~417.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE\", rpm:\"kernel-PAE~2.6.18~417.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE-devel\", rpm:\"kernel-PAE-devel~2.6.18~417.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~2.6.18~417.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~2.6.18~417.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:07", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-12-21T00:00:00", "type": "openvas", "title": "RedHat Update for kernel RHSA-2016:2962-01", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-7117"], "modified": "2018-11-23T00:00:00", "id": "OPENVAS:1361412562310871730", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871730", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2016:2962-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later 
version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871730\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-21 05:44:26 +0100 (Wed, 21 Dec 2016)\");\n script_cve_id(\"CVE-2016-7117\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2016:2962-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * A use-after-free vulnerability was found in the kernels socket recvmmsg\nsubsystem. This may allows remote attackers to corrupt memory and may allow\nexecution of arbitrary code. This corruption takes place during the error\nhandling routines within __sys_recvmmsg() function. 
(CVE-2016-7117,\nImportant)\n\nBug Fix(es):\n\n * Previously, guest virtual machines (VMs) on a Hyper-V server cluster got\nin some cases rebooted during the graceful node failover test, because the\nhost kept sending heartbeat packets independently of guests responding to\nthem. This update fixes the bug by properly responding to all the heartbeat\nmessages in the queue, even if they are pending. As a result, guest VMs no\nlonger get rebooted under the described circumstances. (BZ#1391167)\");\n script_tag(name:\"affected\", value:\"kernel on\n Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:2962-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-December/msg00022.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE\", rpm:\"kernel-PAE~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE-debuginfo\", rpm:\"kernel-PAE-debuginfo~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE-devel\", rpm:\"kernel-PAE-devel~2.6.18~417.el5\", rls:\"RHENT_5\")) != 
NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common\", rpm:\"kernel-debuginfo-common~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.18~417.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2021-11-07T10:50:35", "description": "### SUMMARY\n\nBlue Coat products that include a vulnerable version of an operating system that supports RFC 5961 are susceptible to a TCP session hijacking vulnerability. A remote, off-path attacker can infer the sequence numbers of an existing TCP connection, and either reset the connection or inject arbitrary data. \n \n\n\n### AFFECTED PRODUCTS\n\nThe following products are vulnerable:\n\n**Content Analysis System (CAS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1 \n1.3 | Upgrade to 1.3.7.3. \n \n \n\n**Mail Threat Defense (MTD)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 1.1 | Not available at this time \n \n \n\n**Malware Analysis Appliance (MAA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 4.2 | Upgrade to 4.2.11. \n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1 \n1.7 | Upgrade to 1.7.2.1. \n1.6 | Upgrade to later release with fixes. \n1.5 | Upgrade to later release with fixes. \n \n \n\n**Norman Shark Industrial Control System Protection (ICSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 5.4 and later | Not vulnerable, fixed in 5.4.1 \n5.3 | Upgrade to later release with fixes. \n \n \n\n**Norman Shark Network Protection (NNP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 5.3 | A fix will not be provided. \n \n \n\n**Norman Shark SCADA Protection (NSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes. 
\n \n \n\n**PacketShaper (PS) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 11.7 and later | Not vulnerable, fixed in 11.7.1.1 \n11.6 | Upgrade to 11.6.2.1. \n11.2, 11.3, 11.4, 11.5 | Upgrade to later release with fixes. \n \n \n\n**PolicyCenter (PC) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 1.1 | Upgrade to 1.1.3.1. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1. \n10.1 | Upgrade to 10.1.5.1. \n9.5 | Not vulnerable \n9.4 | Not vulnerable \n \n \n\n**Security Analytics** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 7.3 and later | Not vulnerable, fixed in 7.3.1. \n7.2 | Upgrade to 7.2.2. \n7.1 | Not vulnerable \n6.6 | Not vulnerable \n \n \n\n**SSL Visibility (SSLV)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 3.11 and later | Not vulnerable, fixed in 3.11.1.1 \n3.10 | Not available at this time \n3.9 | Upgrade to 3.9.7.1. \n3.8.4FC | Upgrade to later release with fixes. \n \n \nThe following products have a vulnerable version of an operating system that supports RFC 5961, but are not vulnerable to known vectors of attack:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1 \n6.6 | Upgrade to 6.6.5.4. 
\n \n \n\n### ADDITIONAL PRODUCT INFORMATION \n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nBlue Coat HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nDirector \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nPacketShaper \nPolicyCenter \nProxyAV \nProxyAV ConLog and ConLogXP \nProxyClient \nProxySG \nX-Series XOS \nUnified Agent \nWeb Isolation**\n\nBlue Coat no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease, contact Digital Guardian technical support regarding vulnerability information for DLP. \n \n\n\n### ISSUES \n\n**CVE-2016-5696** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n**References** | SecurityFocus: [BID 91704](<https://www.securityfocus.com/bid/91704>) / NVD: [CVE-2016-5696](<https://nvd.nist.gov/vuln/detail/CVE-2016-5696>) \n**Impact** | Denial of service, unauthorized data modification \n**Description** | A side channel flaw in TCP packet handling allows a remote attacker to send spoofed packets and hijack a TCP connection. The attacker can reset the connection or inject arbitrary data. \n \nThis Security Advisory addresses TCP session hijacking vulnerabilities in operating systems that support _RFC 5961 - Improving TCP's Robustness to Blind In-Window Attacks_. 
RFC 5961 provides defenses against the following blind in-window attacks that affect the original TCP protocol specified in _RFC 793 - Transmission Control Protocol_:\n\n * Blind reset attack using TCP reset (RST) packets - a remote, off-path attacker can use spoofed RST packets to reset an existing TCP connection.\n * Blind reset attack using TCP synchronize (SYN) packets - a remote, off-path attacker can use spoofed SYN packets to reset an existing TCP connection.\n * Blind data injection attack - a remote, off-path attacker can use spoofed data packets to inject arbitrary data into an existing TCP connection.\n\nAccording to RFC 793, TCP hosts that receive one of the packets above only need to verify that the packet's sequence number is within the target's receive window. An attacker can successfully perform these attacks if they can guess sequence numbers within the target's receive window. RFC 5961 tightens the sequence number checks as follows:\n\n 1. If the packet's sequence number matches exactly the next expected sequence number, the target TCP host accepts the packet.\n 2. If the packet's sequence number does not match the next expected sequence number, but is within the target's receive window, the target TCP host responds with a challenge acknowledgement (ACK) packet. The challenge ACK packet forces the sender to resend the packet with the exact sequence number expected by the target. If the original packet is spoofed, the off-path attacker never receives the challenge ACK packet and the attack cannot proceed.\n\nRFC 5961 specifies a challenge ACK throttling mechanism to control the rate of outgoing challenge ACK packets and prevent them from consuming the target host's CPU and bandwidth resources. The throttling mechanism uses a global, system-wide counter to control the rate of challenge ACK packets among all existing network connections on the system. 
The counter is configurable, but uses a well-known default value _N_.\n\nSecurity researchers have discovered that the global challenge ACK counter exposes a side channel for inferring TCP sequence numbers and hijacking existing TCP connections:\n\n 1. The attacker sends a spoofed packet to the target. If the packet's sequence number is within the target's receive window, the target responds with a challenge ACK packet and decrements the global challenge ACK counter from _N_ to _N-1_.\n 2. The attacker establishes a direct TCP connection to the target and sends _N_ non-spoofed packets with in-window sequence numbers. If the attacker receives _N-1_ challenge ACK packets in response, the sequence number of the spoofed packet in step 1 was within the target's receive window. If the attacker receives _N_ challenge ACK packets, the spoofed packet's sequence number was not in the target's receive window.\n\nAfter guessing the TCP connection's sequence numbers, the attacker can reset the connection or inject arbitrary data. \n \n\n\n### REFERENCES \n\nOff-Path TCP Exploits: Global Rate Limit Considered Dangerous - <http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf> \nRFC 5961 - Improving TCP's Robustness to Blind In-Window Attacks - <https://tools.ietf.org/html/rfc5961> \nRFC 793 - Transmission Control Protocol - <https://tools.ietf.org/html/rfc793> \n \n\n\n### REVISION\n\n2020-04-23 A fix will not be provided in Industrial Control System Protection (ICSP) 5.3. Please upgrade to a later release with the vulnerability fixes. Advisory status changed to Closed. \n2019-10-02 Web Isolation is not vulnerable. \n2019-09-21 SA 8.0 is not vulnerable. ICSP 5.4 is not vulnerable because a fix is available in 5.4.1. \n2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes. 
\n2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided. \n2018-04-22 PacketShaper S-Series 11.10 is not vulnerable. \n2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1. \n2017-08-02 SSLV 4.1 is not vulnerable. \n2017-07-24 PacketShaper S-Series 11.9 is not vulnerable. \n2017-07-20 MC 1.10 is not vulnerable. \n2017-06-22 Security Analytics 7.3 is not vulnerable. \n2017-06-05 PacketShaper S-Series 11.8 is not vulnerable. \n2017-05-18 CAS 2.1 is not vulnerable. \n2017-03-30 MC 1.9 is not vulnerable. \n2017-03-29 A fix for ASG 6.6 is available in 6.6.5.4. \n2017-03-08 MC 1.8 is not vulnerable. ProxySG 6.7 is not vulnerable. SSLV 4.0 is not vulnerable. A fix for PolicyCenter S-Series is available in 1.1.3.1. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support. \n2017-01-25 A fix for Security Analytics 7.2 is available in 7.2.2. \n2017-01-24 A fix for CAS 1.3 is available in 1.3.7.3. \n2017-01-13 A fix in SSLV 3.9 is available in 3.9.7.1. \n2017-01-10 A fix for Reporter 10.1 is available in 10.1.5.1. \n2016-12-19 A fix for MAA is available in 4.2.11. \n2016-12-02 A fix is available in SSLV 3.11.1.1. \n2016-12-02 PacketShaper S-Series 11.7 is not vulnerable. \n2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable. \n2016-11-14 MC 1.7 is vulnerable and a fix for MC 1.7 is available in 1.7.2.1. \n2016-11-11 SSLV 3.10 is vulnerable. A fix is not available at this time. \n2016-11-04 A fix for PacketShaper S-Series is available in 11.6.2.1. 
\n2016-09-14 initial public release \n2016-09-15 ASG has a vulnerable version of an operating system that supports RFC 5961, but is not vulnerable to known vectors of attack.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.5}, "published": "2016-09-14T08:00:00", "type": "symantec", "title": "SA131 : TCP Session Hijacking in Operating Systems Supporting RFC 5961", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2021-05-04T21:41:38", "id": "SMNTC-1378", "href": "", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:47", "description": "A security issue has been found in the Linux kernel's implementation of\nchallenge ACKs as specified in RFC 5961. 
An attacker who knows a\nconnection's client IP, server IP and server port can abuse the\nchallenge ACK mechanism to determine the accuracy of a normally 'blind'\nattack on the client or server.\n\nSuccessful exploitation of this flaw could allow a remote attacker to\ninject or control the contents of a TCP stream in a connection between a Linux\ndevice and its connected client/server.", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.5}, "published": "2016-08-14T00:00:00", "type": "archlinux", "title": "linux-grsec: information disclosure", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2016-08-14T00:00:00", "id": "ASA-201608-13", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-August/000687.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-02T18:44:46", "description": "A security issue has been found in the Linux kernel's implementation of\nchallenge ACKs as specified in RFC 5961. 
An attacker who knows a\nconnection's client IP, server IP and server port can abuse the\nchallenge ACK mechanism to determine the accuracy of a normally 'blind'\nattack on the client or server.\n\nSuccessful exploitation of this flaw could allow a remote attacker to\ninject or control the contents of a TCP stream in a connection between a Linux\ndevice and its connected client/server.", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.5}, "published": "2016-08-17T00:00:00", "type": "archlinux", "title": "linux-zen: information disclosure", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2016-08-17T00:00:00", "id": "ASA-201608-15", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-August/000689.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-02T18:44:45", "description": "A security issue has been found in the Linux kernel's implementation of\nchallenge ACKs as specified in RFC 5961. 
An attacker who knows a\nconnection's client IP, server IP and server port can abuse the\nchallenge ACK mechanism to determine the accuracy of a normally 'blind'\nattack on the client or server.\n\nSuccessful exploitation of this flaw could allow a remote attacker to\ninject or control the contents of a TCP stream in a connection between a Linux\ndevice and its connected client/server.", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.5}, "published": "2016-08-14T00:00:00", "type": "archlinux", "title": "linux: information disclosure", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2016-08-14T00:00:00", "id": "ASA-201608-12", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-August/000686.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-02T18:44:35", "description": "A security issue has been found in the Linux kernel's implementation of\nchallenge ACKs as specified in RFC 5961. 
An attacker who knows a\nconnection's client IP, server IP and server port can abuse the\nchallenge ACK mechanism to determine the accuracy of a normally 'blind'\nattack on the client or server.\n\nSuccessful exploitation of this flaw could allow a remote attacker to\ninject or control the contents of a TCP stream in a connection between a Linux\ndevice and its connected client/server.", "edition": 2, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.5}, "published": "2016-08-21T00:00:00", "type": "archlinux", "title": "linux-lts: information disclosure", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2016-08-21T00:00:00", "id": "ASA-201608-17", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-August/000691.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "redhatcve": [{"lastseen": "2021-09-03T01:51:23", "description": "It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global 
challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate a TCP connection and/or inject a payload into a non-secured TCP connection between two endpoints on the network.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.5}, "published": "2016-07-12T08:48:22", "type": "redhatcve", "title": "CVE-2016-5696", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2020-12-21T04:55:59", "id": "RH:CVE-2016-5696", "href": "https://access.redhat.com/security/cve/cve-2016-5696", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-09-02T22:53:27", "description": "Heap-based buffer overflow in the wcnss_wlan_write function in drivers/net/wireless/wcnss/wcnss_wlan.c in the wcnss_wlan device driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to cause a denial of service or possibly have unspecified other impact by writing to /dev/wcnss_wlan with an unexpected amount of data.\n", "cvss3": {"exploitabilityScore": 1.8, 
"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-05T04:43:32", "type": "redhatcve", "title": "CVE-2016-5342", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5342"], "modified": "2021-03-18T17:19:28", "id": "RH:CVE-2016-5342", "href": "https://access.redhat.com/security/cve/cve-2016-5342", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-27T14:10:27", "description": "The version of Arista Networks EOS running on the remote device is affected by a flaw in the Linux kernel implementation within file net/ipv4/tcp_input.c due to a failure to properly determine the rate of challenge ACK segments. 
An unauthenticated, remote attacker can exploit this issue to access the shared counter, thereby making it easier for the attacker to hijack TCP sessions via a blind in-window attack.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.8, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2018-02-28T00:00:00", "type": "nessus", "title": "Arista Networks EOS tcp_input Challenge ACKs Shared Counter Disclosure (SA0023)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2019-11-08T00:00:00", "cpe": ["cpe:/o:arista:eos"], "id": "ARISTA_EOS_SA0023.NASL", "href": "https://www.tenable.com/plugins/nessus/107065", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107065);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\"CVE-2016-5696\");\n script_bugtraq_id(91704);\n\n script_name(english:\"Arista Networks EOS tcp_input Challenge ACKs Shared Counter Disclosure (SA0023)\");\n script_summary(english:\"Checks the Arista Networks EOS version.\");\n\n script_set_attribute(attribute:\"synopsis\", 
value:\n\"The version of Arista Networks EOS running on the remote device is\naffected by an information disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Arista Networks EOS running on the remote device is\naffected by a flaw in the Linux kernel implementation within file\nnet/ipv4/tcp_input.c due to a failure to properly determine the rate\nof challenge ACK segments. An unauthenticated, remote attacker can\nexploit this issue to access the shared counter, thereby making it\neasier for the attacker to hijack TCP sessions via a blind in-window\nattack.\");\n # https://www.arista.com/en/support/advisories-notices/security-advisories/1461-security-advisory-23\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?71caec59\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact the vendor for a fixed version. Alternatively, apply the\nhotfix or recommended mitigations referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:arista:eos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"arista_eos_detect.nbin\");\n script_require_keys(\"Host/Arista-EOS/Version\");\n\n exit(0);\n}\n\n\ninclude(\"arista_eos_func.inc\");\n\nversion = get_kb_item_or_exit(\"Host/Arista-EOS/Version\");\n\next = \"2.7.0/3431682.erahneostrunkcve20165696hotfix.5\";\nsha = \"d669cd3c2c98d6b59cd9e0e0588baa14f5064eaa9dbdcdacc9b5c52210737f13fcd5d09f064db85074cfd5f15dcdd0eddce0cf9fc8be46c310ea\";\nif(eos_extension_installed(ext:ext, sha:sha)) exit(0, \"The Arista device is not vulnerable, as a relevant hotfix has been installed.\");\n\nvmatrix = make_array();\nvmatrix[\"F\"] = make_list( \"4.14.0<=4.14.4.2\", \"4.15.0<=4.15.4.1\");\nvmatrix[\"M\"] = make_list( \"4.14.5<=4.14.15\",\n \"4.15.5<=4.15.7\",\n \"4.16.6\",\n \"4.16.7\"\n );\n\nvmatrix[\"misc\"] = make_list( \"4.14.5FX\",\n \"4.14.5FX\",\n \"4.14.5FX.1\",\n \"4.14.5FX.2\",\n \"4.14.5FX.3\",\n \"4.14.5FX.4\",\n \"4.14.5.1F-SSU\",\n \"4.15.0FX\",\n \"4.15.0FXA\",\n \"4.15.0FX1\",\n \"4.15.1FXB.1\",\n \"4.15.1FXB\",\n \"4.15.1FX-7060X\",\n \"4.15.1FX-7260QX\",\n \"4.15.3FX-7050X-72Q\",\n \"4.15.3FX-7060X.1\",\n \"4.15.3FX-7500E3\",\n \"4.15.3FX-7500E3.3\",\n \"4.15.4FX-7500E3\",\n \"4.15.5FX-7500R\",\n \"4.15.5FX-7500R-bgpscale\",\n \"4.16.6FX-7512R\",\n \"4.16.6FX-7500R.1\",\n \"4.16.6FX-7500R-bgpscale\",\n \"4.16.6FX-7500R\",\n \"4.16.6FX-7060X\",\n \"4.16.6FX-7050X2\",\n \"4.16.7M-L2EVPN\",\n \"4.16.7FX-MLAGISSU-TWO-STEP\",\n \"4.16.7FX-7500R\",\n \"4.16.7FX-7060X\"\n );\n\nif (eos_is_affected(vmatrix:vmatrix, version:version))\n{\n security_report_v4(severity:SECURITY_WARNING, port:0, extra:eos_report_get());\n}\naudit(AUDIT_INST_VER_NOT_VULN, \"Arista Networks EOS\", version);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-01-29T14:43:52", "description": "The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2016-1633 advisory.\n\n - net/ipv4/tcp_input.c in the 
Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.\n (CVE-2016-5696)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.8, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2016-08-19T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : kernel (ELSA-2016-1633)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-abi-whitelists", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-tools", "p-cpe:/a:oracle:linux:kernel-tools-libs", "p-cpe:/a:oracle:linux:kernel-tools-libs-devel", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2016-1633.NASL", "href": "https://www.tenable.com/plugins/nessus/93035", 
"sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-1633.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93035);\n script_version(\"2.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\"CVE-2016-5696\");\n script_xref(name:\"RHSA\", value:\"2016:1633\");\n\n script_name(english:\"Oracle Linux 7 : kernel (ELSA-2016-1633)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2016-1633 advisory.\n\n - net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK\n segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.\n (CVE-2016-5696)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2016-1633.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5696\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['3.10.0-327.28.3.el7'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2016-1633');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does 
not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '3.10';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-3.10.0-327.28.3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-3.10.0'},\n {'reference':'kernel-abi-whitelists-3.10.0-327.28.3.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-abi-whitelists-3.10.0'},\n {'reference':'kernel-debug-3.10.0-327.28.3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-3.10.0'},\n {'reference':'kernel-debug-devel-3.10.0-327.28.3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-devel-3.10.0'},\n {'reference':'kernel-devel-3.10.0-327.28.3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-devel-3.10.0'},\n {'reference':'kernel-headers-3.10.0-327.28.3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-3.10.0'},\n {'reference':'kernel-tools-3.10.0-327.28.3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-3.10.0'},\n {'reference':'kernel-tools-libs-3.10.0-327.28.3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-3.10.0'},\n {'reference':'kernel-tools-libs-devel-3.10.0-327.28.3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-tools-libs-devel-3.10.0'},\n {'reference':'perf-3.10.0-327.28.3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'python-perf-3.10.0-327.28.3.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-abi-whitelists / kernel-debug / etc');\n}\n", "cvss": {"score": 5.8, "vector": 
"AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-01-29T14:43:52", "description": "net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack. (CVE-2016-5696)", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.8, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2016-08-29T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Linux TCP stack vulnerability (K46514822)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2019-01-04T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL46514822.NASL", "href": "https://www.tenable.com/plugins/nessus/93136", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# 
The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K46514822.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93136);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2016-5696\");\n\n script_name(english:\"F5 Networks BIG-IP : Linux TCP stack vulnerability (K46514822)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly\ndetermine the rate of challenge ACK segments, which makes it easier\nfor man-in-the-middle attackers to hijack TCP sessions via a blind\nin-window attack. (CVE-2016-5696)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/#/article/K13284\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K46514822\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K46514822.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K46514822\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1HF1\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.1.1HF2\",\"11.4.0-11.6.1\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1HF1\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.1.1HF2\",\"11.4.0-11.6.1\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1HF1\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.1.1HF2\",\"11.4.0-11.6.1\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1HF1\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.1.1HF2\",\"11.4.0-11.6.1\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"12.0.0-12.1.1HF1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.1.1HF2\",\"11.4.0-11.6.1\",\"11.2.1\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"12.0.0-12.1.1HF1\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.1.1HF2\",\"11.4.0-11.6.1\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1HF1\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.1.1HF2\",\"11.4.0-11.6.1\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1HF1\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.1.1HF2\",\"11.4.0-11.6.1\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else 
security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-01-29T14:43:53", "description": "The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2016-1664 advisory.\n\n - net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.\n (CVE-2016-5696)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.8, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2016-08-24T00:00:00", "type": "nessus", "title": "Oracle Linux 6 : kernel (ELSA-2016-1664)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": 
"2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-abi-whitelists", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-firmware", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2016-1664.NASL", "href": "https://www.tenable.com/plugins/nessus/93093", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-1664.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93093);\n script_version(\"2.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\"CVE-2016-5696\");\n script_xref(name:\"RHSA\", value:\"2016:1664\");\n\n script_name(english:\"Oracle Linux 6 : kernel (ELSA-2016-1664)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2016-1664 advisory.\n\n - net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK\n segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.\n (CVE-2016-5696)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2016-1664.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5696\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['2.6.32-642.4.2.el6'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2016-1664');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + 
join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '2.6';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-2.6.32-642.4.2.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-2.6.32'},\n {'reference':'kernel-2.6.32-642.4.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-2.6.32'},\n {'reference':'kernel-abi-whitelists-2.6.32-642.4.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-abi-whitelists-2.6.32'},\n {'reference':'kernel-debug-2.6.32-642.4.2.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-2.6.32'},\n {'reference':'kernel-debug-2.6.32-642.4.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-2.6.32'},\n {'reference':'kernel-debug-devel-2.6.32-642.4.2.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-devel-2.6.32'},\n {'reference':'kernel-debug-devel-2.6.32-642.4.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-debug-devel-2.6.32'},\n {'reference':'kernel-devel-2.6.32-642.4.2.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-devel-2.6.32'},\n {'reference':'kernel-devel-2.6.32-642.4.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-devel-2.6.32'},\n {'reference':'kernel-firmware-2.6.32-642.4.2.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-firmware-2.6.32'},\n {'reference':'kernel-headers-2.6.32-642.4.2.el6', 'cpu':'i686', 
'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-2.6.32'},\n {'reference':'kernel-headers-2.6.32-642.4.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-headers-2.6.32'},\n {'reference':'perf-2.6.32-642.4.2.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-2.6.32-642.4.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-2.6.32-642.4.2.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-2.6.32-642.4.2.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if 
(rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-abi-whitelists / kernel-debug / etc');\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-01-29T14:44:00", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - tcp: make challenge acks less predictable (Eric Dumazet) [Orabug: 24010103] [Orabug: 2401010] (CVE-2016-5696)", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.8, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2016-08-19T00:00:00", "type": "nessus", "title": "OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0097)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:kernel-uek", 
"p-cpe:/a:oracle:vm:kernel-uek-firmware", "cpe:/o:oracle:vm_server:3.4"], "id": "ORACLEVM_OVMSA-2016-0097.NASL", "href": "https://www.tenable.com/plugins/nessus/93036", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2016-0097.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93036);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-5696\");\n\n script_name(english:\"OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0097)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - tcp: make challenge acks less predictable (Eric Dumazet)\n [Orabug: 24010103] [Orabug: 2401010] (CVE-2016-5696)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2016-August/000513.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2d4dfcb7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! 
preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-4.1.12-37.6.3.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-firmware-4.1.12-37.6.3.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-01-29T14:44:00", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. 
An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS department of University of California in Riverside) for reporting this issue.\n\nBug Fix(es) :\n\n* When loading the Direct Rendering Manager (DRM) kernel module, the kernel panicked if DRM was previously unloaded. The kernel panic was caused by a memory leak of the ID Resolver (IDR2). With this update, IDR2 is loaded during kernel boot, and the kernel panic no longer occurs in the described scenario. (BZ#1353827)\n\n* When more than one process attempted to use the 'configfs' directory entry at the same time, a kernel panic in some cases occurred. With this update, a race condition between a directory entry and a lookup operation has been fixed. As a result, the kernel no longer panics in the described scenario. (BZ#1353828)\n\n* When shutting down the system by running the halt -p command, a kernel panic occurred due to a conflict between the kernel offlining CPUs and the sched command, which used the sched group and the sched domain data without first checking the data. The underlying source code has been fixed by adding a check to avoid the conflict. As a result, the described scenario no longer results in a kernel panic.\n(BZ#1343894)\n\n* In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1355980)\n\n* Previously, multiple Very Secure FTP daemon (vsftpd) processes on a directory with a large number of files led to a high contention rate on each inode's spinlock, which caused excessive CPU usage. With this update, a spinlock to protect a single memory-to-memory copy has been removed from the ext4_getattr() function. 
As a result, system CPU usage has been reduced and is no longer excessive in the described situation. (BZ#1355981)\n\n* When the gfs2_grow utility is used to extend Global File System 2 (GFS2), the next block allocation causes the GFS2 kernel module to re-read its resource group index. If multiple processes in the GFS2 module raced to do the same thing, one process sometimes overwrote a valid object pointer with an invalid pointer, which caused either a kernel panic or a file system corruption. This update ensures that the resource group object pointer is not overwritten. As a result, neither kernel panic nor file system corruption occur in the described scenario. (BZ#1347539)\n\n* Previously, the SCSI Remote Protocol over InfiniBand (IB-SRP) was disabled due to a bug in the srp_queue() function. As a consequence, an attempt to enable the Remote Direct Memory Access (RDMA) at boot caused the kernel to crash. With this update, srp_queue() has been fixed, and the system now boots as expected when RDMA is enabled.\n(BZ#1348062)\n\nEnhancement(s) :\n\n* This update optimizes the efficiency of the Transmission Control Protocol (TCP) when the peer is using a window under 537 bytes in size. 
As a result, devices that use maximum segment size (MSS) of 536 bytes or fewer will experience improved network performance.\n(BZ#1354446)", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.8, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2016-08-24T00:00:00", "type": "nessus", "title": "RHEL 6 : kernel (RHSA-2016:1664)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", 
"p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2016-1664.NASL", "href": "https://www.tenable.com/plugins/nessus/93095", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:1664. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93095);\n script_version(\"2.13\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2016-5696\");\n script_xref(name:\"RHSA\", value:\"2016:1664\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2016:1664)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\nIt was found that the RFC 5961 challenge ACK rate limiting as\nimplemented in the Linux kernel's networking subsystem allowed an\noff-path attacker to leak certain information about a given connection\nby creating congestion on the global challenge ACK rate limit counter\nand then measuring the changes by probing packets. An off-path\nattacker could use this flaw to either terminate TCP connection and/or\ninject payload into non-secured TCP connection between two endpoints\non the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS\ndepartment of University of California in Riverside) for reporting\nthis issue.\n\nBug Fix(es) :\n\n* When loading the Direct Rendering Manager (DRM) kernel module, the\nkernel panicked if DRM was previously unloaded. The kernel panic was\ncaused by a memory leak of the ID Resolver (IDR2). With this update,\nIDR2 is loaded during kernel boot, and the kernel panic no longer\noccurs in the described scenario. (BZ#1353827)\n\n* When more than one process attempted to use the 'configfs' directory\nentry at the same time, a kernel panic in some cases occurred. With\nthis update, a race condition between a directory entry and a lookup\noperation has been fixed. As a result, the kernel no longer panics in\nthe described scenario. (BZ#1353828)\n\n* When shutting down the system by running the halt -p command, a\nkernel panic occurred due to a conflict between the kernel offlining\nCPUs and the sched command, which used the sched group and the sched\ndomain data without first checking the data. The underlying source\ncode has been fixed by adding a check to avoid the conflict. 
As a\nresult, the described scenario no longer results in a kernel panic.\n(BZ#1343894)\n\n* In some cases, running the ipmitool command caused a kernel panic\ndue to a race condition in the ipmi message handler. This update fixes\nthe race condition, and the kernel panic no longer occurs in the\ndescribed scenario. (BZ#1355980)\n\n* Previously, multiple Very Secure FTP daemon (vsftpd) processes on a\ndirectory with a large number of files led to a high contention rate\non each inode's spinlock, which caused excessive CPU usage. With this\nupdate, a spinlock to protect a single memory-to-memory copy has been\nremoved from the ext4_getattr() function. As a result, system CPU\nusage has been reduced and is no longer excessive in the described\nsituation. (BZ#1355981)\n\n* When the gfs2_grow utility is used to extend Global File System 2\n(GFS2), the next block allocation causes the GFS2 kernel module to\nre-read its resource group index. If multiple processes in the GFS2\nmodule raced to do the same thing, one process sometimes overwrote a\nvalid object pointer with an invalid pointer, which caused either a\nkernel panic or a file system corruption. This update ensures that the\nresource group object pointer is not overwritten. As a result, neither\nkernel panic nor file system corruption occur in the described\nscenario. (BZ#1347539)\n\n* Previously, the SCSI Remote Protocol over InfiniBand (IB-SRP) was\ndisabled due to a bug in the srp_queue() function. As a consequence,\nan attempt to enable the Remote Direct Memory Access (RDMA) at boot\ncaused the kernel to crash. With this update, srp_queue() has been\nfixed, and the system now boots as expected when RDMA is enabled.\n(BZ#1348062)\n\nEnhancement(s) :\n\n* This update optimizes the efficiency of the Transmission Control\nProtocol (TCP) when the peer is using a window under 537 bytes in\nsize. 
As a result, devices that use maximum segment size (MSS) of 536\nbytes or fewer will experience improved network performance.\n(BZ#1354446)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:1664\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5696\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5696\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:1664\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:1664\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security 
advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-abi-whitelists-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debug-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debug-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debug-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debug-devel-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debug-devel-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", 
reference:\"kernel-debuginfo-common-s390x-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-devel-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-devel-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-doc-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-firmware-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-headers-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-headers-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-kdump-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-kdump-devel-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"perf-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"perf-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"perf-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"perf-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"perf-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"perf-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n if 
(rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"python-perf-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"python-perf-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"python-perf-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"python-perf-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"python-perf-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-2.6.32-642.4.2.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-01-29T14:44:00", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. 
An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the CS department of University of California, Riverside, for reporting this issue.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.8, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2016-08-19T00:00:00", "type": "nessus", "title": "RHEL 7 : kernel (RHSA-2016:1633)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", 
"p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-tools", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.2", "cpe:/o:redhat:enterprise_linux:7.3", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/o:redhat:enterprise_linux:7.7"], "id": "REDHAT-RHSA-2016-1633.NASL", "href": "https://www.tenable.com/plugins/nessus/93042", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:1633. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93042);\n script_version(\"2.15\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2016-5696\");\n script_xref(name:\"RHSA\", value:\"2016:1633\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2016:1633)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as\nimplemented in the Linux kernel's networking subsystem allowed an\noff-path attacker to leak certain information about a given connection\nby creating congestion on the global challenge ACK rate limit counter\nand then measuring the changes by probing packets. An off-path\nattacker could use this flaw to either terminate TCP connection and/or\ninject payload into non-secured TCP connection between two endpoints\non the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the\nCS department of University of California, Riverside, for reporting\nthis issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:1633\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5696\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5696\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:1633\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:1633\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security 
advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-abi-whitelists-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-devel-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-devel-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-doc-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-headers-3.10.0-327.28.3.el7\")) flag++;\n\n if 
(rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-devel-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-debuginfo-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-debuginfo-3.10.0-327.28.3.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-327.28.3.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n 
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-01-29T14:44:01", "description": "An update for kernel-rt is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. 
(CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the CS department of University of California, Riverside, for reporting this issue.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.8, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2016-08-19T00:00:00", "type": "nessus", "title": "RHEL 7 : kernel-rt (RHSA-2016:1632)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel-rt", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm-debuginfo", 
"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm-debuginfo", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2016-1632.NASL", "href": "https://www.tenable.com/plugins/nessus/93041", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:1632. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93041);\n script_version(\"2.13\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2016-5696\");\n script_xref(name:\"RHSA\", value:\"2016:1632\");\n\n script_name(english:\"RHEL 7 : kernel-rt (RHSA-2016:1632)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel-rt is now available for Red Hat Enterprise Linux\n7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which\nenables fine-tuning for systems with extremely high determinism\nrequirements.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as\nimplemented in the Linux kernel's networking subsystem allowed an\noff-path attacker to leak certain information about a given connection\nby creating congestion on the global challenge ACK rate limit counter\nand then measuring the changes by probing packets. An off-path\nattacker could use this flaw to either terminate TCP connection and/or\ninject payload into non-secured TCP connection between two endpoints\non the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the\nCS department of University of California, Riverside, for reporting\nthis issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:1632\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5696\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/18\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5696\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:1632\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:1632\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-debuginfo-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-devel-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-kvm-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debug-kvm-debuginfo-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", 
cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-common-x86_64-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-devel-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-rt-doc-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-kvm-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-kvm-debuginfo-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-debuginfo-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-devel-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-kvm-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-rt-trace-kvm-debuginfo-3.10.0-327.28.3.rt56.235.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2022-04-12T16:04:20", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.7 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact 
of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS department of University of California in Riverside) for reporting this issue.\n\nBug Fix(es) :\n\n* When an interrupt request occurred and the new API was scheduled on a different CPU, the enic driver previously generated a warning message. This behavior was caused by a race condition between the vnic_intr_unmask() function and the enic_poll_unlock_napi() function.\nThis update fixes the napi_poll() function to unlock before unmasking the interrupt. As a result, the warning message no longer occurs in the described situation. 
(BZ# 1351192)", "cvss3": {"score": 4.8, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "published": "2016-09-08T00:00:00", "type": "nessus", "title": "RHEL 6 : kernel (RHSA-2016:1815)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "cpe:/o:redhat:enterprise_linux:6.7"], "id": "REDHAT-RHSA-2016-1815.NASL", "href": "https://www.tenable.com/plugins/nessus/93365", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:1815. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93365);\n script_version(\"2.11\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2016-5696\");\n script_xref(name:\"RHSA\", value:\"2016:1815\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2016:1815)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 6.7\nExtended Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* It was found that the RFC 5961 challenge ACK rate limiting as\nimplemented in the Linux kernel's networking subsystem allowed an\noff-path attacker to leak certain information about a given connection\nby creating congestion on the global challenge ACK rate limit counter\nand then measuring the changes by probing packets. An off-path\nattacker could use this flaw to either terminate TCP connection and/or\ninject payload into non-secured TCP connection between two endpoints\non the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS\ndepartment of University of California in Riverside) for reporting\nthis issue.\n\nBug Fix(es) :\n\n* When an interrupt request occurred and the new API was scheduled on\na different CPU, the enic driver previously generated a warning\nmessage. 
This behavior was caused by a race condition between the\nvnic_intr_unmask() function and the enic_poll_unlock_napi() function.\nThis update fixes the napi_poll() function to unlock before unmasking\nthe interrupt. As a result, the warning message no longer occurs in\nthe described situation. (BZ# 1351192)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:1815\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5696\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6\\.7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.7\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5696\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:1815\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:1815\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat 
security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", reference:\"kernel-abi-whitelists-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-debug-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-debug-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-debug-debuginfo-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-debug-devel-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-debug-devel-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-debuginfo-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-debuginfo-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-2.6.32-573.34.1.el6\")) 
flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-devel-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-devel-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", reference:\"kernel-doc-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", reference:\"kernel-firmware-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"kernel-headers-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-headers-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-kdump-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"kernel-kdump-devel-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"perf-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"perf-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", 
reference:\"perf-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"perf-debuginfo-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"perf-debuginfo-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"perf-debuginfo-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"python-perf-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"python-perf-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"python-perf-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"python-perf-debuginfo-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"python-perf-debuginfo-2.6.32-573.34.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-2.6.32-573.34.1.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2022-03-30T16:04:21", "description": "It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. 
An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. (CVE-2016-5696, Important)", "cvss3": {"score": 4.8, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "published": "2016-08-22T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : kernel on SL7.x x86_64 (20160818)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:kernel", "p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists", "p-cpe:/a:fermilab:scientific_linux:kernel-debug", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:fermilab:scientific_linux:kernel-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-doc", "p-cpe:/a:fermilab:scientific_linux:kernel-headers", "p-cpe:/a:fermilab:scientific_linux:kernel-tools", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel", "p-cpe:/a:fermilab:scientific_linux:perf", "p-cpe:/a:fermilab:scientific_linux:perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-perf", "p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20160818_KERNEL_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/93071", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93071);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-5696\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL7.x x86_64 (20160818)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was found that the RFC 5961 challenge ACK rate limiting as\nimplemented in the Linux kernel's networking subsystem allowed an\noff-path attacker to leak certain information about a given connection\nby creating congestion on the global challenge ACK rate limit counter\nand then measuring the changes by probing packets. An off-path\nattacker could use this flaw to either terminate TCP connection and/or\ninject payload into non-secured TCP connection between two endpoints\non the network. (CVE-2016-5696, Important)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1608&L=scientific-linux-errata&F=&S=&P=6799\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?73f4f6c4\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-abi-whitelists-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", 
reference:\"kernel-debuginfo-common-x86_64-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-doc-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-327.28.3.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2022-03-30T16:04:21", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - tcp: make challenge acks less predictable (Eric Dumazet) [Orabug: 24010012] [Orabug: 2401010] (CVE-2016-5696)\n\n - ocfs2: call ocfs2_journal_access_di before ocfs2_journal_dirty in ocfs2_write_end_nolock 
(yangwenfang) [Orabug: 19601200]\n\n - ocfs2: improve recovery performance (Junxiao Bi) [Orabug: 24395691]", "cvss3": {"score": 4.8, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "published": "2016-08-19T00:00:00", "type": "nessus", "title": "OracleVM 3.3 : Unbreakable / etc (OVMSA-2016-0098)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware", "cpe:/o:oracle:vm_server:3.3"], "id": "ORACLEVM_OVMSA-2016-0098.NASL", "href": "https://www.tenable.com/plugins/nessus/93037", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2016-0098.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93037);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-5696\");\n\n script_name(english:\"OracleVM 3.3 : Unbreakable / etc (OVMSA-2016-0098)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - tcp: make challenge acks less predictable (Eric Dumazet)\n [Orabug: 24010012] [Orabug: 2401010] (CVE-2016-5696)\n\n - ocfs2: call ocfs2_journal_access_di before\n ocfs2_journal_dirty in ocfs2_write_end_nolock\n (yangwenfang) [Orabug: 19601200]\n\n - ocfs2: improve recovery performance (Junxiao Bi)\n [Orabug: 24395691]\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2016-August/000515.html\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"http://www.nessus.org/u?0f67eaf9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.3\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-3.8.13-118.10.2.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-firmware-3.8.13-118.10.2.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2022-05-08T16:00:39", "description": "An update for kernel-rt is now available for Red Hat Enterprise MRG 2.5.\n\nRed Hat Product Security has rated this update as having a security impact of Important. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the CS department of University of California, Riverside, for reporting this issue.", "cvss3": {"score": 4.8, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "published": "2016-08-19T00:00:00", "type": "nessus", "title": "RHEL 6 : MRG (RHSA-2016:1631)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel-rt", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel", 
"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-devel", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2016-1631.NASL", "href": "https://www.tenable.com/plugins/nessus/93040", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:1631. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93040);\n script_version(\"2.13\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2016-5696\");\n script_xref(name:\"RHSA\", value:\"2016:1631\");\n\n script_name(english:\"RHEL 6 : MRG (RHSA-2016:1631)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel-rt is now available for Red Hat Enterprise MRG\n2.5.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which\nenables fine-tuning for systems with extremely high determinism\nrequirements.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as\nimplemented in the Linux kernel's networking subsystem allowed an\noff-path attacker to leak certain information about a given connection\nby creating congestion on the global challenge ACK rate limit counter\nand then measuring the changes by probing packets. 
An off-path\nattacker could use this flaw to either terminate TCP connection and/or\ninject payload into non-secured TCP connection between two endpoints\non the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the\nCS department of University of California, Riverside, for reporting\nthis issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:1631\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5696\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5696\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:1631\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:1631\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security 
advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"mrg-release\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MRG\");\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debug-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debug-debuginfo-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debug-devel-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-common-x86_64-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-devel-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-rt-doc-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-rt-firmware-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-trace-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-trace-debuginfo-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-trace-devel-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-vanilla-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-vanilla-debuginfo-3.10.0-327.rt56.195.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-vanilla-devel-3.10.0-327.rt56.195.el6\")) flag++;\n\n if (flag)\n {\n 
security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2022-05-08T16:00:42", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. 
(CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the CS department of University of California, Riverside, for reporting this issue.", "cvss3": {"score": 4.8, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "published": "2016-08-22T00:00:00", "type": "nessus", "title": "CentOS 7 : kernel (CESA-2016:1633)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-abi-whitelists", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-debug-devel", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel-doc", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-tools", "p-cpe:/a:centos:centos:kernel-tools-libs", "p-cpe:/a:centos:centos:kernel-tools-libs-devel", "p-cpe:/a:centos:centos:perf", "p-cpe:/a:centos:centos:python-perf", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2016-1633.NASL", "href": "https://www.tenable.com/plugins/nessus/93052", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:1633 and \n# CentOS Errata and Security Advisory 2016:1633 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93052);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-5696\");\n script_xref(name:\"RHSA\", value:\"2016:1633\");\n\n script_name(english:\"CentOS 7 : kernel (CESA-2016:1633)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n 
value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as\nimplemented in the Linux kernel's networking subsystem allowed an\noff-path attacker to leak certain information about a given connection\nby creating congestion on the global challenge ACK rate limit counter\nand then measuring the changes by probing packets. An off-path\nattacker could use this flaw to either terminate TCP connection and/or\ninject payload into non-secured TCP connection between two endpoints\non the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the\nCS department of University of California, Riverside, for reporting\nthis issue.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-August/022040.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ef0ede46\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5696\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-abi-whitelists-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-doc-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", 
reference:\"kernel-tools-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.28.3.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.28.3.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2022-04-12T16:04:17", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.6 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. 
(CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS department of University of California in Riverside) for reporting this issue.\n\nBug Fix(es) :\n\n* Previously, the BUG_ON() signal appeared in the fs_clear_inode() function where the nfs_have_writebacks() function reported a positive value for nfs_inode->npages. As a consequence, a kernel panic occurred. The provided patch performs a serialization by holding the inode i_lock over the check of PagePrivate and locking the request, which fixes this bug. (BZ#1365163)", "cvss3": {"score": 4.8, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "published": "2016-09-28T00:00:00", "type": "nessus", "title": "RHEL 6 : kernel (RHSA-2016:1939)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5696"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "cpe:/o:redhat:enterprise_linux:6.6"], "id": 
"REDHAT-RHSA-2016-1939.NASL", "href": "https://www.tenable.com/plugins/nessus/93762", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:1939. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93762);\n script_version(\"2.12\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2016-5696\");\n script_xref(name:\"RHSA\", value:\"2016:1939\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2016:1939)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 6.6\nExtended Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* It was found that the RFC 5961 challenge ACK rate limiting as\nimplemented in the Linux kernel's networking subsystem allowed an\noff-path attacker to leak certain information about a given connection\nby creating congestion on the global challenge ACK rate limit counter\nand then measuring the changes by probing packets. An off-path\nattacker could use this flaw to either terminate TCP connection and/or\ninject payload into non-secured TCP connection between two endpoints\non the network. 
(CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS\ndepartment of University of California in Riverside) for reporting\nthis issue.\n\nBug Fix(es) :\n\n* Previously, the BUG_ON() signal appeared in the fs_clear_inode()\nfunction where the nfs_have_writebacks() function reported a positive\nvalue for nfs_inode->npages. As a consequence, a kernel panic\noccurred. The provided patch performs a serialization by holding the\ninode i_lock over the check of PagePrivate and locking the request,\nwhich fixes this bug. (BZ#1365163)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:1939\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-5696\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6\\.6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.6\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-5696\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:1939\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:1939\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 
0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"kernel-2.6.32-504.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-2.6.32-504.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-2.6.32-504.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", reference:\"kernel-abi-whitelists-2.6.32-504.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"kernel-debug-2.6.32-504.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"s390x\", reference:\"kernel-debug-2.6.32-504.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.32-504.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"kernel-debug-debuginfo-2.6.32-504.52.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\"