Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.ALMA_LINUX_ALSA-2023-5093.NASL
HistorySep 14, 2023 - 12:00 a.m.

AlmaLinux 9 : kpatch-patch (ALSA-2023:5093)

2023-09-1400:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
6
almalinux 9
linux kernel
netfilter
nftables
privilege escalation
use-after-free
vulnerability
cve-2023-31248
cve-2023-3390
cve-2023-35001
cve-2023-3610
cve-2023-3776
cve-2023-4004
cve-2023-4147
nessus
JSON

The remote AlmaLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2023:5093 advisory.

  • Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; nft_chain_lookup_byid() failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace (CVE-2023-31248)

  • A use-after-free vulnerability was found in the Linux kernel’s netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97. (CVE-2023-3390)

  • Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace (CVE-2023-35001)

  • A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795. (CVE-2023-3610)

  • A use-after-free vulnerability in the Linux kernel’s net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
    (CVE-2023-3776)

  • A use-after-free flaw was found in the Linux kernel’s netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system. (CVE-2023-4004)

  • A use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
    (CVE-2023-4147)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# AlmaLinux Security Advisory ALSA-2023:5093.
##

include('compat.inc');

if (description)
{
  script_id(181439);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/23");

  script_cve_id(
    "CVE-2023-3390",
    "CVE-2023-3610",
    "CVE-2023-3776",
    "CVE-2023-4004",
    "CVE-2023-4147",
    "CVE-2023-31248",
    "CVE-2023-35001"
  );
  script_xref(name:"ALSA", value:"2023:5093");

  script_name(english:"AlmaLinux 9 : kpatch-patch (ALSA-2023:5093)");

  script_set_attribute(attribute:"synopsis", value:
"The remote AlmaLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote AlmaLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the
ALSA-2023:5093 advisory.

  - Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()`
    failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace
    (CVE-2023-31248)

  - A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in
    net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a
    dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local
    attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit
    1240eb93f0616b21c675416516ff3d74798fdc97. (CVE-2023-3390)

  - Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register
    contents when CAP_NET_ADMIN is in any user or network namespace (CVE-2023-35001)

  - A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to
    achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in
    the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend
    upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795. (CVE-2023-3610)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to
    achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an
    error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can
    control the reference counter and set it to zero, they can cause the reference to be freed, leading to a
    use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
    (CVE-2023-3776)

  - A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the
    nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local
    user to crash the system or potentially escalate their privileges on the system. (CVE-2023-4004)

  - A use-after-free flaw was found in the Linux kernel's Netfilter functionality when adding a rule with
    NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
    (CVE-2023-4147)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://errata.almalinux.org/9/ALSA-2023-5093.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-4147");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(125, 416);

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/06/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/09/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:kernel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::appstream");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::baseos");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::crb");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::highavailability");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::nfv");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::realtime");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::resilientstorage");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::sap");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::sap_hana");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::supplementary");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Alma Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AlmaLinux/release", "Host/AlmaLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('ksplice.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/AlmaLinux/release');
if (isnull(os_release) || 'AlmaLinux' >!< os_release) audit(AUDIT_OS_NOT, 'AlmaLinux');
var os_ver = pregmatch(pattern: "AlmaLinux release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');
os_ver = os_ver[1];
if (! preg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'AlmaLinux 9.x', 'AlmaLinux ' + os_ver);

if (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  rm_kb_item(name:'Host/uptrack-uname-r');
  var cve_list = make_list('CVE-2023-3390', 'CVE-2023-3610', 'CVE-2023-3776', 'CVE-2023-4004', 'CVE-2023-4147', 'CVE-2023-31248', 'CVE-2023-35001');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ALSA-2023:5093');
  }
  else
  {
    __rpm_report = ksplice_reporting_text();
  }
}
var pkgs = [
    {'reference':'kernel-5.14.0-284.11.1.el9_2', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'Alma-' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel');
}
VendorProductVersionCPE
almalinux9cpe:/o:alma:linux:9::supplementary
almalinux9cpe:/o:alma:linux:9::baseos
almalinux9cpe:/o:alma:linux:9::sap
almalinux9cpe:/o:alma:linux:9::highavailability
almalinux9cpe:/o:alma:linux:9::appstream
almalinux9cpe:/o:alma:linux:9::resilientstorage
almalinux9cpe:/o:alma:linux:9::sap_hana
almalinuxkernelp-cpe:/a:alma:linux:kernel
almalinux9cpe:/o:alma:linux:9
almalinux9cpe:/o:alma:linux:9::realtime
Rows per page:
1-10 of 121

Related

redhat 21
nessus 74
oraclelinux 2
osv 15
almalinux 3
rocky 3
photon 1
openvas 23
debian 3
mageia 2
ibm 2
fedora 6
ubuntu 9
prion 6
cvelist 5
debiancve 4
zdi 2
redhatcve 4
ubuntucve 5
cve 2
cnvd 2
githubexploit 1
cbl_mariner 4
redhat
redhat
(RHSA-2023:5093) Important: kpatch-patch security update
2023-09-12 07:46:19
(RHSA-2023:5091) Important: kernel-rt security and bug fix update
2023-09-12 07:45:53
(RHSA-2023:5069) Important: kernel security, bug fix, and enhancement update
2023-09-12 07:41:41
nessus
nessus
RHEL 9 : kpatch-patch (RHSA-2023:5093)
2023-09-12 00:00:00
Oracle Linux 9 : kernel (ELSA-2023-5069)
2023-09-15 00:00:00
AlmaLinux 9 : kernel (ALSA-2023:5069)
2023-09-14 00:00:00
oraclelinux
oraclelinux
kernel security, bug fix, and enhancement update
2023-09-15 00:00:00
kernel security, bug fix, and enhancement update
2023-09-21 00:00:00
osv
osv
Important: kernel-rt security and bug fix update
2023-09-19 12:09:59
Important: kernel security, bug fix, and enhancement update
2023-09-12 00:00:00
Important: kernel-rt security and bug fix update
2023-09-12 00:00:00
almalinux
almalinux
Important: kernel security, bug fix, and enhancement update
2023-09-12 00:00:00
Important: kernel-rt security and bug fix update
2023-09-12 00:00:00
Important: kernel security, bug fix, and enhancement update
2023-09-19 00:00:00
rocky
rocky
kernel-rt security and bug fix update
2023-09-19 12:09:59
kernel security, bug fix, and enhancement update
2023-09-26 13:26:05
kernel security, bug fix, and enhancement update
2023-10-06 22:19:15
photon
photon
Important Photon OS Security Update - PHSA-2023-4.0-0457
2023-08-25 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-3512-1)
2023-08-04 00:00:00
Mageia: Security Advisory (MGASA-2023-0237)
2023-07-20 00:00:00
Fedora: Security Advisory for kernel (FEDORA-2023-3661f028b8)
2023-07-26 00:00:00
debian
debian
[SECURITY] [DLA 3512-1] linux-5.10 security update
2023-08-02 15:01:01
[SECURITY] [DSA 5453-1] linux security update
2023-07-16 21:40:23
[SECURITY] [DSA 5461-1] linux security update
2023-07-30 07:30:39
mageia
mageia
Updated kernel packages fix security vulnerabilities
2023-07-19 22:53:31
Updated kernel-linus packages fix security vulnerabilities
2023-07-27 01:07:49
ibm
ibm
Security Bulletin: Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management
2023-12-15 13:15:03
Security Bulletin: IBM Security Guardium is affected by multiple OS level vulnerabilities
2023-11-14 16:30:38
fedora
fedora
[SECURITY] Fedora 37 Update: kernel-6.4.4-100.fc37
2023-07-23 01:25:12
[SECURITY] Fedora 37 Update: kernel-headers-6.4.4-100.fc37
2023-07-23 01:25:12
[SECURITY] Fedora 38 Update: kernel-headers-6.4.4-200.fc38
2023-07-23 01:30:41
ubuntu
ubuntu
Linux kernel (Intel IoTG) vulnerabilities
2023-07-26 00:00:00
Linux kernel vulnerabilities
2023-07-25 00:00:00
Kernel Live Patch Security Notice
2023-09-05 00:00:00
prion
prion
Privilege escalation
2023-07-05 19:15:00
Out-of-bounds
2023-07-05 19:15:00
Design/Logic Flaw
2023-07-31 17:15:00
cvelist
cvelist
Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability
2023-07-05 18:33:59
Use-after-free in Linux kernel's netfilter subsystem
2023-06-28 20:02:07
Kernel: netfilter: nf_tables_newrule when adding a rule with nfta_rule_chain_id leads to use-after-free
2023-08-07 13:19:43
debiancve
debiancve
CVE-2023-31248
2023-07-05 19:15:09
CVE-2023-4004
2023-07-31 17:15:10
CVE-2023-3390
2023-06-28 21:15:10
zdi
zdi
(Pwn2Own) Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability
2023-07-06 00:00:00
(Pwn2Own) Linux Kernel nftables Incorrect Pointer Scaling Local Privilege Escalation Vulnerability
2023-07-06 00:00:00
redhatcve
redhatcve
CVE-2023-31248
2023-07-10 18:17:47
CVE-2023-4004
2023-07-30 12:18:44
CVE-2023-35001
2023-07-10 16:27:59
ubuntucve
ubuntucve
CVE-2023-31248
2023-07-05 00:00:00
CVE-2023-4004
2023-07-31 00:00:00
CVE-2023-35001
2023-07-05 00:00:00
cve
cve
CVE-2023-31248
2023-07-05 19:15:09
CVE-2023-4004
2023-07-31 16:22:18
cnvd
cnvd
Linux kernel memory misreference vulnerability (CNVD-2023-62923)
2023-08-03 00:00:00
Linux kernel memory misreference vulnerability (CNVD-2023-64509)
2023-08-12 00:00:00
githubexploit
githubexploit
Exploit for Out-of-bounds Write in Linux Linux Kernel
2023-09-04 03:25:01
cbl_mariner
cbl_mariner
CVE-2023-4004 affecting package kernel for versions less than 5.15.126.1-1
2023-08-30 14:44:06
CVE-2023-3390 affecting package kernel for versions less than 5.15.122.1-2
2023-08-10 16:37:57
CVE-2023-4147 affecting package kernel for versions less than 5.15.126.1-1
2023-08-30 14:44:06
JSON
Related for ALMA_LINUX_ALSA-2023-5093.NASL
redhat21nessus74oraclelinux2osv15almalinux3rocky3photon1openvas23debian3mageia2ibm2fedora6ubuntu9prion6cvelist5debiancve4zdi2redhatcve4ubuntucve5cve2cnvd2githubexploit1cbl_mariner4