nessus · DEBIAN_DSA-2669.NASL · This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
History: May 17, 2013 - 12:00 a.m.

Debian DSA-2669-1 : linux - privilege escalation/denial of service/information leak

2013-05-17 00:00:00
This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation. The Common Vulnerabilities and Exposures project identifies the following problems :

  • CVE-2013-0160 vladz reported a timing leak with the /dev/ptmx character device. A local user could use this to determine sensitive information such as password length.

  • CVE-2013-1796 Andrew Honig of Google reported an issue in the KVM subsystem. A user in a guest operating system could corrupt kernel memory, resulting in a denial of service.

  • CVE-2013-1929 Oded Horovitz and Brad Spengler reported an issue in the device driver for Broadcom Tigon3 based gigabit Ethernet. Users with the ability to attach untrusted devices can create an overflow condition, resulting in a denial of service or elevated privileges.

  • CVE-2013-1979 Andy Lutomirski reported an issue in the socket level control message processing subsystem. Local users may be able to gain elevated privileges.

  • CVE-2013-2015 Theodore Ts’o provided a fix for an issue in the ext4 filesystem. Local users with the ability to mount a specially crafted filesystem can cause a denial of service (infinite loop).

  • CVE-2013-2094 Tommie Rantala discovered an issue in the perf subsystem. An out-of-bounds access vulnerability allows local users to gain elevated privileges.

  • CVE-2013-3076 Mathias Krause discovered an issue in the userspace interface for hash algorithms. Local users can gain access to sensitive kernel memory.

  • CVE-2013-3222 Mathias Krause discovered an issue in the Asynchronous Transfer Mode (ATM) protocol support. Local users can gain access to sensitive kernel memory.

  • CVE-2013-3223 Mathias Krause discovered an issue in the Amateur Radio AX.25 protocol support. Local users can gain access to sensitive kernel memory.

  • CVE-2013-3224 Mathias Krause discovered an issue in the Bluetooth subsystem. Local users can gain access to sensitive kernel memory.

  • CVE-2013-3225 Mathias Krause discovered an issue in the Bluetooth RFCOMM protocol support. Local users can gain access to sensitive kernel memory.

  • CVE-2013-3227 Mathias Krause discovered an issue in the Communication CPU to Application CPU Interface (CAIF). Local users can gain access to sensitive kernel memory.

  • CVE-2013-3228 Mathias Krause discovered an issue in the IrDA (infrared) subsystem support. Local users can gain access to sensitive kernel memory.

  • CVE-2013-3229 Mathias Krause discovered an issue in the IUCV support on s390 systems. Local users can gain access to sensitive kernel memory.

  • CVE-2013-3231 Mathias Krause discovered an issue in the ANSI/IEEE 802.2 LLC type 2 protocol support. Local users can gain access to sensitive kernel memory.

  • CVE-2013-3234 Mathias Krause discovered an issue in the Amateur Radio X.25 PLP (Rose) protocol support. Local users can gain access to sensitive kernel memory.

  • CVE-2013-3235 Mathias Krause discovered an issue in the Transparent Inter Process Communication (TIPC) protocol support.
    Local users can gain access to sensitive kernel memory.

  • CVE-2013-3301 Namhyung Kim reported an issue in the tracing subsystem.
    A privileged local user could cause a denial of service (system crash). This vulnerability is not applicable to Debian systems by default.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-2669. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Registration phase: when the engine loads the plugin with `description` set,
# only the metadata below is recorded and the script exits (exit(0) at the end
# of this block) before any host check runs. Every string here is emitted
# verbatim in scan reports.
if (description)
{
  script_id(66486);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/09/16");

  # All CVEs covered by DSA-2669. The plugin performs a single package-version
  # check, so a finding is reported against the whole set rather than against
  # an individual CVE.
  script_cve_id(
    "CVE-2013-0160",
    "CVE-2013-1796",
    "CVE-2013-1929",
    "CVE-2013-1979",
    "CVE-2013-2015",
    "CVE-2013-2094",
    "CVE-2013-3076",
    "CVE-2013-3222",
    "CVE-2013-3223",
    "CVE-2013-3224",
    "CVE-2013-3225",
    "CVE-2013-3227",
    "CVE-2013-3228",
    "CVE-2013-3229",
    "CVE-2013-3231",
    "CVE-2013-3234",
    "CVE-2013-3235",
    "CVE-2013-3301"
  );
  script_bugtraq_id(
    57176,
    58607,
    58908,
    59055,
    59377,
    59380,
    59381,
    59383,
    59385,
    59388,
    59389,
    59390,
    59393,
    59397,
    59398,
    59512,
    59538
  );
  script_xref(name:"DSA", value:"2669");
  # NOTE(review): the value is a date (YYYY/MM/DD), presumably the remediation
  # due date from the CISA Known Exploited Vulnerabilities catalog. The xref
  # does not say which of the CVEs above it applies to (likely CVE-2013-2094,
  # the perf issue) - confirm against the catalog before prioritising.
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/10/06");

  script_name(english:"Debian DSA-2669-1 : linux - privilege escalation/denial of service/information leak");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
  # Advisory text extracted from DSA-2669 (see the file header); kept verbatim.
  script_set_attribute(attribute:"description", value:
"Several vulnerabilities have been discovered in the Linux kernel that
may lead to a denial of service, information leak or privilege
escalation. The Common Vulnerabilities and Exposures project
identifies the following problems :

  - CVE-2013-0160
    vladz reported a timing leak with the /dev/ptmx
    character device. A local user could use this to
    determine sensitive information such as password length.

  - CVE-2013-1796
    Andrew Honig of Google reported an issue in the KVM
    subsystem. A user in a guest operating system could
    corrupt kernel memory, resulting in a denial of service.

  - CVE-2013-1929
    Oded Horovitz and Brad Spengler reported an issue in the
    device driver for Broadcom Tigon3 based gigabit
    Ethernet. Users with the ability to attach untrusted
    devices can create an overflow condition, resulting in a
    denial of service or elevated privileges.

  - CVE-2013-1979
    Andy Lutomirski reported an issue in the socket level
    control message processing subsystem. Local users may be
    able to gain eleveated privileges.

  - CVE-2013-2015
    Theodore Ts'o provided a fix for an issue in the ext4
    filesystem. Local users with the ability to mount a
    specially crafted filesystem can cause a denial of
    service (infinite loop).

  - CVE-2013-2094
    Tommie Rantala discovered an issue in the perf
    subsystem. An out-of-bounds access vulnerability allows
    local users to gain elevated privileges.

  - CVE-2013-3076
    Mathias Krause discovered an issue in the userspace
    interface for hash algorithms. Local users can gain
    access to sensitive kernel memory.

  - CVE-2013-3222
    Mathias Krause discovered an issue in the Asynchronous
    Transfer Mode (ATM) protocol support. Local users can
    gain access to sensitive kernel memory.

  - CVE-2013-3223
    Mathias Krause discovered an issue in the Amateur Radio
    AX.25 protocol support. Local users can gain access to
    sensitive kernel memory.

  - CVE-2013-3224
    Mathias Krause discovered an issue in the Bluetooth
    subsystem. Local users can gain access to sensitive
    kernel memory.

  - CVE-2013-3225
    Mathias Krause discovered an issue in the Bluetooth
    RFCOMM protocol support. Local users can gain access to
    sensitive kernel memory.

  - CVE-2013-3227
    Mathias Krause discovered an issue in the Communication
    CPU to Application CPU Interface (CAIF). Local users can
    gain access to sensitive kernel memory.

  - CVE-2013-3228
    Mathias Krause discovered an issue in the IrDA
    (infrared) subsystem support. Local users can gain
    access to sensitive kernel memory.

  - CVE-2013-3229
    Mathias Krause discovered an issue in the IUCV support
    on s390 systems. Local users can gain access to
    sensitive kernel memory.

  - CVE-2013-3231
    Mathias Krause discovered an issue in the ANSI/IEEE
    802.2 LLC type 2 protocol support. Local users can gain
    access to sensitive kernel memory.

  - CVE-2013-3234
    Mathias Krause discovered an issue in the Amateur Radio
    X.25 PLP (Rose) protocol support. Local users can gain
    access to sensitive kernel memory.

  - CVE-2013-3235
    Mathias Krause discovered an issue in the Transparent
    Inter Process Communication (TIPC) protocol support.
    Local users can gain access to sensitive kernel memory.

  - CVE-2013-3301
    Namhyung Kim reported an issue in the tracing subsystem.
    A privileged local user could cause a denial of service
    (system crash). This vulnerabililty is not applicable to
    Debian systems by default.");
  # One Debian security-tracker link per CVE, followed by the advisory itself.
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-0160");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-1796");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-1929");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-1979");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-2015");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-2094");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-3076");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-3222");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-3223");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-3224");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-3225");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-3227");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-3228");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-3229");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-3231");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-3234");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-3235");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-3301");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2013/dsa-2669");
  # NOTE(review): the solution text is the advisory's own wording; the
  # architecture-availability note describes the state at advisory time. The
  # fixed version named here (3.2.41-2+deb7u1) is the same reference the
  # version check at the bottom of the script compares against.
  script_set_attribute(attribute:"solution", value:
"Upgrade the linux and user-mode-linux packages.

For the stable distribution (wheezy), this problem has been fixed in
version 3.2.41-2+deb7u1.

Note: Updates are currently available for the amd64, i386, ia64, s390,
s390x and sparc architectures. Updates for the remaining architectures
will be released as they become available.

The following matrix lists additional source packages that were
rebuilt for compatibility with or to take advantage of this update :

                      Debian 7.0 (wheezy)  
  user-mode-linux      3.2-2um-1+deb7u1     
Note: Debian carefully tracks all known security issues across every
linux kernel package in all releases under active security support.
However, given the high frequency at which low-severity security
issues are discovered in the kernel and the resource requirements of
doing an update, updates for lower priority issues will normally not
be released for all kernels at the same time. Rather, they will be
released in a staggered or 'leap-frog' fashion.");
  # CVSS v2 base vector: local access (AV:L), low complexity, no
  # authentication, complete confidentiality/integrity/availability impact.
  # A single vector covers the whole advisory, so it presumably tracks the
  # most severe issue (the privilege-escalation CVEs), not each CVE.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  # Temporal vector: proof-of-concept exploit (E:POC), official fix (RL:OF),
  # confirmed report (RC:C).
  # NOTE(review): E:POC reads weaker than the attributes just below, which
  # flag exploit-framework coverage and use by malware; triage on those.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  # Exploit-maturity metadata for the advisory as a whole; these lines do not
  # say which CVE each flag refers to.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/02/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/05/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/17");

  # "local" plugin type: the result comes from data gathered on the host (see
  # the required KB keys below), not from probing a network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # ssh_get_info.nasl is declared as a prerequisite; presumably it populates
  # the Host/* KB entries below from an authenticated session - confirm.
  script_dependencies("ssh_get_info.nasl");
  # Required KB entries: local checks enabled, a Debian release string, and
  # (by its name) the `dpkg -l` package listing. Without credentialed data the
  # plugin produces no finding, which is not the same as "not vulnerable".
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  # Registration ends here; the checks further down only run in a scan.
  exit(0);
}


include("audit.inc");
include("debian_package.inc");


# Preconditions: each guard hands control to audit() with the matching reason
# code when the knowledge-base entry is absent. An audit result from these
# guards means the host could not be assessed, not that it is patched.

# Credentialed (local) checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# The host must have been identified as Debian.
if (!get_kb_item("Host/Debian/release"))
{
  audit(AUDIT_OS_NOT, "Debian");
}

# The installed-package listing must have been collected.
if (!get_kb_item("Host/Debian/dpkg-l"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}


# Version check. deb_check() comes from debian_package.inc (not shown here);
# presumably it compares installed packages on Debian 7.0 whose names start
# with "linux" against the fixed version 3.2.41-2+deb7u1 and returns true when
# an older one is found - confirm against the include.
#
# NOTE(review): the decision is based on installed package versions, not on
# the kernel that is actually running. A host that installed the fixed package
# but has not rebooted can be reported as not affected while still running the
# vulnerable kernel; verify the running kernel version separately.
# Only release "7.0" is checked, so other Debian releases fall through to the
# "not affected" audit.
flag = 0;
if (deb_check(release:"7.0", prefix:"linux", reference:"3.2.41-2+deb7u1"))
{
  flag = flag + 1;
}

if (!flag)
{
  # No outdated package matched: record the host as not affected.
  audit(AUDIT_HOST_NOT, "affected");
}
else
{
  # Report at the plugin's highest severity on port 0 (a host-level finding).
  # With verbosity enabled the report carries the package details gathered by
  # deb_report_get().
  if (report_verbosity > 0)
  {
    security_hole(port:0, extra:deb_report_get());
  }
  else
  {
    security_hole(0);
  }
  exit(0);
}

References