Lucene search
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.MARINER_KERNEL_CVE-2023-0461.NASLHistoryMar 28, 2023 - 12:00 a.m.
CBL Mariner 2.0 Security Update: kernel (CVE-2023-0461)
2023-03-2800:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
16
The version of kernel installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-0461 advisory.
- There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c (CVE-2023-0461)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(173465);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/08/29");
script_cve_id("CVE-2023-0461");
script_name(english:"CBL Mariner 2.0 Security Update: kernel (CVE-2023-0461)");
script_set_attribute(attribute:"synopsis", value:
"The remote CBL Mariner host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The version of kernel installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore,
affected by a vulnerability as referenced in the CVE-2023-0461 advisory.
- There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local
privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or
CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a
use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can
install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this
socket is disconnected and reused as a listener. If a new socket is created from the listener, the context
is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend
upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c (CVE-2023-0461)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2023-0461");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-0461");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/02/28");
script_set_attribute(attribute:"patch_publication_date", value:"2023/03/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/28");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:bpftool");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:kernel-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:kernel-docs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:kernel-drivers-accessibility");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:kernel-drivers-gpu");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:kernel-drivers-sound");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:kernel-dtb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:cbl-mariner:python3-perf");
script_set_attribute(attribute:"cpe", value:"x-cpe:/o:microsoft:cbl-mariner");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"MarinerOS Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/CBLMariner/release", "Host/CBLMariner/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item('Host/CBLMariner/release');
if (isnull(release) || 'CBL-Mariner' >!< release) audit(AUDIT_OS_NOT, 'CBL-Mariner');
var os_ver = pregmatch(pattern: "CBL-Mariner ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CBL-Mariner');
os_ver = os_ver[1];
if (! preg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'CBL-Mariner 2.0', 'CBL-Mariner ' + os_ver);
if (!get_kb_item('Host/CBLMariner/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu)
audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CBL-Mariner', cpu);
var pkgs = [
{'reference':'bpftool-5.15.102.1-1.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'bpftool-5.15.102.1-1.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-5.15.102.1-1.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-5.15.102.1-1.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-debuginfo-5.15.102.1-1.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-debuginfo-5.15.102.1-1.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-devel-5.15.102.1-1.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-devel-5.15.102.1-1.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-docs-5.15.102.1-1.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-docs-5.15.102.1-1.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-drivers-accessibility-5.15.102.1-1.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-drivers-accessibility-5.15.102.1-1.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-drivers-gpu-5.15.102.1-1.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-drivers-gpu-5.15.102.1-1.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-drivers-sound-5.15.102.1-1.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-drivers-sound-5.15.102.1-1.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-dtb-5.15.102.1-1.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-tools-5.15.102.1-1.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-tools-5.15.102.1-1.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python3-perf-5.15.102.1-1.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python3-perf-5.15.102.1-1.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'CBLMariner-' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-debuginfo / kernel-devel / kernel-docs / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| microsoft | cbl-mariner | bpftool | p-cpe:/a:microsoft:cbl-mariner:bpftool |
| microsoft | cbl-mariner | kernel | p-cpe:/a:microsoft:cbl-mariner:kernel |
| microsoft | cbl-mariner | kernel-debuginfo | p-cpe:/a:microsoft:cbl-mariner:kernel-debuginfo |
| microsoft | cbl-mariner | kernel-devel | p-cpe:/a:microsoft:cbl-mariner:kernel-devel |
| microsoft | cbl-mariner | kernel-docs | p-cpe:/a:microsoft:cbl-mariner:kernel-docs |
| microsoft | cbl-mariner | kernel-drivers-accessibility | p-cpe:/a:microsoft:cbl-mariner:kernel-drivers-accessibility |
| microsoft | cbl-mariner | kernel-drivers-gpu | p-cpe:/a:microsoft:cbl-mariner:kernel-drivers-gpu |
| microsoft | cbl-mariner | kernel-drivers-sound | p-cpe:/a:microsoft:cbl-mariner:kernel-drivers-sound |
| microsoft | cbl-mariner | kernel-dtb | p-cpe:/a:microsoft:cbl-mariner:kernel-dtb |
| microsoft | cbl-mariner | kernel-tools | p-cpe:/a:microsoft:cbl-mariner:kernel-tools |
Related
ubuntucve
ubuntucve
CVE-2023-0461
2023-02-22 00:00:00
cbl_mariner
cbl_mariner
CVE-2023-0461 affecting package kernel for versions less than 5.15.102.1-1
2023-03-24 23:56:03
CVE-2023-0461 affecting package kernel 5.10.172.1-1
2023-04-07 04:59:28
veracode
veracode
Use-After-Free
2023-03-06 20:47:27
nessus
nessus
RHEL 8 : kernel (RHSA-2023:1841)
2023-04-20 00:00:00
RHEL 8 : kpatch-patch (RHSA-2023:1923)
2023-04-21 00:00:00
RHEL 8 : kernel-rt (RHSA-2023:1556)
2023-04-04 00:00:00
cve
cve
CVE-2023-0461
2023-02-28 15:15:11
redhatcve
redhatcve
CVE-2023-0461
2023-03-07 15:59:40
redhat
redhat
(RHSA-2023:1841) Important: kernel security and bug fix update
2023-04-18 16:09:23
(RHSA-2023:1923) Important: kpatch-patch security update
2023-04-21 08:10:58
(RHSA-2023:3191) Important: kpatch-patch security update
2023-05-17 15:13:12
f5
f5
K000135122 : Linux kernel vulnerability CVE-2023-0461
2023-06-20 00:00:00
githubexploit
githubexploit
Exploit for Use After Free in Linux Linux Kernel
2023-05-11 05:21:28
Exploit for Use After Free in Linux Linux Kernel
2023-05-11 01:00:45
Exploit for Use After Free in Linux Linux Kernel
2023-05-09 10:44:10
prion
prion
Design/Logic Flaw
2023-02-28 15:15:00
debiancve
debiancve
CVE-2023-0461
2023-02-28 15:15:11
ibm
ibm
ubuntu
ubuntu
Kernel Live Patch Security Notice
2023-03-27 00:00:00
Linux kernel vulnerabilities
2023-03-06 00:00:00
Linux kernel (OEM) vulnerabilities
2023-03-03 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2023:4883-1)
2023-12-18 00:00:00
openSUSE: Security Advisory for the Linux Kernel (SUSE-SU-2023:4882-1)
2024-03-04 00:00:00
Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2023-1956)
2023-05-18 00:00:00
osv
osv
linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
2023-03-06 23:22:29
linux-oem-5.14, linux-oem-5.17 vulnerabilities
2023-03-03 00:28:16
linux-oem-6.0 vulnerabilities
2023-03-03 00:49:19
amazon
amazon
Important: kernel
2023-03-17 15:53:00
Important: kernel
2023-02-03 19:19:00
photon
photon
Important Photon OS Security Update - PHSA-2023-3.0-0527
2023-02-07 00:00:00
Related for MARINER_KERNEL_CVE-2023-0461.NASL