MiracleLinux 7 : kernel-3.10.0-514.el7 (AXSA:2016-1135:09)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2016-1135:09.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(289409);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/09");

  script_cve_id(
    "CVE-2013-4312",
    "CVE-2015-8374",
    "CVE-2015-8543",
    "CVE-2015-8746",
    "CVE-2015-8812",
    "CVE-2015-8844",
    "CVE-2015-8845",
    "CVE-2015-8956",
    "CVE-2016-2053",
    "CVE-2016-2069",
    "CVE-2016-2117",
    "CVE-2016-2384",
    "CVE-2016-2847",
    "CVE-2016-3070",
    "CVE-2016-3156",
    "CVE-2016-3699",
    "CVE-2016-3841",
    "CVE-2016-4569",
    "CVE-2016-4578",
    "CVE-2016-4581",
    "CVE-2016-4794",
    "CVE-2016-5412",
    "CVE-2016-5828",
    "CVE-2016-5829",
    "CVE-2016-6136",
    "CVE-2016-6198",
    "CVE-2016-6327",
    "CVE-2016-6480"
  );

  script_name(english:"MiracleLinux 7 : kernel-3.10.0-514.el7 (AXSA:2016-1135:09)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2016-1135:09 advisory.

    The kernel package contains the Linux kernel (vmlinuz), the core of any
    Linux operating system.  The kernel handles the basic functions
    of the operating system: memory allocation, process allocation, device
    input and output, etc.
    Security issues fixed with this release:
    CVE-2013-4312
    The Linux kernel before 4.4.1 allows local users to bypass
    file-descriptor limits and cause a denial of service (memory
    consumption) by sending each descriptor over a UNIX socket before
    closing it, related to net/unix/af_unix.c and net/unix/garbage.c.
    CVE-2015-8374
    fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles
    compressed inline extents, which allows local users to obtain
    sensitive pre-truncation information from a file via a clone action.
    CVE-2015-8543
    The networking implementation in the Linux kernel through 4.3.3, as
    used in Android and other products, does not validate protocol
    identifiers for certain protocol families, which allows local users to
    cause a denial of service (NULL function pointer dereference and
    system crash) or possibly gain privileges by leveraging CLONE_NEWUSER
    support to execute a crafted SOCK_RAW application.
    CVE-2015-8746
    fs/nfs/nfs4proc.c in the NFS client in the Linux kernel before 4.2.2
    does not properly initialize memory for migration recovery operations,
    which allows remote NFS servers to cause a denial of service (NULL
    pointer dereference and panic) via crafted network traffic.
    CVE-2015-8812
    drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5
    does not properly identify error conditions, which allows remote
    attackers to execute arbitrary code or cause a denial of service
    (use-after-free) via crafted packets.
    CVE-2015-8844
    The signal implementation in the Linux kernel before 4.3.5 on powerpc
    platforms does not check for an MSR with both the S and T bits set,
    which allows local users to cause a denial of service (TM Bad Thing
    exception and panic) via a crafted application.
    CVE-2015-8845
    The tm_reclaim_thread function in arch/powerpc/kernel/process.c in the
    Linux kernel before 4.4.1 on powerpc platforms does not ensure that TM
    suspend mode exists before proceeding with a tm_reclaim call, which
    allows local users to cause a denial of service (TM Bad Thing
    exception and panic) via a crafted application.
    CVE-2015-8956
    The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the
    Linux kernel before 4.2 allows local users to obtain sensitive
    information or cause a denial of service (NULL pointer dereference)
    via vectors involving a bind system call on a Bluetooth RFCOMM socket.
    CVE-2016-2053
    The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux
    kernel before 4.3 allows attackers to cause a denial of service
    (panic) via an ASN.1 BER file that lacks a public key, leading to
    mishandling by the public_key_verify_signature function in
    crypto/asymmetric_keys/public_key.c.
    CVE-2016-2069
    Race condition in arch/x86/mm/tlb.c in the Linux kernel before 4.4.1
    allows local users to gain privileges by triggering access to a paging
    structure by a different CPU.
    CVE-2016-2117
    The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in
    the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O,
    which allows remote attackers to obtain sensitive information from
    kernel memory by reading packet data.
    CVE-2016-2384
    Double free vulnerability in the snd_usbmidi_create function in
    sound/usb/midi.c in the Linux kernel before 4.5 allows physically
    proximate attackers to cause a denial of service (panic) or possibly
    have unspecified other impact via vectors involving an invalid USB
    descriptor.
    CVE-2016-2847
    fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of
    unread data in pipes, which allows local users to cause a denial of
    service (memory consumption) by creating many pipes with non-default
    sizes.
    CVE-2016-3070
    The trace_writeback_dirty_page implementation in
    include/trace/events/writeback.h in the Linux kernel before 4.4
    improperly interacts with mm/migrate.c, which allows local users to
    cause a denial of service (NULL pointer dereference and system crash)
    or possibly have unspecified other impact by triggering a certain page
    move.
    CVE-2016-3156
    The IPv4 implementation in the Linux kernel before 4.5.2 mishandles
    destruction of device objects, which allows guest OS users to cause a
    denial of service (host OS networking outage) by arranging for a large
    number of IP addresses.
    CVE-2016-3699
    The Linux kernel, as used in Red Hat Enterprise Linux 7.2 and Red Hat
    Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows
    local users to bypass intended Secure Boot restrictions and execute
    untrusted code by appending ACPI tables to the initrd.
    CVE-2016-3841
    The IPv6 stack in the Linux kernel before 4.3.3 mishandles options
    data, which allows local users to gain privileges or cause a denial of
    service (use-after-free and system crash) via a crafted sendmsg system
    call.
    CVE-2016-4569
    The snd_timer_user_params function in sound/core/timer.c in the Linux
    kernel through 4.6 does not initialize a certain data structure, which
    allows local users to obtain sensitive information from kernel stack
    memory via crafted use of the ALSA timer interface.
    CVE-2016-4578
    sound/core/timer.c in the Linux kernel through 4.6 does not initialize
    certain r1 data structures, which allows local users to obtain
    sensitive information from kernel stack memory via crafted use of the
    ALSA timer interface, related to the (1) snd_timer_user_ccallback and
    (2) snd_timer_user_tinterrupt functions.
    CVE-2016-4581
    fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse
    a mount propagation tree in a certain case involving a slave mount,
    which allows local users to cause a denial of service (NULL pointer
    dereference and OOPS) via a crafted series of mount system calls.
    CVE-2016-4794
    Use-after-free vulnerability in mm/percpu.c in the Linux kernel
    through 4.6 allows local users to cause a denial of service (BUG) or
    possibly have unspecified other impact via crafted use of the mmap and
    bpf system calls.
    CVE-2016-5412
    arch/powerpc/kvm/book3s_hv_rmhandlers.S in the Linux kernel through
    4.7 on PowerPC platforms, when CONFIG_KVM_BOOK3S_64_HV is enabled,
    allows guest OS users to cause a denial of service (host OS infinite
    loop) by making a H_CEDE hypercall during the existence of a suspended
    transaction.
    CVE-2016-5828
    The start_thread function in arch/powerpc/kernel/process.c in the
    Linux kernel through 4.6.3 on powerpc platforms mishandles
    transactional state, which allows local users to cause a denial of
    service (invalid process state or TM Bad Thing exception, and system
    crash) or possibly have unspecified other impact by starting and
    suspending a transaction before an exec system call.
    CVE-2016-5829
    Multiple heap-based buffer overflows in the hiddev_ioctl_usage
    function in drivers/hid/usbhid/hiddev.c in the Linux kernel through
    4.6.3 allow local users to cause a denial of service or possibly have
    unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2)
    HIDIOCSUSAGES ioctl call.
    CVE-2016-6136
    Race condition in the audit_log_single_execve_arg function in
    kernel/auditsc.c in the Linux kernel through 4.7 allows local users to
    bypass intended character-set restrictions or disrupt system-call
    auditing by changing a certain string, aka a double fetch
    vulnerability.
    CVE-2016-6198
    The filesystem layer in the Linux kernel before 4.5.5 proceeds with
    post-rename operations after an OverlayFS file is renamed to a
    self-hardlink, which allows local users to cause a denial of service
    (system crash) via a rename system call, related to fs/namei.c and
    fs/open.c.
    CVE-2016-6327
    drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1
    allows local users to cause a denial of service (NULL pointer
    dereference and system crash) by using an ABORT_TASK command to abort
    a device write operation.
    CVE-2016-6480
    Race condition in the ioctl_send_fib function in
    drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows
    local users to cause a denial of service (out-of-bounds access or
    system crash) by changing a certain size value, aka a double fetch
    vulnerability.
    Additional Changes:

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/7567");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-8812");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/12/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-abi-whitelists");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:7");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^7([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 7.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '7',
    'pkgs': [
      {'reference':'kernel-3.10.0-514.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-abi-whitelists-3.10.0-514.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-debug-3.10.0-514.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-debug-devel-3.10.0-514.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-devel-3.10.0-514.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-headers-3.10.0-514.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-tools-3.10.0-514.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-tools-libs-3.10.0-514.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'perf-3.10.0-514.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'python-perf-3.10.0-514.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc');
}