MiracleLinux 7 : kernel-3.10.0-327.28.2.el7 (AXSA:2016-647:05)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2016-647:05.
##

include('compat.inc');

if (description)
{
  script_id(291575);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/05");

  script_cve_id("CVE-2015-8660", "CVE-2016-2143", "CVE-2016-4470");

  script_name(english:"MiracleLinux 7 : kernel-3.10.0-327.28.2.el7 (AXSA:2016-647:05)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2016-647:05 advisory.

    The kernel package contains the Linux kernel (vmlinuz), the core of any
    Linux operating system.  The kernel handles the basic functions
    of the operating system: memory allocation, process allocation, device
    input and output, etc.
    Security issues fixed with this release:
    CVE-2015-8660
    The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel
    through 4.3.3 attempts to merge distinct setattr operations, which
    allows local users to bypass intended access restrictions and modify
    the attributes of arbitrary overlay files via a crafted application.
    CVE-2016-2143
    The fork implementation in the Linux kernel before 4.5 on s390
    platforms mishandles the case of four page-table levels, which allows
    local users to cause a denial of service (system crash) or possibly
    have unspecified other impact via a crafted application, related to
    arch/s390/include/asm/mmu_context.h and
    arch/s390/include/asm/pgalloc.h.
    CVE-2016-4470
    The key_reject_and_link function in security/keys/key.c in the Linux
    kernel through 4.6.3 does not ensure that a certain data structure is
    initialized, which allows local users to cause a denial of service
    (system crash) via vectors involving a crafted keyctl request2
    command.
    Fixed bugs:
    * The glibc headers and the Linux headers share certain definitions of key structures that are required to
    be defined in kernel and in userspace. In some instances both userspace and sanitized kernel headers have
    to be included in order to get the structure definitions required by the user program. Unfortunately
    because the glibc and Linux headers don't coordinate this can result in compilation errors. The glibc
    headers have therefore been fixed to coordinate with Linux UAPI-based headers. With the header
    coordination compilation errors no longer occur.
    * When running the TCP/IPv6 traffic over the mlx4_en networking interface on the big endian architectures,
    call traces reporting about a hw csum failure could occur. With this update, the mlx4_en driver has been
    fixed by correction of the checksum calculation for the big endian architectures. As a result, the call
    trace error no longer appears in the log messages.
    * Under significant load, some applications such as logshifter could generate bursts of log messages too
    large for the system logger to spool. Due to a race condition, log messages from that application could
    then be lost even after the log volume dropped to manageable levels. This update fixes the kernel
    mechanism used to notify the transmitter end of the socket used by the system logger that more space is
    available on the receiver side, removing a race condition which previously caused the sender to stop
    transmitting new messages and allowing all log messages to be processed correctly.
    * Previously, after heavy open or close of the Accelerator Function Unit (AFU) contexts, the interrupt
    packet went out and the AFU context did not see any interrupts. Consequently, a kernel panic could occur.
    The provided patch set fixes handling of the interrupt requests, and kernel panic no longer occurs in the
    described situation.
    * net: recvfrom would fail on short buffer.
    These updated kernel packages include several security issues and numerous bug fixes, some of which you
    can see below.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/7079");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-8660");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2016-2143");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Overlayfs Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-abi-whitelists");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:7");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^7([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 7.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '7',
    'pkgs': [
      {'reference':'kernel-3.10.0-327.28.2.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-abi-whitelists-3.10.0-327.28.2.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-debug-3.10.0-327.28.2.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-debug-devel-3.10.0-327.28.2.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-devel-3.10.0-327.28.2.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-headers-3.10.0-327.28.2.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-tools-3.10.0-327.28.2.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'kernel-tools-libs-3.10.0-327.28.2.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'perf-3.10.0-327.28.2.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'python-perf-3.10.0-327.28.2.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc');
}