CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
90.9%
The version of AOS installed on the remote host is prior to 5.16.0.1. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.16.0.1 advisory.
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
(CVE-2019-5544)
Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11729)
When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71. (CVE-2019-11745)
An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an
__blk_drain_queue() use-after-free because a certain error case is mishandled. (CVE-2018-20856)
A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences. (CVE-2019-10126)
A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network. (CVE-2019-3846)
The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka KNOB) that can decrypt traffic and inject arbitrary ciphertext without the victim noticing. (CVE-2019-9506)
An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory, aka ‘Windows Kernel Information Disclosure Vulnerability’. This CVE ID is unique from CVE-2019-1071, CVE-2019-1073. (CVE-2019-1125)
The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff is vulnerable to a heap buffer overflow. If the Wake-up on Wireless LAN functionality is configured, a malicious event frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This vulnerability can be exploited with compromised chipsets to compromise the host, or when used in combination with CVE-2019-9503, can be used remotely. In the worst case scenario, by sending specially- crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.
(CVE-2019-9500)
Improper invalidation for page table updates by a virtual guest operating system for multiple Intel® Processors may allow an authenticated user to potentially enable denial of service of the host system via local access. (CVE-2018-12207)
Insufficient access control in subsystem for Intel ® processor graphics in 6th, 7th, 8th and 9th Generation Intel® Core™ Processor Families; Intel® Pentium® Processor J, N, Silver and Gold Series; Intel® Celeron® Processor J, N, G3900 and G4900 Series; Intel® Atom® Processor A and E3900 Series; Intel® Xeon® Processor E3-1500 v5 and v6 and E-2100 Processor Families may allow an authenticated user to potentially enable denial of service via local access. (CVE-2019-0154)
TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11135)
A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel’s vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host. (CVE-2019-14835)
Insufficient access control in a subsystem for Intel ® processor graphics in 6th, 7th, 8th and 9th Generation Intel® Core™ Processor Families; Intel® Pentium® Processor J, N, Silver and Gold Series; Intel® Celeron® Processor J, N, G3900 and G4900 Series; Intel® Atom® Processor A and E3900 Series; Intel® Xeon® Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families; Intel® Graphics Driver for Windows before 26.20.100.6813 (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077), i915 Linux Driver for Intel® Processor Graphics before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an authenticated user to potentially enable escalation of privilege via local access. (CVE-2019-0155)
A flaw was found in the way Linux kernel KVM hypervisor before 4.18 emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest. (CVE-2018-10853)
The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used. (CVE-2018-13053)
An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation. (CVE-2018-13093)
An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. (CVE-2018-13094)
An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork. (CVE-2018-13095)
A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel- memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients. (CVE-2018-14625)
drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial of service (use-after-free). (CVE-2018-14734)
arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests. (CVE-2018-15594)
An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940. (CVE-2018-16658)
A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length which causes the read beyond the buffer boundaries, in certain cases causing a memory access fault and a system halt by accessing invalid memory address. This issue only affects kernel version 3.10.x as shipped with Red Hat Enterprise Linux 7. (CVE-2018-16885)
Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks.
If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions:
4.9.135, 4.14.78, 4.18.16, 4.19. (CVE-2018-18281)
An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)
Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c in the Linux kernel through 4.15.9 allows local users to cause a denial of service (memory consumption) by triggering an out-of-array error case. (CVE-2018-8087)
In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds write with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.
(CVE-2018-9363)
In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-71361580. (CVE-2018-9516)
In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. (CVE-2018-9517)
The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c. (CVE-2019-11599)
An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c.
This causes a Denial of Service, related to a use-after-free. (CVE-2019-11810)
fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem. (CVE-2019-11833)
A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1. (CVE-2019-3459)
A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1. (CVE-2019-3460)
A flaw was found in the Linux kernel’s vfio interface implementation that permits violation of the user’s locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is administratively granted ownership of the device, it may cause a system memory exhaustion and thus a denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable. (CVE-2019-3882)
An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)
The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server. (CVE-2019-5489)
The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. (CVE-2019-7222)
A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU FriBidi through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code by delivering crafted text content to a user, when this content is then rendered by an application that uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses Pango for text layout, as this internally uses FriBidi for bidirectional text layout. For example, the attacker can construct a crafted text file to be opened in GEdit, or a crafted IRC message to be viewed in HexChat. (CVE-2019-18397)
An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel’s KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer ‘struct kvm_coalesced_mmio’ object, wherein write indices ‘ring->first’ and ‘ring->last’ value could be supplied by a host user-space process. An unprivileged host user or process with access to ‘/dev/kvm’ device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system. (CVE-2019-14821)
In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation.
NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or 4.14.x longterm kernels before 4.14.139. (CVE-2019-15239)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(164593);
script_version("1.21");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/08");
script_cve_id(
"CVE-2018-7755",
"CVE-2018-8087",
"CVE-2018-9363",
"CVE-2018-9516",
"CVE-2018-9517",
"CVE-2018-10853",
"CVE-2018-12207",
"CVE-2018-13053",
"CVE-2018-13093",
"CVE-2018-13094",
"CVE-2018-13095",
"CVE-2018-14625",
"CVE-2018-14734",
"CVE-2018-15594",
"CVE-2018-16658",
"CVE-2018-16885",
"CVE-2018-18281",
"CVE-2018-20856",
"CVE-2019-0154",
"CVE-2019-0155",
"CVE-2019-1125",
"CVE-2019-3459",
"CVE-2019-3460",
"CVE-2019-3846",
"CVE-2019-3882",
"CVE-2019-3900",
"CVE-2019-5489",
"CVE-2019-5544",
"CVE-2019-7222",
"CVE-2019-9500",
"CVE-2019-9506",
"CVE-2019-10126",
"CVE-2019-11135",
"CVE-2019-11599",
"CVE-2019-11729",
"CVE-2019-11745",
"CVE-2019-11810",
"CVE-2019-11833",
"CVE-2019-14821",
"CVE-2019-14835",
"CVE-2019-15239",
"CVE-2019-18397"
);
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
script_xref(name:"CEA-ID", value:"CEA-2021-0025");
script_name(english:"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.16.0.1)");
script_set_attribute(attribute:"synopsis", value:
"The Nutanix AOS host is affected by multiple vulnerabilities .");
script_set_attribute(attribute:"description", value:
"The version of AOS installed on the remote host is prior to 5.16.0.1. It is, therefore, affected by multiple
vulnerabilities as referenced in the NXSA-AOS-5.16.0.1 advisory.
- OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated
the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
(CVE-2019-5544)
- Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly
sanitized before being copied into memory and used. This vulnerability affects Firefox ESR < 60.8, Firefox
< 68, and Thunderbird < 60.8. (CVE-2019-11729)
- When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the
block size, a small out of bounds write could occur. This could have caused heap corruption and a
potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and
Firefox < 71. (CVE-2019-11745)
- An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an
__blk_drain_queue() use-after-free because a certain error case is mishandled. (CVE-2018-20856)
- A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function
in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other
consequences. (CVE-2019-10126)
- A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the
mwifiex kernel module while connecting to a malicious wireless network. (CVE-2019-3846)
- The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key
length and does not prevent an attacker from influencing the key length negotiation. This allows practical
brute-force attacks (aka KNOB) that can decrypt traffic and inject arbitrary ciphertext without the
victim noticing. (CVE-2019-9506)
- An information disclosure vulnerability exists when certain central processing units (CPU) speculatively
access memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from
CVE-2019-1071, CVE-2019-1073. (CVE-2019-1125)
- The Broadcom brcmfmac WiFi driver prior to commit 1b5e2423164b3670e8bc9174e4762d297990deff is vulnerable
to a heap buffer overflow. If the Wake-up on Wireless LAN functionality is configured, a malicious event
frame can be constructed to trigger an heap buffer overflow in the brcmf_wowl_nd_results function. This
vulnerability can be exploited with compromised chipsets to compromise the host, or when used in
combination with CVE-2019-9503, can be used remotely. In the worst case scenario, by sending specially-
crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a
vulnerable system. More typically, this vulnerability will result in denial-of-service conditions.
(CVE-2019-9500)
- Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R)
Processors may allow an authenticated user to potentially enable denial of service of the host system via
local access. (CVE-2018-12207)
- Insufficient access control in subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th
Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold
Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900
Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100 Processor Families may allow an
authenticated user to potentially enable denial of service via local access. (CVE-2019-0154)
- TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated
user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11135)
- A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost
functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A
privileged guest user able to pass descriptors with invalid length to the host when migration is underway,
could use this flaw to increase their privileges on the host. (CVE-2019-14835)
- Insufficient access control in a subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th
Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold
Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900
Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families; Intel(R)
Graphics Driver for Windows before 26.20.100.6813 (DCH) or 26.20.100.6812 and before 21.20.x.5077
(aka15.45.5077), i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11,
4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an authenticated user to potentially enable escalation of
privilege via local access. (CVE-2019-0155)
- A flaw was found in the way Linux kernel KVM hypervisor before 4.18 emulated instructions such as
sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged
instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges
inside guest. (CVE-2018-10853)
- The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an
integer overflow via a large relative timeout because ktime_add_safe is not used. (CVE-2018-13053)
- An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer
dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted
xfs image. This occurs because of a lack of proper validation that cached inodes are free during
allocation. (CVE-2018-13093)
- An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may
occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. (CVE-2018-13094)
- An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of
service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is
in extent format, but has more extents than fit in the inode fork. (CVE-2018-13095)
- A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-
memory from within a vm guest. A race condition between connect() and close() function may allow an
attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt
AF_VSOCK messages destined to other clients. (CVE-2018-14625)
- drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11 allows ucma_leave_multicast to access a
certain data structure after a cleanup step in ucma_process_join, which allows attackers to cause a denial
of service (use-after-free). (CVE-2018-14734)
- arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which
makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests. (CVE-2018-15594)
- An issue was discovered in the Linux kernel before 4.18.6. An information leak in cdrom_ioctl_drive_status
in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from
unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940. (CVE-2018-16658)
- A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar
functions with a zero offset and buffer length which causes the read beyond the buffer boundaries, in
certain cases causing a memory access fault and a system halt by accessing invalid memory address. This
issue only affects kernel version 3.10.x as shipped with Red Hat Enterprise Linux 7. (CVE-2018-16885)
- Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks.
If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of
mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it
has been released back to the page allocator and reused. This is fixed in the following kernel versions:
4.9.135, 4.14.78, 4.18.16, 4.19. (CVE-2018-18281)
- An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel
through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM
ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the
location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)
- Memory leak in the hwsim_new_radio_nl function in drivers/net/wireless/mac80211_hwsim.c in the Linux
kernel through 4.15.9 allows local users to cause a denial of service (memory consumption) by triggering
an out-of-array error case. (CVE-2018-8087)
- In the hidp_process_report in bluetooth, there is an integer overflow. This could lead to an out of bounds
write with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android Versions: Android kernel Android ID: A-65853588 References: Upstream kernel.
(CVE-2018-9363)
- In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a
missing bounds check. This could lead to local escalation of privilege with System execution privileges
needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android
ID: A-71361580. (CVE-2018-9516)
- In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local
escalation of privilege with System execution privileges needed. User interaction is not needed for
exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. (CVE-2018-9517)
- The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to
prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive
information, cause a denial of service, or possibly have unspecified other impact by triggering a race
condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c,
fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c. (CVE-2019-11599)
- An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when
megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c.
This causes a Denial of Service, related to a use-after-free. (CVE-2019-11810)
- fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the
extent tree block, which might allow local users to obtain sensitive information by reading uninitialized
data in the filesystem. (CVE-2019-11833)
- A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before
5.1-rc1. (CVE-2019-3459)
- A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel
before 5.1-rc1. (CVE-2019-3460)
- A flaw was found in the Linux kernel's vfio interface implementation that permits violation of the user's
locked memory limit. If a device is bound to a vfio driver, such as vfio-pci, and the local attacker is
administratively granted ownership of the device, it may cause a system memory exhaustion and thus a
denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable. (CVE-2019-3882)
- An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including
v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster
than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the
vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)
- The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers
to observe page cache access patterns of other processes on the same system, potentially allowing sniffing
of secret information. (Fixing this affects the output of the fincore program.) Limited remote
exploitation may be possible, as demonstrated by latency differences in accessing public files from an
Apache HTTP Server. (CVE-2019-5489)
- The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. (CVE-2019-7222)
- A buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c of GNU
FriBidi through 1.0.7 allows an attacker to cause a denial of service or possibly execute arbitrary code
by delivering crafted text content to a user, when this content is then rendered by an application that
uses FriBidi for text layout calculations. Examples include any GNOME or GTK+ based application that uses
Pango for text layout, as this internally uses FriBidi for bidirectional text layout. For example, the
attacker can construct a crafted text file to be opened in GEdit, or a crafted IRC message to be viewed in
HexChat. (CVE-2019-18397)
- An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux
kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer
'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be
supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm'
device could use this flaw to crash the host kernel, resulting in a denial of service or potentially
escalating privileges on the system. (CVE-2019-14821)
- In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12,
was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was
potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by
adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple
use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation.
NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or
4.14.x longterm kernels before 4.14.139. (CVE-2019-15239)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AOS-5.16.0.1
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8ec7e0a4");
script_set_attribute(attribute:"solution", value:
"Update the Nutanix AOS software to recommended version.");
script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3846");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-5544");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/18");
script_set_attribute(attribute:"patch_publication_date", value:"2022/08/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/09/01");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:nutanix:aos");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("nutanix_collect.nasl");
script_require_keys("Host/Nutanix/Data/lts", "Host/Nutanix/Data/Service", "Host/Nutanix/Data/Version", "Host/Nutanix/Data/arch");
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
var app_info = vcf::nutanix::get_app_info();
var constraints = [
{ 'fixed_version' : '5.16.0.1', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 5.16.0.1 or higher.', 'lts' : FALSE },
{ 'fixed_version' : '5.16.0.1', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 5.16.0.1 or higher.', 'lts' : FALSE }
];
vcf::nutanix::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE
);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10853
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13053
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13093
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13094
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13095
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14625
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14734
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15594
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16658
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16885
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18281
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20856
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7755
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8087
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9363
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9516
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9517
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0154
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0155
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10126
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1125
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11599
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11729
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11810
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11833
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14821
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14835
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15239
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18397
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3459
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3460
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3846
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3882
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3900
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5489
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5544
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7222
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9500
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9506
www.nessus.org/u?8ec7e0a4
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
90.9%