Lucene search
This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLELINUX_ELSA-2019-4820.NASLHistoryOct 14, 2019 - 12:00 a.m.
Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2019-4820)
2019-10-1400:00:00
This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
86
The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4820 advisory.
-
A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel’s vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A privileged guest user able to pass descriptors with invalid length to the host when migration is underway, could use this flaw to increase their privileges on the host. (CVE-2019-14835)
-
An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel’s KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer ‘struct kvm_coalesced_mmio’ object, wherein write indices ‘ring->first’ and ‘ring->last’ value could be supplied by a host user-space process. An unprivileged host user or process with access to ‘/dev/kvm’ device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system. (CVE-2019-14821)
-
In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default. (CVE-2019-14283)
-
An issue was discovered in the Linux kernel before 5.0.19. There is an out-of-bounds array access in
__xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in net/xfrm/xfrm_user.c mishandles directory validation. (CVE-2019-15666) -
An issue was discovered in the Linux kernel before 4.18.7. In create_qp_common in drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of stack memory to userspace. (CVE-2018-20855)
-
A flaw was found in the Linux kernel’s Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.
(CVE-2019-10207) -
An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2019-4820.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(129841);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/05/18");
script_cve_id(
"CVE-2018-20855",
"CVE-2019-10207",
"CVE-2019-14283",
"CVE-2019-14821",
"CVE-2019-14835",
"CVE-2019-15221",
"CVE-2019-15666"
);
script_name(english:"Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2019-4820)");
script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2019-4820 advisory.
- A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in the way Linux kernel's vhost
functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration. A
privileged guest user able to pass descriptors with invalid length to the host when migration is underway,
could use this flaw to increase their privileges on the host. (CVE-2019-14835)
- An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux
kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer
'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be
supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm'
device could use this flaw to crash the host kernel, resulting in a denial of service or potentially
escalating privileges on the system. (CVE-2019-14821)
- In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and
head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an
unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by
default. (CVE-2019-14283)
- An issue was discovered in the Linux kernel before 5.0.19. There is an out-of-bounds array access in
__xfrm_policy_unlink, which will cause denial of service, because verify_newpolicy_info in
net/xfrm/xfrm_user.c mishandles directory validation. (CVE-2019-15666)
- An issue was discovered in the Linux kernel before 4.18.7. In create_qp_common in
drivers/infiniband/hw/mlx5/qp.c, mlx5_ib_create_qp_resp was never initialized, resulting in a leak of
stack memory to userspace. (CVE-2018-20855)
- A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before
4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware
could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.
(CVE-2019-10207)
- An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a
malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2019-4820.html");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14835");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-14821");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/26");
script_set_attribute(attribute:"patch_publication_date", value:"2019/10/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-tools-libs-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:python-perf");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Oracle Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("linux_alt_patch_detect.nasl", "ssh_get_info.nasl");
script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");
exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('ksplice.inc');
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
var os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
var machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');
if (machine_uptrack_level)
{
var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:"\.(x86_64|i[3-6]86|aarch64)$", replace:'');
var fixed_uptrack_levels = ['4.14.35-1902.6.6.el7uek'];
foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {
if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2019-4820');
}
}
__rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\n\n';
}
var kernel_major_minor = get_kb_item('Host/uname/major_minor');
if (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');
var expected_kernel_major_minor = '4.14';
if (kernel_major_minor != expected_kernel_major_minor)
audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);
var pkgs = [
{'reference':'kernel-uek-4.14.35-1902.6.6.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.14.35'},
{'reference':'kernel-uek-4.14.35-1902.6.6.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.14.35'},
{'reference':'kernel-uek-debug-4.14.35-1902.6.6.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.14.35'},
{'reference':'kernel-uek-debug-4.14.35-1902.6.6.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.14.35'},
{'reference':'kernel-uek-debug-devel-4.14.35-1902.6.6.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.14.35'},
{'reference':'kernel-uek-debug-devel-4.14.35-1902.6.6.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.14.35'},
{'reference':'kernel-uek-devel-4.14.35-1902.6.6.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.14.35'},
{'reference':'kernel-uek-devel-4.14.35-1902.6.6.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.14.35'},
{'reference':'kernel-uek-doc-4.14.35-1902.6.6.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.14.35'},
{'reference':'kernel-uek-headers-4.14.35-1902.6.6.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-headers-4.14.35'},
{'reference':'kernel-uek-tools-4.14.35-1902.6.6.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-4.14.35'},
{'reference':'kernel-uek-tools-4.14.35-1902.6.6.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-4.14.35'},
{'reference':'kernel-uek-tools-libs-4.14.35-1902.6.6.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-libs-4.14.35'},
{'reference':'kernel-uek-tools-libs-devel-4.14.35-1902.6.6.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-libs-devel-4.14.35'},
{'reference':'perf-4.14.35-1902.6.6.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python-perf-4.14.35-1902.6.6.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var release = NULL;
var sp = NULL;
var cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && release) {
if (exists_check) {
if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
} else {
if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| oracle | linux | 7 | cpe:/o:oracle:linux:7 |
| oracle | linux | kernel-uek | p-cpe:/a:oracle:linux:kernel-uek |
| oracle | linux | kernel-uek-debug | p-cpe:/a:oracle:linux:kernel-uek-debug |
| oracle | linux | kernel-uek-debug-devel | p-cpe:/a:oracle:linux:kernel-uek-debug-devel |
| oracle | linux | kernel-uek-devel | p-cpe:/a:oracle:linux:kernel-uek-devel |
| oracle | linux | kernel-uek-doc | p-cpe:/a:oracle:linux:kernel-uek-doc |
| oracle | linux | kernel-uek-headers | p-cpe:/a:oracle:linux:kernel-uek-headers |
| oracle | linux | kernel-uek-tools | p-cpe:/a:oracle:linux:kernel-uek-tools |
| oracle | linux | kernel-uek-tools-libs | p-cpe:/a:oracle:linux:kernel-uek-tools-libs |
| oracle | linux | kernel-uek-tools-libs-devel | p-cpe:/a:oracle:linux:kernel-uek-tools-libs-devel |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20855
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10207
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14283
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14821
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14835
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15221
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15666
linux.oracle.com/errata/ELSA-2019-4820.html
Related
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2019-10-11 00:00:00
Unbreakable Enterprise kernel security update
2019-10-01 00:00:00
Unbreakable Enterprise kernel security update
2019-09-17 00:00:00
nessus
nessus
Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4808)
2019-10-02 00:00:00
Amazon Linux 2 : kernel (ALAS-2019-1293)
2019-09-27 00:00:00
Amazon Linux AMI : kernel (ALAS-2019-1293)
2019-09-30 00:00:00
openvas
openvas
Fedora Update for kernel-tools FEDORA-2019-a570a92d5a
2019-10-04 00:00:00
Fedora Update for kernel-headers FEDORA-2019-a570a92d5a
2019-10-04 00:00:00
openSUSE: Security Advisory for the Linux Kernel (openSUSE-SU-2019:1924-1)
2019-08-17 00:00:00
amazon
amazon
Important: kernel
2019-09-25 23:01:00
Important: kernel
2019-09-25 22:59:00
fedora
fedora
[SECURITY] Fedora 29 Update: kernel-headers-5.2.17-100.fc29
2019-10-02 01:42:27
[SECURITY] Fedora 29 Update: kernel-tools-5.2.17-100.fc29
2019-10-02 01:42:27
[SECURITY] Fedora 30 Update: kernel-headers-5.2.15-200.fc30
2019-09-19 01:34:38
suse
suse
Security update for the Linux Kernel (important)
2019-08-16 00:00:00
Security update for the Linux Kernel (important)
2019-08-16 00:00:00
osv
osv
CVE-2018-20855
2019-07-26 05:15:10
linux - security update
2019-09-25 00:00:00
linux-4.9 - security update
2019-09-30 00:00:00
redhatcve
redhatcve
debiancve
debiancve
prion
prion
Memory corruption
2019-07-26 05:15:00
Out-of-bounds
2019-08-27 05:15:00
Null pointer dereference
2019-08-19 22:15:00
cve
cve
ubuntucve
ubuntucve
veracode
veracode
Denial Of Service (DoS)
2020-04-29 02:43:08
Denial Of Service (DoS)
2020-03-26 02:15:42
Denial Of Service (DoS)
2020-04-03 00:40:32
f5
f5
K53420251 : Linux kernel vulnerability CVE-2019-15666
2019-10-21 00:00:00
K57536416 : Kernel vulnerability CVE-2019-14835
2020-10-19 00:00:00
K59513013 : Linux kernel vulnerability CVE-2019-14821
2020-10-19 00:00:00
centos
centos
kernel, perf, python security update
2019-09-27 12:17:17
bpftool, kernel, perf, python security update
2019-10-02 16:02:22
kernel, perf, python security update
2019-12-24 15:25:23
mageia
mageia
Updated kernel packages fix security vulnerabilities
2019-09-21 19:04:55
Updated kernel packages fix security vulnerabilities
2019-09-21 19:04:55
Updated kernel-linus packages fix security vulnerabilities
2019-11-20 00:16:53
debian
debian
[SECURITY] [DSA 4531-1] linux security update
2019-09-25 04:04:13
[SECURITY] [DLA 1940-1] linux-4.9 security update
2019-10-01 13:56:02
[SECURITY] [DSA 4531-1] linux security update
2019-09-25 04:04:13
githubexploit
githubexploit
Exploit for NULL Pointer Dereference in Linux Linux Kernel
2019-07-30 08:39:21
ibm
ibm
redhat
redhat
(RHSA-2019:2901) Important: kernel security update
2019-09-25 11:57:13
(RHSA-2019:2869) Important: kernel security and bug fix update
2019-09-23 12:11:17
(RHSA-2019:2867) Important: kernel security update
2019-09-23 12:10:35
huawei
huawei
Security Advisory - Buffer Overflow Vulnerability in QEMU-KVM
2020-01-15 00:00:00
virtuozzo
virtuozzo
Related for ORACLELINUX_ELSA-2019-4820.NASL