Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2024-12606)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2024-12606.
##

include('compat.inc');

if (description)
{
  script_id(206463);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/03");

  script_cve_id(
    "CVE-2021-46939",
    "CVE-2021-47118",
    "CVE-2021-47153",
    "CVE-2021-47171",
    "CVE-2021-47236",
    "CVE-2021-47284",
    "CVE-2021-47310",
    "CVE-2021-47353",
    "CVE-2021-47356",
    "CVE-2022-48627",
    "CVE-2023-6040",
    "CVE-2023-52445",
    "CVE-2023-52477",
    "CVE-2023-52574",
    "CVE-2023-52594",
    "CVE-2023-52615",
    "CVE-2023-52620",
    "CVE-2023-52628",
    "CVE-2023-52703",
    "CVE-2023-52809",
    "CVE-2023-52881",
    "CVE-2024-26635",
    "CVE-2024-26651",
    "CVE-2024-26675",
    "CVE-2024-26679",
    "CVE-2024-26704",
    "CVE-2024-26772",
    "CVE-2024-26778",
    "CVE-2024-26801",
    "CVE-2024-26805",
    "CVE-2024-26816",
    "CVE-2024-26859",
    "CVE-2024-26880",
    "CVE-2024-26903",
    "CVE-2024-35922",
    "CVE-2024-35944",
    "CVE-2024-35978",
    "CVE-2024-35982",
    "CVE-2024-36016",
    "CVE-2024-36883",
    "CVE-2024-36919",
    "CVE-2024-36950",
    "CVE-2024-36960"
  );

  script_name(english:"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2024-12606)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in
the ELSA-2024-12606 advisory.

    - isdn: mISDN: netjet: Fix crash in nj_probe: (Zheyu Ma)  [Orabug: 36940405]  {CVE-2021-47284}
    - tracing: Restructure trace_clock_global() to never block (Steven Rostedt (VMware))  [Orabug: 36940388]
    {CVE-2021-46939}
    - udf: Fix NULL pointer dereference in udf_symlink function (Arturo Giusti)  [Orabug: 36806640]
    {CVE-2021-47353}
    - media: pvrusb2: fix use after free on context disconnection (Ricardo B. Marliere)  [Orabug: 36802294]
    {CVE-2023-52445}
    - vt: fix memory overlapping when deleting chars in the buffer (Yangxi Xiang)  [Orabug: 36802212]
    {CVE-2022-48627}
    - tty: n_gsm: fix possible out-of-bounds in gsm0_receive() (Daniel Starke)  [Orabug: 36678070]
    {CVE-2024-36016}
    - netfilter: nftables: exthdr: fix 4-byte stack OOB write (Florian Westphal)  [Orabug: 36654631]
    {CVE-2023-52628}
    - dm: call the resume method on internal suspend (Mikulas Patocka)  [Orabug: 36544879]  {CVE-2024-26880}
    - net/bnx2x: Prevent access to a freed page in page_pool (Thinh Tran)  [Orabug: 36544783]
    {CVE-2024-26859}
    - x86, relocs: Ignore relocations in .notes section (Kees Cook)  [Orabug: 36531115]  {CVE-2024-26816}
    - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter (Ryosuke Yasuoka)  [Orabug: 36531057]
    {CVE-2024-26805}
    - fbdev: savage: Error out if pixclock equals zero (Fullway Wang)  [Orabug: 36530913]  {CVE-2024-26778}
    - ext4: fix double-free of blocks due to wrong extents moved_len (Baokun Li)  [Orabug: 36530519]
    {CVE-2024-26704}
    - sr9800: Add check for usbnet_get_endpoints (Chen Ni)  [Orabug: 36530183]  {CVE-2024-26651}
    - llc: Drop support for ETH_P_TR_802_2. (Kuniyuki Iwashima)  [Orabug: 36530047]  {CVE-2024-26635}
    - netfilter: nf_tables: Reject tables of unsupported family (Phil Sutter)  [Orabug: 36192155]
    {CVE-2023-6040}
    - wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() (Minsuk Kang)
    [Orabug: 36802321]  {CVE-2023-52594}
    - batman-adv: Avoid infinite loop trying to resize local TT (Sven Eckelmann)  [Orabug: 36643464]
    {CVE-2024-35982}
    - Bluetooth: Fix memory leak in hci_req_sync_complete() (Dmitry Antipov)  [Orabug: 36643456]
    {CVE-2024-35978}
    - VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() (Harshit Mogalapalli)  [Orabug: 36643323]
    {CVE-2024-35944}
    - fbmon: prevent division by zero in fb_videomode_from_videomode() (Roman Smirnov)  [Orabug: 36643194]
    {CVE-2024-35922}
    - scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() (Wenchao Hao)  [Orabug:
    36901390]  {CVE-2023-52809}
    - net: usb: fix memory leak in smsc75xx_bind (Pavel Skripkin)  [Orabug: 36802200]  {CVE-2021-47171}
    - i2c: i801: Don't generate an interrupt on bus reset (Jean Delvare)  [Orabug: 36792714]  {CVE-2021-47153}
    - pid: take a reference when initializing cad_pid (Mark Rutland)  [Orabug: 36792687]  {CVE-2021-47118}
    - drm/vmwgfx: Fix invalid reads in fence signaled events (Zack Rusin)  [Orabug: 36691531]
    {CVE-2024-36960}
    - firewire: ohci: mask bus reset interrupts between ISR and bottom half (Adam Goldman)  [Orabug: 36683507]
    {CVE-2024-36950}
    - scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload (Saurav Kashyap)  [Orabug:
    36683370]  {CVE-2024-36919}
    - net: fix out-of-bounds access in ops_init (Thadeu Lima de Souza Cascardo)  [Orabug: 36683115]
    {CVE-2024-36883}
    - netfilter: nf_tables: disallow timeout for anonymous sets (Pablo Neira Ayuso)  [Orabug: 36654625]
    {CVE-2023-52620}
    - team: fix null-ptr-deref when team device type is changed (Ziyang Xuan)  [Orabug: 36654606]
    {CVE-2023-52574}
    - tcp: do not accept ACK of bytes we never sent (Eric Dumazet)  [Orabug: 36806731]  {CVE-2023-52881}
    - net/usb: kalmia: Don't pass act_len in usb_bulk_msg error path (Miko Larsson)  [Orabug: 36806698]
    {CVE-2023-52703}
    - hwrng: core - Fix page fault dead lock on mmap-ed hwrng (Herbert Xu)  [Orabug: 36806668]
    {CVE-2023-52615}
    - mISDN: fix possible use-after-free in HFC_cleanup() (Zou Wei)  [Orabug: 36806645]  {CVE-2021-47356}
    - net: ti: fix UAF in tlan_remove_one (Pavel Skripkin)  [Orabug: 36806628]  {CVE-2021-47310}
    - net: cdc_eem: fix tx fixup skb leak (Linyu Yuan)  [Orabug: 36806622]  {CVE-2021-47236}
    - usb: hub: Guard against accesses to uninitialized BOS descriptors (Ricardo Canuelo)  [Orabug: 36802300]
    {CVE-2023-52477}
    - USB: add quirk for devices with broken LPM (Alan Stern)  [Orabug: 36802300]  {CVE-2023-52477}
    - Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security (Yuxuan Hu)  [Orabug: 36544991]
    {CVE-2024-26903}
    - Bluetooth: Avoid potential use-after-free in hci_error_reset (Ying Hsu)  [Orabug: 36531042]
    {CVE-2024-26801}
    - ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal() (Baokun Li)  [Orabug:
    36530881]  {CVE-2024-26772}
    - inet: read sk->sk_family once in inet_recv_error() (Eric Dumazet)  [Orabug: 36530348]  {CVE-2024-26679}

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2024-12606.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-6040");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/07/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/09/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/09/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:linux:6:10:UEKR4_ELS");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:linux:7::UEKR4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("linux_alt_patch_detect.nasl", "ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}


include('ksplice.inc');
include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6 / 7', 'Oracle Linux ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
if ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);

var machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');
if (machine_uptrack_level)
{
  var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:"\.(x86_64|i[3-6]86|aarch64)$", replace:'');
  var fixed_uptrack_levels = ['4.1.12-124.89.4.el6uek', '4.1.12-124.89.4.el7uek'];
  foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {
    if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)
    {
      audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2024-12606');
    }
  }
  __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\n\n';
}

var kernel_major_minor = get_kb_item('Host/uname/major_minor');
if (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');
var expected_kernel_major_minor = '4.1';
if (kernel_major_minor != expected_kernel_major_minor)
  audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);

var pkgs = [
    {'reference':'kernel-uek-4.1.12-124.89.4.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},
    {'reference':'kernel-uek-debug-4.1.12-124.89.4.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.1.12'},
    {'reference':'kernel-uek-debug-devel-4.1.12-124.89.4.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.1.12'},
    {'reference':'kernel-uek-devel-4.1.12-124.89.4.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.1.12'},
    {'reference':'kernel-uek-doc-4.1.12-124.89.4.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.1.12'},
    {'reference':'kernel-uek-firmware-4.1.12-124.89.4.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'},
    {'reference':'kernel-uek-4.1.12-124.89.4.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},
    {'reference':'kernel-uek-debug-4.1.12-124.89.4.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.1.12'},
    {'reference':'kernel-uek-debug-devel-4.1.12-124.89.4.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.1.12'},
    {'reference':'kernel-uek-devel-4.1.12-124.89.4.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.1.12'},
    {'reference':'kernel-uek-doc-4.1.12-124.89.4.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.1.12'},
    {'reference':'kernel-uek-firmware-4.1.12-124.89.4.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release) {
    if (exists_check) {
        if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
        if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');
}