Nessus plugin ORACLEVM_OVMSA-2021-0035.NASL

OracleVM 3.4 : kernel-uek (OVMSA-2021-0035)

Published: Oct 12, 2021
Source: www.tenable.com
This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.

CVSS: 7.8 High

The remote OracleVM system is missing necessary patches to address security updates:

  • In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of service (NULL pointer dereference and BUG) because a required mutex is not used. (CVE-2017-18216)

  • In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. (CVE-2018-9517)

  • Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists. (CVE-2019-10220)

  • Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113. (CVE-2019-19063)

  • A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures, aka CID-0e62395da2bd. (CVE-2019-19066)

  • A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
    (CVE-2019-19074)

  • A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it is possible for the specified target task to perform an execve() syscall with setuid execution before perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)

  • An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails. (CVE-2020-12771)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were
# extracted from OracleVM Security Advisory OVMSA-2021-0035.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(154016);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/28");

  script_cve_id(
    "CVE-2017-11089",
    "CVE-2017-18216",
    "CVE-2018-9517",
    "CVE-2019-3900",
    "CVE-2019-3901",
    "CVE-2019-10220",
    "CVE-2019-17133",
    "CVE-2019-19063",
    "CVE-2019-19066",
    "CVE-2019-19074",
    "CVE-2019-19448",
    "CVE-2020-12114",
    "CVE-2020-12771",
    "CVE-2020-24586",
    "CVE-2020-24587",
    "CVE-2020-24588",
    "CVE-2020-26139",
    "CVE-2020-26140",
    "CVE-2020-26141",
    "CVE-2020-26142",
    "CVE-2020-26143",
    "CVE-2020-26144",
    "CVE-2020-26145",
    "CVE-2020-26146",
    "CVE-2020-26147",
    "CVE-2020-27067",
    "CVE-2021-0512",
    "CVE-2021-0605",
    "CVE-2021-3612",
    "CVE-2021-3655",
    "CVE-2021-3679",
    "CVE-2021-3715",
    "CVE-2021-38160",
    "CVE-2021-40490"
  );
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");

  script_name(english:"OracleVM 3.4 : kernel-uek (OVMSA-2021-0035)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OracleVM host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote OracleVM system is missing necessary patches to address security updates:

  - In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, local users can cause a denial of
    service (NULL pointer dereference and BUG) because a required mutex is not used. (CVE-2017-18216)

  - In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local
    escalation of privilege with System execution privileges needed. User interaction is not needed for
    exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. (CVE-2018-9517)

  - Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory
    entry lists. (CVE-2019-10220)

  - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the
    Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka
    CID-3f9361695113. (CVE-2019-19063)

  - A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c in the Linux kernel
    through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering
    bfa_port_get_stats() failures, aka CID-0e62395da2bd. (CVE-2019-19066)

  - A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel
    through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
    (CVE-2019-19074)

  - A race condition in perf_event_open() allows local attackers to leak sensitive data from setuid programs.
    As no relevant locks (in particular the cred_guard_mutex) are held during the ptrace_may_access() call, it
    is possible for the specified target task to perform an execve() syscall with setuid execution before
    perf_event_alloc() actually attaches to it, allowing an attacker to bypass the ptrace_may_access() check
    and the perf_event_exit_task(current) call that is performed in install_exec_creds() during privileged
    execve() calls. This issue affects kernel versions before 4.8. (CVE-2019-3901)

  - An issue was discovered in the Linux kernel through 5.6.11. btree_gc_coalesce in drivers/md/bcache/btree.c
    has a deadlock if a coalescing operation fails. (CVE-2020-12771)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2017-18216.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2018-9517.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2019-10220.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2019-19063.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2019-19066.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2019-19074.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2019-3901.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2020-12771.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/OVMSA-2021-0035.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel-uek / kernel-uek-firmware packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-10220");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-17133");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/10/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/10/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"OracleVM Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}
include('ksplice.inc');
include('rpm.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

var machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');
if (machine_uptrack_level)
{
  var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:"\.(x86_64|i[3-6]86|aarch64)$", replace:'');
  var fixed_uptrack_levels = ['4.1.12-124.56.1.el6uek'];
  foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {
    if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)
    {
      audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for OVMSA-2021-0035');
    }
  }
  __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\n\n';
}

var kernel_major_minor = get_kb_item('Host/uname/major_minor');
if (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');
var expected_kernel_major_minor = '4.1';
if (kernel_major_minor != expected_kernel_major_minor)
  audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);

var pkgs = [
    {'reference':'kernel-uek-4.1.12-124.56.1.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},
    {'reference':'kernel-uek-firmware-4.1.12-124.56.1.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var release = NULL;
  var sp = NULL;
  var cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = 'OVS' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {
    if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-firmware');
}
Vendor   Product      Version              CPE
oracle   vm           kernel-uek           p-cpe:/a:oracle:vm:kernel-uek
oracle   vm           kernel-uek-firmware  p-cpe:/a:oracle:vm:kernel-uek-firmware
oracle   vm_server    3.4                  cpe:/o:oracle:vm_server:3.4