Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLEVM_OVMSA-2022-0024.NASL
HistorySep 07, 2022 - 12:00 a.m.

OracleVM 3.4 : kernel-uek (OVMSA-2022-0024)

2022-09-0700:00:00
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
24

7.2 High

AI Score

Confidence

High

JSON

The remote OracleVM system is missing necessary patches to address security updates:

  • In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task. (CVE-2019-9213)

  • An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim’s TCP session or terminate that session. (CVE-2020-36516)

  • A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of ttys could lead to a use-after-free. (CVE-2020-36557)

  • A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault. (CVE-2020-36558)

  • When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds. (CVE-2021-33655)

  • When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.
    (CVE-2021-33656)

  • A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write().
    This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in privilege escalation. (CVE-2022-1011)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were
# extracted from OracleVM Security Advisory OVMSA-2022-0024.
##

include('compat.inc');

if (description)
{
  script_id(164817);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/15");

  script_cve_id(
    "CVE-2019-9213",
    "CVE-2020-36516",
    "CVE-2020-36557",
    "CVE-2020-36558",
    "CVE-2021-33655",
    "CVE-2021-33656",
    "CVE-2022-1011",
    "CVE-2022-2588",
    "CVE-2022-21546"
  );

  script_name(english:"OracleVM 3.4 : kernel-uek (OVMSA-2022-0024)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OracleVM host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote OracleVM system is missing necessary patches to address security updates:

  - In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum
    address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP
    platforms. This is related to a capability check for the wrong task. (CVE-2019-9213)

  - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the
    hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session
    or terminate that session. (CVE-2020-36516)

  - A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of
    ttys could lead to a use-after-free. (CVE-2020-36557)

  - A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer
    dereference and general protection fault. (CVE-2020-36558)

  - When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of
    bounds. (CVE-2021-33655)

  - When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.
    (CVE-2021-33656)

  - A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write().
    This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in
    privilege escalation. (CVE-2022-1011)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2019-9213.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2020-36516.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2020-36557.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2020-36558.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2021-33655.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2021-33656.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2022-1011.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2022-21546.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2022-2588.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/OVMSA-2022-0024.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel-uek / kernel-uek-firmware packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-36516");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-2588");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/09/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/09/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"OracleVM Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}
include('ksplice.inc');
include('rpm.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

var machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');
if (machine_uptrack_level)
{
  var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:"\.(x86_64|i[3-6]86|aarch64)$", replace:'');
  var fixed_uptrack_levels = ['4.1.12-124.66.3.el6uek'];
  foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {
    if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)
    {
      audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for OVMSA-2022-0024');
    }
  }
  __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\n\n';
}

var kernel_major_minor = get_kb_item('Host/uname/major_minor');
if (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');
var expected_kernel_major_minor = '4.1';
if (kernel_major_minor != expected_kernel_major_minor)
  audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);

var pkgs = [
    {'reference':'kernel-uek-4.1.12-124.66.3.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},
    {'reference':'kernel-uek-firmware-4.1.12-124.66.3.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var release = NULL;
  var sp = NULL;
  var cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = 'OVS' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {
    if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-firmware');
}
VendorProductVersionCPE
oraclevmkernel-uekp-cpe:/a:oracle:vm:kernel-uek
oraclevmkernel-uek-firmwarep-cpe:/a:oracle:vm:kernel-uek-firmware
oraclevm_server3.4cpe:/o:oracle:vm_server:3.4

References

Related

nessus 57
oraclelinux 12
suse 5
openvas 29
ubuntu 8
osv 10
cve 9
ubuntucve 8
cve0day 1
veracode 5
broadcom 2
debiancve 8
prion 8
redhatcve 8
zdt 1
cnvd 2
cbl_mariner 6
fedora 1
mageia 1
githubexploit 5
redhat 9
f5 1
zdi 1
amazon 1
redos 1
nessus
nessus
Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2022-9761)
2022-09-07 00:00:00
SUSE SLES15 Security Update : kernel (Live Patch 31 for SLE 15) (SUSE-SU-2022:4027-1)
2022-11-17 00:00:00
SUSE SLES15 Security Update : kernel (Live Patch 26 for SLE 15) (SUSE-SU-2022:4129-1)
2022-11-19 00:00:00
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2022-09-06 00:00:00
Unbreakable Enterprise kernel security update
2022-09-16 00:00:00
Unbreakable Enterprise kernel-container security update
2022-09-16 00:00:00
suse
suse
Security update for the Linux Kernel (important)
2022-08-16 00:00:00
Security update for the Linux Kernel (important)
2022-09-01 00:00:00
Security update for the Linux Kernel (important)
2022-08-23 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2022:2827-1)
2022-08-17 00:00:00
openSUSE: Security Advisory for the (SUSE-SU-2022:2827-1)
2022-08-17 00:00:00
Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2022-2712)
2022-11-04 00:00:00
ubuntu
ubuntu
Linux kernel (AWS) vulnerabilities
2022-08-24 00:00:00
Linux kernel vulnerability
2022-09-01 00:00:00
Linux kernel (AWS) vulnerability
2022-09-02 00:00:00
osv
osv
linux-aws vulnerabilities
2022-08-24 15:49:43
linux-azure, linux-gcp, linux-hwe vulnerability
2022-08-31 23:12:24
linux-oracle vulnerability
2022-09-05 22:10:47
cve
cve
CVE-2022-21546
2022-09-06 17:18:18
CVE-2019-9213
2019-03-05 22:29:00
CVE-2020-36557
2022-07-21 04:15:00
ubuntucve
ubuntucve
CVE-2020-36557
2022-07-21 00:00:00
CVE-2019-9213
2019-03-05 00:00:00
CVE-2020-36516
2022-02-26 00:00:00
cve0day
cve0day
Linux Kernel CVE-2019-9213 NULL Dereferences
2019-03-06 13:41:31
veracode
veracode
Use-after-free
2023-01-31 13:33:53
Spoofing Attack
2023-01-28 00:46:14
Denial Of Service (DoS)
2023-01-28 00:46:29
broadcom
broadcom
Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing opening of ttys could lead to a use-after-free
2023-08-01 00:00:00
A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault.
2023-08-01 00:00:00
debiancve
debiancve
CVE-2020-36557
2022-07-21 04:15:00
CVE-2020-36516
2022-02-26 04:15:00
CVE-2019-9213
2019-03-05 22:29:00
prion
prion
Race condition
2022-07-21 04:15:00
Null pointer dereference
2019-03-05 22:29:00
Design/Logic Flaw
2022-02-26 04:15:00
redhatcve
redhatcve
CVE-2020-36557
2022-07-31 17:44:29
CVE-2020-36516
2022-03-02 11:24:33
CVE-2020-36558
2022-07-31 17:44:38
zdt
zdt
Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem Exploit
2019-03-06 00:00:00
cnvd
cnvd
Linux kernel has unspecified vulnerabilities (CNVD-2022-17770)
2022-03-01 00:00:00
Linux Kernel FUSE filesystem elevation of privilege vulnerability
2022-03-22 00:00:00
cbl_mariner
cbl_mariner
CVE-2021-33656 affecting package kernel 5.10.123.1-1
2022-08-12 16:45:24
CVE-2021-33655 affecting package kernel 5.10.134.1-2
2022-10-04 07:51:40
CVE-2021-33655 affecting package kernel 5.15.57.1-3
2022-10-05 23:34:27
fedora
fedora
[SECURITY] Fedora 29 Update: kernel-headers-4.20.14-200.fc29
2019-03-10 18:25:36
mageia
mageia
Updated kernel packages fix security vulnerability
2019-03-29 18:51:06
githubexploit
githubexploit
Exploit for Use After Free in Linux Linux Kernel
2023-06-16 03:02:38
Exploit for Double Free in Linux Linux Kernel
2023-03-09 21:29:56
Exploit for Double Free in Linux Linux Kernel
2022-12-04 22:10:57
redhat
redhat
(RHSA-2022:7171) Important: kernel security and bug fix update
2022-10-25 12:36:50
(RHSA-2023:4023) Important: kpatch-patch security update
2023-07-11 07:39:10
(RHSA-2022:7137) Important: kpatch-patch security update
2022-10-25 07:52:27
f5
f5
K32615023 : Linux kernel vulnerability CVE-2022-2588
2022-10-20 00:00:00
zdi
zdi
(Pwn2Own) Linux Kernel route4_change Double Free Privilege Escalation Vulnerability
2022-08-18 00:00:00
amazon
amazon
Important: kernel
2019-03-20 22:39:00
redos
redos
ROS-20220908-01
2022-09-08 00:00:00

7.2 High

AI Score

Confidence

High

JSON
Related for ORACLEVM_OVMSA-2022-0024.NASL
nessus57oraclelinux12suse5openvas29ubuntu8osv10cve9ubuntucve8cve0day1veracode5broadcom2debiancve8prion8redhatcve8zdt1cnvd2cbl_mariner6fedora1mageia1githubexploit5redhat9f51zdi1amazon1redos1