The remote OracleVM system is missing necessary patches to address security updates:
A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)
In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege when opening and closing inet sockets with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-112551163References: Upstream kernel (CVE-2022-20141)
A use-after-free flaw was found in the Linux kernel’s SGI GRU driver in the way the first gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-3424)
A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2023-1118)
A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub- component. (CVE-2023-2269)
A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when queue_event() fails. (CVE-2023-3159)
DISPUTED An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated When modifying the block device while it is mounted by the filesystem access.
(CVE-2023-34256)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were
# extracted from OracleVM Security Advisory OVMSA-2023-0017.
##
include('compat.inc');
if (description)
{
script_id(179926);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/08/17");
script_cve_id(
"CVE-2022-1679",
"CVE-2022-3424",
"CVE-2022-20141",
"CVE-2023-1118",
"CVE-2023-2269",
"CVE-2023-3159",
"CVE-2023-34256"
);
script_name(english:"OracleVM 3.4 : kernel-uek (OVMSA-2023-0017)");
script_set_attribute(attribute:"synopsis", value:
"The remote OracleVM host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote OracleVM system is missing necessary patches to address security updates:
- A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user
forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local
user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)
- In ip_check_mc_rcu of igmp.c, there is a possible use after free due to improper locking. This could lead
to local escalation of privilege when opening and closing inet sockets with no additional execution
privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android
kernelAndroid ID: A-112551163References: Upstream kernel (CVE-2022-20141)
- A use-after-free flaw was found in the Linux kernel's SGI GRU driver in the way the first
gru_file_unlocked_ioctl function is called by the user, where a fail pass occurs in the
gru_check_chiplet_assignment function. This flaw allows a local user to crash or potentially escalate
their privileges on the system. (CVE-2022-3424)
- A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the
way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate
their privileges on the system. (CVE-2023-1118)
- A denial of service problem was found, due to a possible recursive locking scenario, resulting in a
deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-
component. (CVE-2023-2269)
- A use after free issue was discovered in driver/firewire in outbound_phy_packet_callback in the Linux
Kernel. In this flaw a local attacker with special privilege may cause a use after free problem when
queue_event() fails. (CVE-2023-3159)
- ** DISPUTED ** An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in
crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check
an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against
attackers with the stated When modifying the block device while it is mounted by the filesystem access.
(CVE-2023-34256)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2022-1679.html");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2022-20141.html");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2022-3424.html");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-1118.html");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-2269.html");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-3159.html");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-34256.html");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/OVMSA-2023-0017.html");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel-uek / kernel-uek-firmware packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-1679");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-1118");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/30");
script_set_attribute(attribute:"patch_publication_date", value:"2023/08/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/08/17");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"OracleVM Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
exit(0);
}
include('ksplice.inc');
include('rpm.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
var machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');
if (machine_uptrack_level)
{
var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:"\.(x86_64|i[3-6]86|aarch64)$", replace:'');
var fixed_uptrack_levels = ['4.1.12-124.76.2.el6uek'];
foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {
if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for OVMSA-2023-0017');
}
}
__rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\n\n';
}
var kernel_major_minor = get_kb_item('Host/uname/major_minor');
if (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');
var expected_kernel_major_minor = '4.1';
if (kernel_major_minor != expected_kernel_major_minor)
audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);
var pkgs = [
{'reference':'kernel-uek-4.1.12-124.76.2.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},
{'reference':'kernel-uek-firmware-4.1.12-124.76.2.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'OVS' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-firmware');
}
Vendor | Product | Version | CPE |
---|---|---|---|
oracle | vm | kernel-uek | p-cpe:/a:oracle:vm:kernel-uek |
oracle | vm | kernel-uek-firmware | p-cpe:/a:oracle:vm:kernel-uek-firmware |
oracle | vm_server | 3.4 | cpe:/o:oracle:vm_server:3.4 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1679
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20141
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3424
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1118
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2269
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3159
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34256
linux.oracle.com/cve/CVE-2022-1679.html
linux.oracle.com/cve/CVE-2022-20141.html
linux.oracle.com/cve/CVE-2022-3424.html
linux.oracle.com/cve/CVE-2023-1118.html
linux.oracle.com/cve/CVE-2023-2269.html
linux.oracle.com/cve/CVE-2023-3159.html
linux.oracle.com/cve/CVE-2023-34256.html
linux.oracle.com/errata/OVMSA-2023-0017.html