Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLEVM_OVMSA-2023-0023.NASL
HistoryNov 03, 2023 - 12:00 a.m.

OracleVM 3.4 : kernel-uek (OVMSA-2023-0023)

2023-11-0300:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
7
oraclevm 3.4
kernel-uek
security patches
linux kernel
buffer overflow
privilege escalation
use-after-free
out-of-bounds write
null pointer dereference
denial of service

7.4 High

AI Score

Confidence

High

JSON

The remote OracleVM system is missing necessary patches to address security updates:

  • An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. (CVE-2022-34918)

  • In the Unbreakable Enterprise Kernel (UEK), the RDS module in UEK has two setsockopt(2) options, RDS_CONN_RESET and RDS6_CONN_RESET, that are not re-entrant. A malicious local user with CAP_NET_ADMIN can use this to crash the kernel. (CVE-2023-22024)

  • A use-after-free vulnerability was found in the Linux kernel’s ext4 filesystem in the way it handled the extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system crash or other undefined behaviors. (CVE-2023-2513)

  • Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace (CVE-2023-35001)

  • An out-of-bounds write vulnerability in the Linux kernel’s net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out- of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)

  • A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). This issue may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

  • A use-after-free vulnerability in the Linux kernel’s net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
    (CVE-2023-3776)

  • A use-after-free vulnerability in the Linux kernel’s net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
    (CVE-2023-4206)

  • A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware’s vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a kernel information leak problem. (CVE-2023-4387)

  • A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
    (CVE-2023-4459)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were
# extracted from OracleVM Security Advisory OVMSA-2023-0023.
##

include('compat.inc');

if (description)
{
  script_id(184349);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/15");

  script_cve_id(
    "CVE-2022-34918",
    "CVE-2023-2513",
    "CVE-2023-3611",
    "CVE-2023-3772",
    "CVE-2023-3776",
    "CVE-2023-4206",
    "CVE-2023-4387",
    "CVE-2023-4459",
    "CVE-2023-22024",
    "CVE-2023-35001"
  );

  script_name(english:"OracleVM 3.4 : kernel-uek (OVMSA-2023-0023)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OracleVM host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote OracleVM system is missing necessary patches to address security updates:

  - An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init
    (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different
    vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an
    unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data
    in net/netfilter/nf_tables_api.c. (CVE-2022-34918)

  - In the Unbreakable Enterprise Kernel (UEK), the RDS module in UEK has two setsockopt(2) options,
    RDS_CONN_RESET and RDS6_CONN_RESET, that are not re-entrant. A malicious local user with CAP_NET_ADMIN can
    use this to crash the kernel. (CVE-2023-22024)

  - A use-after-free vulnerability was found in the Linux kernel's ext4 filesystem in the way it handled the
    extra inode size for extended attributes. This flaw could allow a privileged local user to cause a system
    crash or other undefined behaviors. (CVE-2023-2513)

  - Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register
    contents when CAP_NET_ADMIN is in any user or network namespace (CVE-2023-35001)

  - An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited
    to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-
    of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend
    upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)

  - A flaw was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem). This issue
    may allow a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer in
    xfrm_update_ae_params(), leading to a possible kernel crash and denial of service. (CVE-2023-3772)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to
    achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an
    error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can
    control the reference counter and set it to zero, they can cause the reference to be freed, leading to a
    use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
    (CVE-2023-3776)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to
    achieve local privilege escalation. When route4_change() is called on an existing filter, the whole
    tcf_result struct is always copied into the new instance of the filter. This causes a problem when
    updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the
    success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading
    to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
    (CVE-2023-4206)

  - A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in
    VMware's vmxnet3 ethernet NIC driver in the Linux Kernel. This issue could allow a local attacker to crash
    the system due to a double-free while cleaning up vmxnet3_rq_cleanup_all, which could also lead to a
    kernel information leak problem. (CVE-2023-4387)

  - A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in
    the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with
    normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
    (CVE-2023-4459)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2022-34918.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-22024.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-2513.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-35001.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-3611.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-3772.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-3776.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-4206.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-4387.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/cve/CVE-2023-4459.html");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/OVMSA-2023-0023.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel-uek / kernel-uek-firmware packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-34918");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-4206");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Netfilter nft_set_elem_init Heap Overflow Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/05/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/11/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:kernel-uek-firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"OracleVM Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}
include('ksplice.inc');
include('rpm.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

var machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');
if (machine_uptrack_level)
{
  var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:"\.(x86_64|i[3-6]86|aarch64)$", replace:'');
  var fixed_uptrack_levels = ['4.1.12-124.79.2.el6uek'];
  foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {
    if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)
    {
      audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for OVMSA-2023-0023');
    }
  }
  __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\n\n';
}

var kernel_major_minor = get_kb_item('Host/uname/major_minor');
if (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');
var expected_kernel_major_minor = '4.1';
if (kernel_major_minor != expected_kernel_major_minor)
  audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);

var pkgs = [
    {'reference':'kernel-uek-4.1.12-124.79.2.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},
    {'reference':'kernel-uek-firmware-4.1.12-124.79.2.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'OVS' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-firmware');
}
VendorProductVersionCPE
oraclevmkernel-uekp-cpe:/a:oracle:vm:kernel-uek
oraclevmkernel-uek-firmwarep-cpe:/a:oracle:vm:kernel-uek-firmware
oraclevm_server3.4cpe:/o:oracle:vm_server:3.4

References

Related

nessus 61
oraclelinux 9
ubuntucve 7
cve 10
prion 11
debiancve 8
redhat 16
amazon 3
virtuozzo 1
openvas 14
githubexploit 10
zdt 1
centos 1
redhatcve 7
packetstorm 1
ubuntu 6
osv 6
zdi 2
cbl_mariner 14
metasploit 1
cnvd 4
f5 4
redos 1
ibm 1
nessus
nessus
Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2023-12842)
2023-10-03 00:00:00
CBL Mariner 2.0 Security Update: kernel (CVE-2022-34918)
2023-03-20 00:00:00
Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel (OEM) vulnerability (USN-5545-1)
2022-08-03 00:00:00
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2023-10-03 00:00:00
kernel security update
2023-11-22 00:00:00
Unbreakable Enterprise kernel-container security update
2023-09-16 00:00:00
ubuntucve
ubuntucve
CVE-2022-34918
2022-07-04 00:00:00
CVE-2023-4459
2023-08-21 00:00:00
CVE-2023-35001
2023-07-05 00:00:00
cve
cve
CVE-2022-34918
2022-07-04 21:15:00
CVE-2023-22024
2023-09-20 21:15:11
CVE-2023-4459
2023-08-21 18:49:13
prion
prion
Type confusion
2022-07-04 21:15:00
Design/Logic Flaw
2023-09-20 21:15:00
Null pointer dereference
2023-08-21 19:15:00
debiancve
debiancve
CVE-2022-34918
2022-07-04 21:15:00
CVE-2023-4459
2023-08-21 19:15:09
CVE-2023-2513
2023-05-08 21:15:11
redhat
redhat
(RHSA-2023:7419) Important: kpatch-patch security update
2023-11-21 14:42:55
(RHSA-2024:0262) Important: kernel security update
2024-01-16 15:44:51
(RHSA-2024:1831) Important: kernel security update
2024-04-16 00:09:13
amazon
amazon
Important: kernel
2023-08-03 18:09:00
Important: kernel
2023-08-03 20:16:00
Important: kernel
2023-08-03 18:09:00
virtuozzo
virtuozzo
[Important] [Security] Virtuozzo ReadyKernel Patch 159.0 for Virtuozzo Hybrid Server 7.5
2023-08-21 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2023-2898)
2023-10-09 00:00:00
Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2023-3099)
2023-11-01 00:00:00
CentOS: Security Advisory for bpftool (CESA-2023:7423)
2024-03-05 00:00:00
githubexploit
githubexploit
Exploit for Type Confusion in Linux Linux Kernel
2022-07-24 14:47:40
Exploit for Type Confusion in Linux Linux Kernel
2022-08-02 09:52:02
Exploit for Type Confusion in Linux Linux Kernel
2022-07-25 06:13:41
zdt
zdt
Netfilter nft_set_elem_init Heap Overflow Privilege Escalation Exploit
2022-09-28 00:00:00
centos
centos
bpftool, kernel, perf, python security update
2024-01-12 19:36:38
redhatcve
redhatcve
CVE-2023-4459
2023-08-21 16:48:58
CVE-2022-34918
2022-07-06 09:06:11
CVE-2023-2513
2023-05-04 10:21:26
packetstorm
packetstorm
Netfilter nft_set_elem_init Heap Overflow Privilege Escalation
2022-09-28 00:00:00
ubuntu
ubuntu
Linux kernel (OEM) vulnerability
2022-08-02 00:00:00
Linux kernel vulnerabilities
2023-09-06 00:00:00
Linux kernel (GKE) vulnerabilities
2023-08-31 00:00:00
osv
osv
linux-oem-5.14, linux-oem-5.17 vulnerability
2022-08-02 17:39:00
linux-gcp-5.4, linux-oracle-5.4 vulnerabilities
2023-08-31 22:07:37
linux-raspi, linux-raspi-5.4 vulnerabilities
2023-09-06 14:11:44
zdi
zdi
(Pwn2Own) Linux Kernel nftables Incorrect Pointer Scaling Local Privilege Escalation Vulnerability
2023-07-06 00:00:00
Linux Kernel nf_tables_expr_destroy Use-After-Free Privilege Escalation Vulnerability
2023-12-20 00:00:00
cbl_mariner
cbl_mariner
CVE-2022-34918 affecting package kernel for versions less than 5.15.55.1-1
2022-08-03 21:15:19
CVE-2022-34918 affecting package kernel 5.10.123.1-1
2022-08-12 16:45:24
CVE-2023-4459 affecting package kernel for versions less than 5.15.126.1-1
2023-08-30 15:15:49
metasploit
metasploit
Netfilter nft_set_elem_init Heap Overflow Privilege Escalation
2022-07-20 11:51:22
cnvd
cnvd
Linux Kernel Denial of Service Vulnerability (CNVD-2023-71723)
2023-08-24 00:00:00
WordPress WP-EMail plugin cross-site scripting vulnerability
2023-08-18 00:00:00
Linux kernel elevation of privilege vulnerability (CNVD-2023-70082)
2023-09-11 00:00:00
f5
f5
K000133447 : Linux kernel vulnerability CVE-2022-32250
2023-04-11 00:00:00
K000137871 : Linux kernel vulnerability CVE-2023-35001
2023-12-12 00:00:00
K000138731 : Linux vulnerability CVE-2023-3776
2024-02-27 00:00:00
redos
redos
ROS-20220619-01
2022-06-19 00:00:00
ibm
ibm
Security Bulletin: IBM Security Guardium is affected by vulnerabilities in the Linux Kernel
2024-01-24 18:45:22

7.4 High

AI Score

Confidence

High

JSON
Related for ORACLEVM_OVMSA-2023-0023.NASL
nessus61oraclelinux9ubuntucve7cve10prion11debiancve8redhat16amazon3virtuozzo1openvas14githubexploit10zdt1centos1redhatcve7packetstorm1ubuntu6osv6zdi2cbl_mariner14metasploit1cnvd4f54redos1ibm1