Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.SL_20171115_KERNEL_ON_SL6_X.NASL
HistoryNov 16, 2017 - 12:00 a.m.

Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20171115)

2017-11-1600:00:00
This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
44
JSON

Security Fix(es) :

  • A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111, Important)

  • An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges.
    (CVE-2017-1000112, Important)

  • A divide-by-zero vulnerability was found in the
    __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial of service. (CVE-2017-14106, Moderate)

Bug Fix(es) :

  • When the operating system was booted with RHEV/oVirt, and the eh_deadline sysfs parameter was set to 10s, the Storage Area Network (SAN) issues caused eh_deadline to trigger with no handler. Consequently, a kernel panic occurred. This update fixes the lpfc driver, thus preventing the kernel panic under described circumstances.

  • When an NFS server returned the NFS4ERR_BAD_SEQID error to an OPEN request, the open-owner was removed from the state_owners rbtree. Consequently, NFS4 client infinite loop that required a reboot to recover occurred. This update changes NFS4ERR_BAD_SEQID handling to leave the open-owner in the state_owners rbtree by updating the create_time parameter so that it looks like a new open-owner. As a result, an NFS4 client is now able to recover without falling into the infinite recovery loop after receiving NFS4ERR_BAD_SEQID.

  • If an NFS client attempted to mount NFSv3 shares from an NFS server exported directly to the client’s IP address, and this NFS client had already mounted other shares that originated from the same server but were exported to the subnetwork which this client was part of, the auth.unix.ip cache expiration was not handled correctly.
    Consequently, the client received the ‘stale file handle’ errors when trying to mount the share. This update fixes handling of the cache expiration, and the NFSv3 shares now mount as expected without producing the ‘stale file handle’ errors.

  • When running a script that raised the tx ring count to its maximum value supported by the Solarflare Network Interface Controller (NIC) driver, the EF10 family NICs allowed the settings exceeding the hardware’s capability. Consequently, the Solarflare hardware became unusable with Scientific Linux 6. This update fixes the sfc driver, so that the tx ring can have maximum 2048 entries for all EF10 NICs. As a result, the Solarflare hardware no longer becomes unusable.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(104623);
  script_version("3.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");

  script_cve_id("CVE-2017-1000111", "CVE-2017-1000112", "CVE-2017-14106");

  script_name(english:"Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20171115)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Scientific Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Security Fix(es) :

  - A race condition issue leading to a use-after-free flaw
    was found in the way the raw packet sockets are
    implemented in the Linux kernel networking subsystem
    handling synchronization. A local user able to open a
    raw packet socket (requires the CAP_NET_RAW capability)
    could use this flaw to elevate their privileges on the
    system. (CVE-2017-1000111, Important)

  - An exploitable memory corruption flaw was found in the
    Linux kernel. The append path can be erroneously
    switched from UFO to non-UFO in ip_ufo_append_data()
    when building an UFO packet with MSG_MORE option. If
    unprivileged user namespaces are available, this flaw
    can be exploited to gain root privileges.
    (CVE-2017-1000112, Important)

  - A divide-by-zero vulnerability was found in the
    __tcp_select_window function in the Linux kernel. This
    can result in a kernel panic causing a local denial of
    service. (CVE-2017-14106, Moderate)

Bug Fix(es) :

  - When the operating system was booted with RHEV/oVirt,
    and the eh_deadline sysfs parameter was set to 10s, the
    Storage Area Network (SAN) issues caused eh_deadline to
    trigger with no handler. Consequently, a kernel panic
    occurred. This update fixes the lpfc driver, thus
    preventing the kernel panic under described
    circumstances.

  - When an NFS server returned the NFS4ERR_BAD_SEQID error
    to an OPEN request, the open-owner was removed from the
    state_owners rbtree. Consequently, NFS4 client infinite
    loop that required a reboot to recover occurred. This
    update changes NFS4ERR_BAD_SEQID handling to leave the
    open-owner in the state_owners rbtree by updating the
    create_time parameter so that it looks like a new
    open-owner. As a result, an NFS4 client is now able to
    recover without falling into the infinite recovery loop
    after receiving NFS4ERR_BAD_SEQID.

  - If an NFS client attempted to mount NFSv3 shares from an
    NFS server exported directly to the client's IP address,
    and this NFS client had already mounted other shares
    that originated from the same server but were exported
    to the subnetwork which this client was part of, the
    auth.unix.ip cache expiration was not handled correctly.
    Consequently, the client received the 'stale file
    handle' errors when trying to mount the share. This
    update fixes handling of the cache expiration, and the
    NFSv3 shares now mount as expected without producing the
    'stale file handle' errors.

  - When running a script that raised the tx ring count to
    its maximum value supported by the Solarflare Network
    Interface Controller (NIC) driver, the EF10 family NICs
    allowed the settings exceeding the hardware's
    capability. Consequently, the Solarflare hardware became
    unusable with Scientific Linux 6. This update fixes the
    sfc driver, so that the tx ring can have maximum 2048
    entries for all EF10 NICs. As a result, the Solarflare
    hardware no longer becomes unusable."
  );
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1711&L=scientific-linux-errata&F=&S=&P=846
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?43c4509f"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-i686");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-firmware");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/11/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/16");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Scientific Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);


flag = 0;
if (rpm_check(release:"SL6", reference:"kernel-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"kernel-abi-whitelists-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"kernel-debug-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"kernel-debug-debuginfo-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"kernel-debug-devel-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"kernel-debuginfo-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"kernel-debuginfo-common-i686-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", cpu:"x86_64", reference:"kernel-debuginfo-common-x86_64-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"kernel-devel-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"kernel-doc-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"kernel-firmware-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"kernel-headers-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"perf-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"perf-debuginfo-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"python-perf-2.6.32-696.16.1.el6")) flag++;
if (rpm_check(release:"SL6", reference:"python-perf-debuginfo-2.6.32-696.16.1.el6")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel / kernel-abi-whitelists / kernel-debug / etc");
}
VendorProductVersionCPE
fermilabscientific_linuxkernelp-cpe:/a:fermilab:scientific_linux:kernel
fermilabscientific_linuxkernel-abi-whitelistsp-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists
fermilabscientific_linuxkernel-debugp-cpe:/a:fermilab:scientific_linux:kernel-debug
fermilabscientific_linuxkernel-debug-debuginfop-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo
fermilabscientific_linuxkernel-debug-develp-cpe:/a:fermilab:scientific_linux:kernel-debug-devel
fermilabscientific_linuxkernel-debuginfop-cpe:/a:fermilab:scientific_linux:kernel-debuginfo
fermilabscientific_linuxkernel-debuginfo-common-i686p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-i686
fermilabscientific_linuxkernel-debuginfo-common-x86_64p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64
fermilabscientific_linuxkernel-develp-cpe:/a:fermilab:scientific_linux:kernel-devel
fermilabscientific_linuxkernel-docp-cpe:/a:fermilab:scientific_linux:kernel-doc
Rows per page:
1-10 of 171

Related

redhat 7
openvas 45
nessus 54
centos 2
ubuntu 11
cloudfoundry 1
suse 35
virtuozzo 6
oraclelinux 3
fedora 2
amazon 1
debiancve 3
veracode 3
redhatcve 3
f5 3
seebug 1
packetstorm 1
myhack58 1
cve 3
ibm 1
prion 3
ubuntucve 3
metasploit 1
exploitpack 2
hackerone 1
exploitdb 3
redhat
redhat
(RHSA-2017:3200) Important: kernel security and bug fix update
2017-11-14 19:40:45
(RHSA-2017:2918) Important: kernel-rt security and bug fix update
2017-10-19 13:10:34
(RHSA-2017:2930) Important: kernel security and bug fix update
2017-10-19 13:19:00
openvas
openvas
RedHat Update for kernel RHSA-2017:3200-01
2017-11-16 00:00:00
CentOS Update for kernel CESA-2017:3200 centos6
2017-11-16 00:00:00
SUSE: Security Advisory (SUSE-SU-2017:2142-1)
2021-04-19 00:00:00
nessus
nessus
RHEL 6 : kernel (RHSA-2017:3200)
2017-11-15 00:00:00
CentOS 6 : kernel (CESA-2017:3200)
2017-11-16 00:00:00
Oracle Linux 6 : kernel (ELSA-2017-3200)
2017-11-16 00:00:00
centos
centos
kernel, perf, python security update
2017-11-15 21:38:19
kernel, perf, python security update
2017-10-23 17:05:09
ubuntu
ubuntu
Linux kernel (HWE) vulnerabilities
2017-08-11 00:00:00
Linux kernel vulnerabilities
2017-08-11 00:00:00
Linux kernel (Xenial HWE) vulnerabilities
2017-08-11 00:00:00
cloudfoundry
cloudfoundry
USN-3385-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry
2017-08-17 00:00:00
suse
suse
Security update for the Linux Kernel (important)
2017-08-11 06:07:36
Security update for the Linux Kernel (important)
2017-08-11 21:07:51
Security update for the Linux Kernel (important)
2017-08-12 00:08:29
virtuozzo
virtuozzo
Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.1 for Virtuozzo 7.0.5
2017-08-18 00:00:00
Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3
2017-08-17 00:00:00
Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.0 for Virtuozzo 7.0.4 and 7.0.4 HF3
2017-08-17 00:00:00
oraclelinux
oraclelinux
kernel security and bug fix update
2017-11-15 00:00:00
kernel security and bug fix update
2017-10-19 00:00:00
kernel security and bug fix update
2017-10-20 00:00:00
fedora
fedora
[SECURITY] Fedora 26 Update: kernel-4.12.8-300.fc26
2017-08-24 03:52:29
[SECURITY] Fedora 25 Update: kernel-4.12.8-200.fc25
2017-08-23 06:09:57
amazon
amazon
Critical: kernel
2017-08-10 16:31:00
debiancve
debiancve
CVE-2017-14106
2017-09-01 16:29:00
CVE-2017-1000112
2017-10-05 01:29:00
CVE-2017-1000111
2017-10-05 01:29:00
veracode
veracode
Denial Of Service (DoS)
2019-01-15 09:23:54
Privilege Escalation
2019-01-15 09:19:49
Privilege Escalation
2019-05-02 06:37:27
redhatcve
redhatcve
CVE-2017-1000111
2017-08-11 08:18:42
CVE-2017-14106
2017-09-01 16:48:35
CVE-2017-1000112
2019-10-10 23:53:59
f5
f5
K60250153 : Linux kernel vulnerability CVE-2017-1000112
2018-03-14 00:00:00
K62178133 : Linux kernel vulnerability CVE-2017-14106
2017-10-05 00:00:00
K44309215 : Linux kernel vulnerability CVE-2017-1000111
2018-03-14 00:00:00
seebug
seebug
Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch(CVE-2017-1000112)
2017-08-14 00:00:00
packetstorm
packetstorm
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
2018-08-03 00:00:00
myhack58
myhack58
Struts 2 S2-053 flaws vulnerability bug thematic research with the POC-the exploit-warning-the black bar safety net
2017-09-17 00:00:00
cve
cve
CVE-2017-14106
2017-09-01 16:29:00
CVE-2017-1000112
2017-10-05 01:29:00
CVE-2017-1000111
2017-10-05 01:29:00
ibm
ibm
Security Bulletin: A tcp vulnerability in Linux Kernel affects IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems (CVE-2017-14106)
2023-04-14 14:32:25
prion
prion
Path traversal
2017-09-01 16:29:00
Memory corruption
2017-10-05 01:29:00
Heap overflow
2017-10-05 01:29:00
ubuntucve
ubuntucve
CVE-2017-14106
2017-09-01 00:00:00
CVE-2017-1000112
2017-08-10 00:00:00
CVE-2017-1000111
2017-08-10 00:00:00
metasploit
metasploit
Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation
2018-04-18 00:39:59
exploitpack
exploitpack
Linux Kernel 4.4.0 4.8.0 (Ubuntu 14.0416.04 Linux Mint 1718 Zorin) - Local Privilege Escalation (KASLR SMEP)
2018-12-29 00:00:00
Linux Kernel 4.4.0-83 4.8.0-58 (Ubuntu 14.0416.04) - Local Privilege Escalation (KASLR SMEP)
2017-08-13 00:00:00
hackerone
hackerone
Internet Bug Bounty: Linux kernel: CVE-2017-1000112: a memory corruption due to UFO to non-UFO path switch
2019-08-29 14:08:01
exploitdb
exploitdb
Linux Kernel &lt; 4.4.0-83 / &lt; 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)
2017-08-13 00:00:00
Linux Kernel - UDP Fragmentation Offset &#039;UFO&#039; Privilege Escalation (Metasploit)
2018-08-03 00:00:00
Linux Kernel &lt; 4.4.0/ &lt; 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)
2018-12-29 00:00:00
JSON
Related for SL_20171115_KERNEL_ON_SL6_X.NASL
redhat7openvas45nessus54centos2ubuntu11cloudfoundry1suse35virtuozzo6oraclelinux3fedora2amazon1debiancve3veracode3redhatcve3f53seebug1packetstorm1myhack581cve3ibm1prion3ubuntucve3metasploit1exploitpack2hackerone1exploitdb3