Ubuntu Security Notice (C) 2014-2024 Canonical, Inc. / NASL script (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-2290-1.NASLUbuntu 14.04 LTS : Linux kernel vulnerabilities (USN-2290-1)
7.8 High
AI Score
Confidence
High
The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2290-1 advisory.
-
The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.
(CVE-2014-1739) -
The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and
__skb_get_nlattr_nest functions before the vulnerability was announced. (CVE-2014-3144) -
The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced.
(CVE-2014-3145) -
The Linux kernel through 3.14.5 does not properly consider the presence of hugetlb entries, which allows local users to cause a denial of service (memory corruption or system crash) by accessing certain memory locations, as demonstrated by triggering a race condition via numa_maps read operations during hugepage migration, related to fs/proc/task_mmu.c and mm/mempolicy.c. (CVE-2014-3940)
-
Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet LZ4 before r118 and in the lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit platforms might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run that would be improperly handled by programs not complying with an API limitation, a different vulnerability than CVE-2014-4715. (CVE-2014-4611)
-
The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.
(CVE-2014-4943) -
The net_get_random_once implementation in net/core/utils.c in the Linux kernel 3.13.x and 3.14.x before 3.14.5 on certain Intel processors does not perform the intended slow-path operation to initialize random seeds, which makes it easier for remote attackers to spoof or disrupt IP communication by leveraging the predictability of TCP sequence numbers, TCP and UDP port numbers, and IP ID values. (CVE-2014-7284)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2290-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(76569);
script_version("1.23");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");
script_cve_id(
"CVE-2014-1739",
"CVE-2014-3144",
"CVE-2014-3145",
"CVE-2014-3940",
"CVE-2014-4611",
"CVE-2014-4943",
"CVE-2014-7284"
);
script_bugtraq_id(
67309,
67321,
67786,
68048,
68214,
68218,
68683
);
script_xref(name:"USN", value:"2290-1");
script_name(english:"Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-2290-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-2290-1 advisory.
- The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6
does not initialize a certain data structure, which allows local users to obtain sensitive information
from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call.
(CVE-2014-1739)
- The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter
function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length
value is sufficiently large, which allows local users to cause a denial of service (integer underflow and
system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and
__skb_get_nlattr_nest functions before the vulnerability was announced. (CVE-2014-3144)
- The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in
the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users
to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected
code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced.
(CVE-2014-3145)
- The Linux kernel through 3.14.5 does not properly consider the presence of hugetlb entries, which allows
local users to cause a denial of service (memory corruption or system crash) by accessing certain memory
locations, as demonstrated by triggering a race condition via numa_maps read operations during hugepage
migration, related to fs/proc/task_mmu.c and mm/mempolicy.c. (CVE-2014-3940)
- Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet LZ4 before r118 and in the
lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit platforms
might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have
unspecified other impact via a crafted Literal Run that would be improperly handled by programs not
complying with an API limitation, a different vulnerability than CVE-2014-4715. (CVE-2014-4611)
- The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain
privileges by leveraging data-structure differences between an l2tp socket and an inet socket.
(CVE-2014-4943)
- The net_get_random_once implementation in net/core/utils.c in the Linux kernel 3.13.x and 3.14.x before
3.14.5 on certain Intel processors does not perform the intended slow-path operation to initialize random
seeds, which makes it easier for remote attackers to spoof or disrupt IP communication by leveraging the
predictability of TCP sequence numbers, TCP and UDP port numbers, and IP ID values. (CVE-2014-7284)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2290-1");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-4943");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2014-3144");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/11");
script_set_attribute(attribute:"patch_publication_date", value:"2014/07/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/17");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-generic");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-generic-lpae");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-lowlatency");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-powerpc-e500");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-powerpc-e500mc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-powerpc-smp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-powerpc64-emb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-powerpc64-smp");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2014-2024 Canonical, Inc. / NASL script (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'14.04': {
'3.13.0': {
'generic': '3.13.0-32',
'generic-lpae': '3.13.0-32',
'lowlatency': '3.13.0-32',
'powerpc-e500': '3.13.0-32',
'powerpc-e500mc': '3.13.0-32',
'powerpc-smp': '3.13.0-32',
'powerpc64-emb': '3.13.0-32',
'powerpc64-smp': '3.13.0-32'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-2290-1');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2014-1739', 'CVE-2014-3144', 'CVE-2014-3145', 'CVE-2014-3940', 'CVE-2014-4611', 'CVE-2014-4943', 'CVE-2014-7284');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-2290-1');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : extra
);
exit(0);
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| canonical | ubuntu_linux | linux-image-3.13.0-32-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-generic |
| canonical | ubuntu_linux | linux-image-3.13.0-32-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-generic-lpae |
| canonical | ubuntu_linux | linux-image-3.13.0-32-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-lowlatency |
| canonical | ubuntu_linux | linux-image-3.13.0-32-powerpc-e500 | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-powerpc-e500 |
| canonical | ubuntu_linux | linux-image-3.13.0-32-powerpc-e500mc | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-powerpc-e500mc |
| canonical | ubuntu_linux | linux-image-3.13.0-32-powerpc-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-powerpc-smp |
| canonical | ubuntu_linux | linux-image-3.13.0-32-powerpc64-emb | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-powerpc64-emb |
| canonical | ubuntu_linux | linux-image-3.13.0-32-powerpc64-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-32-powerpc64-smp |
| canonical | ubuntu_linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04:-:lts |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1739
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3144
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3145
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3940
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4611
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4943
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7284
ubuntu.com/security/notices/USN-2290-1
Related
