The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2337-1 advisory.
The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced. (CVE-2014-0155)
The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program. (CVE-2014-0181)
Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value. (CVE-2014-0206)
The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root. (CVE-2014-4014)
The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator. (CVE-2014-4027)
mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call. (CVE-2014-4171)
arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. (CVE-2014-4508)
Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (CVE-2014-4652)
sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (CVE-2014-4653)
The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. (CVE-2014-4654)
The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. (CVE-2014-4655)
Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. (CVE-2014-4656)
The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. (CVE-2014-4667)
The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a certain reference count during attempts to use the umount system call in conjunction with a symlink, which allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have unspecified other impact via the umount program. (CVE-2014-5045)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2337-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
  script_id(77492);
  script_version("1.24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2014-0155",
    "CVE-2014-0181",
    "CVE-2014-0206",
    "CVE-2014-4014",
    "CVE-2014-4027",
    "CVE-2014-4171",
    "CVE-2014-4508",
    "CVE-2014-4652",
    "CVE-2014-4653",
    "CVE-2014-4654",
    "CVE-2014-4655",
    "CVE-2014-4656",
    "CVE-2014-4667",
    "CVE-2014-5045"
  );
  script_bugtraq_id(
    66688,
    67034,
    67985,
    67988,
    68126,
    68157,
    68162,
    68163,
    68164,
    68170,
    68176,
    68224,
    68862
  );
  script_xref(name:"USN", value:"2337-1");

  script_name(english:"Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-2337-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-2337-1 advisory.
- The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly
validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of
service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected
code was moved to the ioapic_service function before the vulnerability was announced. (CVE-2014-0155)
- The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing
socket operations based on the opener of a socket, which allows local users to bypass intended access
restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr
of a setuid program. (CVE-2014-0181)
- Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1
allows local users to obtain sensitive information from kernel memory via a large head value.
(CVE-2014-0206)
- The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that
namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by
first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership
of root. (CVE-2014-4014)
- The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does
not properly initialize a certain data structure, which allows local users to obtain sensitive information
from ramdisk_mcp memory by leveraging access to a SCSI initiator. (CVE-2014-4027)
- mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range
notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by
using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity
by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.
(CVE-2014-4171)
- arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall
auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service
(OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. (CVE-2014-4508)
- Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in
sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local
users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.
(CVE-2014-4652)
- sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure
possession of a read/write lock, which allows local users to cause a denial of service (use-after-free)
and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access.
(CVE-2014-4653)
- The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux
kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows
local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by
leveraging /dev/snd/controlCX access for an ioctl call. (CVE-2014-4654)
- The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux
kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to
cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for
a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. (CVE-2014-4655)
- Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel
before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access,
related to (1) index values in the snd_ctl_add function and (2) numid values in the
snd_ctl_remove_numid_conflict function. (CVE-2014-4656)
- The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not
properly manage a certain backlog value, which allows remote attackers to cause a denial of service
(socket outage) via a crafted SCTP packet. (CVE-2014-4667)
- The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a
certain reference count during attempts to use the umount system call in conjunction with a symlink, which
allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have
unspecified other impact via the umount program. (CVE-2014-5045)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2337-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-5045");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2014-0181");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/09/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-powerpc-e500");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2014-2024 Canonical, Inc. / NASL script (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
  '14.04': {
    '3.13.0': {
      'generic': '3.13.0-35',
      'generic-lpae': '3.13.0-35',
      'lowlatency': '3.13.0-35',
      'powerpc-e500': '3.13.0-35',
      'powerpc-e500mc': '3.13.0-35',
      'powerpc-smp': '3.13.0-35',
      'powerpc64-emb': '3.13.0-35',
      'powerpc64-smp': '3.13.0-35'
    }
  }
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-2337-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2014-0155', 'CVE-2014-0181', 'CVE-2014-0206', 'CVE-2014-4014', 'CVE-2014-4027', 'CVE-2014-4171', 'CVE-2014-4508', 'CVE-2014-4652', 'CVE-2014-4653', 'CVE-2014-4654', 'CVE-2014-4655', 'CVE-2014-4656', 'CVE-2014-4667', 'CVE-2014-5045');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-2337-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}

if (extra) {
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : extra
  );
  exit(0);
}
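The plugin's decision comes down to three steps: split `uname -r` into a base version and flavour, look up the fixed ABI level for that pair in `kernel_mappings`, and compare the running release against `<fixed>-<flavour>` with a Debian-style version compare, letting a Ksplice hot-fix override a negative result. The following stand-alone Python script is an added example, not Tenable's or Canonical's code, that reproduces that logic so the check can be run or unit-tested outside Nessus. It assumes a simplified dpkg-style comparison (no epoch or revision split, which is enough for Ubuntu `uname -r` strings), assumes that a Ksplice hot-fix only counts when it covers every CVE in the advisory (the page does not show what `ksplice_cves_check()` requires), and uses constructed sample release strings.

```python
"""Stand-alone re-implementation of the USN-2337-1 kernel-level check.

Added example, not the Nessus plugin's own code. The version compare is a
simplified dpkg-style compare (assumption: no epoch/revision handling), which
suffices for `uname -r` strings such as 3.13.0-34-generic. The rule that a
Ksplice hot-fix only counts if it covers every CVE is an assumption.
"""
import re
from itertools import zip_longest

# Fixed kernel ABI levels, copied from the plugin's kernel_mappings table.
KERNEL_MAPPINGS = {
    "14.04": {
        "3.13.0": {
            "generic": "3.13.0-35",
            "generic-lpae": "3.13.0-35",
            "lowlatency": "3.13.0-35",
            "powerpc-e500": "3.13.0-35",
            "powerpc-e500mc": "3.13.0-35",
            "powerpc-smp": "3.13.0-35",
            "powerpc64-emb": "3.13.0-35",
            "powerpc64-smp": "3.13.0-35",
        }
    }
}

# CVEs fixed by USN-2337-1, as listed in the plugin's cve_list.
CVE_LIST = (
    "CVE-2014-0155", "CVE-2014-0181", "CVE-2014-0206", "CVE-2014-4014",
    "CVE-2014-4027", "CVE-2014-4171", "CVE-2014-4508", "CVE-2014-4652",
    "CVE-2014-4653", "CVE-2014-4654", "CVE-2014-4655", "CVE-2014-4656",
    "CVE-2014-4667", "CVE-2014-5045",
)


def _char_order(c):
    """dpkg ordering for non-digit characters: '~' sorts before everything
    (even end of string), then end of string, then letters, then the rest."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for ca, cb in zip_longest(a, b, fillvalue=""):
        oa, ob = _char_order(ca), _char_order(cb)
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def deb_ver_cmp(ver1, ver2):
    """Return <0, 0 or >0 like the plugin's deb_ver_cmp(): the strings are
    split into alternating non-digit / digit runs; non-digit runs use dpkg's
    character order, digit runs compare numerically (so 100 > 35)."""
    tok = re.compile(r"(\D*)(\d*)")
    for (s1, n1), (s2, n2) in zip_longest(tok.findall(ver1), tok.findall(ver2),
                                          fillvalue=("", "")):
        c = _cmp_nondigit(s1, s2)
        if c:
            return c
        i1, i2 = int(n1 or 0), int(n2 or 0)
        if i1 != i2:
            return -1 if i1 < i2 else 1
    return 0


def parse_uname_r(release):
    """Split '3.13.0-34-generic' into ('3.13.0', 'generic'), mirroring the
    Host/Debian/kernel-base-version and kernel-type KB items; None if the
    string is not an Ubuntu-style release."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)-(\d+)-([a-z0-9-]+)", release)
    return (m.group(1), m.group(3)) if m else None


def check_kernel(os_release, release, ksplice_cves=frozenset()):
    """Return (vulnerable, message) for one host; `ksplice_cves` is the set of
    CVEs a Ksplice hot-fix reports as patched (empty when there is none)."""
    os_release = os_release.strip()
    if os_release not in KERNEL_MAPPINGS:
        return False, f"Ubuntu {os_release} is not covered by USN-2337-1"
    parsed = parse_uname_r(release)
    if parsed is None:
        return False, f"unrecognised kernel release string {release!r}"
    base, flavour = parsed
    fixed = KERNEL_MAPPINGS[os_release].get(base, {}).get(flavour)
    if fixed is None:
        return False, f"kernel {release} is not in scope for USN-2337-1"
    fixed_release = f"{fixed}-{flavour}"
    if deb_ver_cmp(release, fixed_release) >= 0:
        return False, f"kernel {release} meets the fixed level {fixed_release}"
    # Assumption: a hot-fix only counts when every advisory CVE is covered.
    missing = [c for c in CVE_LIST if c not in ksplice_cves]
    if not missing:
        return False, "Ksplice hotfix covers every CVE in USN-2337-1"
    return True, (f"Running kernel {release} does not meet the minimum fixed "
                  f"level {fixed_release}; unpatched: {', '.join(missing)}")


if __name__ == "__main__":
    # Constructed sample hosts; real input is `lsb_release -r` plus `uname -r`.
    for osr, rel, ks in [("14.04", "3.13.0-34-generic", frozenset()),
                         ("14.04", "3.13.0-35-generic", frozenset()),
                         ("14.04", "3.13.0-34-lowlatency", frozenset(CVE_LIST))]:
        vuln, msg = check_kernel(osr, rel, ks)
        print("VULNERABLE" if vuln else "ok", "-", msg)
```

Two points worth noticing when reading it against the plugin: a kernel whose base version or flavour is absent from the mapping (say a 3.16 HWE kernel on 14.04) is reported as not in scope rather than as patched, exactly as the plugin's `AUDIT_INST_VER_NOT_VULN` path does, and the numeric compare is what makes `3.13.0-100-generic` sort above `3.13.0-35-generic`, which a plain string compare would get wrong.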
| Vendor | Product | Version | CPE |
|---|---|---|---|
| canonical | ubuntu_linux | linux-image-3.13.0-35-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-generic |
| canonical | ubuntu_linux | linux-image-3.13.0-35-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-generic-lpae |
| canonical | ubuntu_linux | linux-image-3.13.0-35-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-lowlatency |
| canonical | ubuntu_linux | linux-image-3.13.0-35-powerpc-e500 | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-powerpc-e500 |
| canonical | ubuntu_linux | linux-image-3.13.0-35-powerpc-e500mc | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-powerpc-e500mc |
| canonical | ubuntu_linux | linux-image-3.13.0-35-powerpc-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-powerpc-smp |
| canonical | ubuntu_linux | linux-image-3.13.0-35-powerpc64-emb | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-powerpc64-emb |
| canonical | ubuntu_linux | linux-image-3.13.0-35-powerpc64-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-35-powerpc64-smp |
| canonical | ubuntu_linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04:-:lts |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0155
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0181
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0206
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4014
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4027
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4171
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4508
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4652
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4653
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4654
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4655
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4656
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4667
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5045
ubuntu.com/security/notices/USN-2337-1