The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2447-1 advisory.
The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c. (CVE-2014-3673)
The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter. (CVE-2014-3687)
The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association’s output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c. (CVE-2014-3688)
kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application. (CVE-2014-7825)
kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application. (CVE-2014-7826)
The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call. (CVE-2014-7970)
Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17 allows local users to cause a denial of service (file unavailability) via a combination of a write action and an F_SETFL fcntl operation for the O_DIRECT flag. (CVE-2014-8086)
The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value. (CVE-2014-8134)
The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601. (CVE-2014-8369)
The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite. (CVE-2014-9090)
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space. (CVE-2014-9322)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2447-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(80033);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2014-3673",
    "CVE-2014-3687",
    "CVE-2014-3688",
    "CVE-2014-7825",
    "CVE-2014-7826",
    "CVE-2014-7970",
    "CVE-2014-8086",
    "CVE-2014-8134",
    "CVE-2014-8369",
    "CVE-2014-9090",
    "CVE-2014-9322"
  );
  script_bugtraq_id(
    70319,
    70376,
    70749,
    70766,
    70768,
    70883,
    70971,
    70972,
    71250
  );
  script_xref(name:"USN", value:"2447-1");

  script_name(english:"Ubuntu 14.04 LTS : Linux kernel (Utopic HWE) vulnerabilities (USN-2447-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-2447-1 advisory.

  - The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of
    service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and
    net/sctp/sm_statefuns.c. (CVE-2014-3673)

  - The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux
    kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF
    chunks that trigger an incorrect uncork within the side-effect interpreter. (CVE-2014-3687)

  - The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of
    service (memory consumption) by triggering a large number of chunks in an association's output queue, as
    demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c. (CVE-2014-3688)

  - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall
    numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-
    bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application. (CVE-2014-7825)

  - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall
    numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial
    of service (invalid pointer dereference) via a crafted application. (CVE-2014-7826)

  - The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly
    interact with certain locations of a chroot directory, which allows local users to cause a denial of
    service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.
    (CVE-2014-7970)

  - Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17
    allows local users to cause a denial of service (file unavailability) via a combination of a write action
    and an F_SETFL fcntl operation for the O_DIRECT flag. (CVE-2014-8086)

  - The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper
    paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the
    ASLR protection mechanism via a crafted application that reads a 16-bit value. (CVE-2014-8134)

  - The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the
    number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of
    service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS
    privileges. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601. (CVE-2014-8369)

  - The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not
    properly handle faults associated with the Stack Segment (SS) segment register, which allows local users
    to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the
    linux-clock-tests test suite. (CVE-2014-9090)

  - arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated
    with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an
    IRET instruction that leads to access to a GS Base address from the wrong space. (CVE-2014-9322)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2447-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-9322");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2014-2024 Canonical, Inc. / NASL script (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

# Preconditions: local checks enabled, release is Ubuntu 14.04, dpkg list
# collected, and an architecture for which these checks are implemented.
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

# Minimum fixed kernel ABI per release / base version / flavour. Only the
# 3.16.0 (Utopic HWE) kernel on 14.04 is covered by this advisory.
var kernel_mappings = {
  '14.04': {
    '3.16.0': {
      'generic': '3.16.0-28',
      'generic-lpae': '3.16.0-28',
      'lowlatency': '3.16.0-28',
      'powerpc-e500mc': '3.16.0-28',
      'powerpc-smp': '3.16.0-28',
      'powerpc64-emb': '3.16.0-28',
      'powerpc64-smp': '3.16.0-28'
    }
  }
};

# Prefer the Ksplice-reported kernel release when present, otherwise uname -r.
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');

# A kernel with no entry in the mapping (e.g. a different base version) is not
# affected by this advisory.
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;

# Debian version ordering, not string comparison, decides whether the running
# kernel is below the fixed level.
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-2447-1');
}

# A Ksplice hotfix covering every CVE in the advisory counts as patched.
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2014-3673', 'CVE-2014-3687', 'CVE-2014-3688', 'CVE-2014-7825', 'CVE-2014-7826', 'CVE-2014-7970', 'CVE-2014-8086', 'CVE-2014-8134', 'CVE-2014-8369', 'CVE-2014-9090', 'CVE-2014-9322');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-2447-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}

if (extra) {
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : extra
  );
  exit(0);
}
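The plugin's decision rests on two things: the kernel_mappings table and deb_ver_cmp, which orders kernel release strings by Debian's dpkg rules rather than as plain strings. The following is an added re-implementation of that check in Python; it is not Tenable's code, `check_host` and the helper names are hypothetical, and the sample host tuples are constructed. The mapping table is copied from the plugin above, and the comparison reproduces dpkg's verrevcmp() algorithm (numeric runs compared as numbers, `~` sorting before everything), which is what makes a hypothetical `3.16.0-100-generic` correctly sort after the fixed `3.16.0-28-generic` where a string comparison would flag it as vulnerable.

```python
"""Re-implementation (not Tenable's code) of the kernel-level check in the
USN-2447-1 plugin, using dpkg's version-ordering rules."""

# Fixed kernel ABI per release / base version / flavour, as in the plugin's
# kernel_mappings table on the page.
KERNEL_MAPPINGS = {"14.04": {"3.16.0": {
    "generic": "3.16.0-28", "generic-lpae": "3.16.0-28",
    "lowlatency": "3.16.0-28", "powerpc-e500mc": "3.16.0-28",
    "powerpc-smp": "3.16.0-28", "powerpc64-emb": "3.16.0-28",
    "powerpc64-smp": "3.16.0-28"}}}


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    # dpkg weighting: end-of-string and digits 0, letters by code point,
    # '~' before everything (even end of string), other symbols after letters.
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate runs of non-digits (weighted by _order)
    and runs of digits compared numerically, so '100' sorts after '28'."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision'; epoch and revision are optional and the
    revision is everything after the last '-' (so '-generic' is the revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-") if "-" in version else (version, "", "")
    return epoch, upstream, revision


def deb_ver_cmp(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def check_host(os_release, kernel_base_version, kernel_type, running_release):
    """Mirror the plugin's decision: 'not_applicable' when no mapping exists
    (e.g. the stock 3.13.0 Trusty kernel), 'vulnerable' when the running
    kernel sorts below the fixed level, otherwise 'patched'."""
    fixed_abi = (KERNEL_MAPPINGS.get(os_release, {})
                 .get(kernel_base_version, {}).get(kernel_type))
    if fixed_abi is None:
        return ("not_applicable", None)
    fixed_release = fixed_abi + "-" + kernel_type
    if deb_ver_cmp(running_release, fixed_release) < 0:
        return ("vulnerable", fixed_release)
    return ("patched", fixed_release)


if __name__ == "__main__":
    # Constructed sample hosts, not real scan data.
    for host in [("14.04", "3.16.0", "generic", "3.16.0-25-generic"),
                 ("14.04", "3.16.0", "generic", "3.16.0-100-generic"),
                 ("14.04", "3.13.0", "generic", "3.13.0-40-generic")]:
        print(host[3], "->", check_host(*host))
```

The `not_applicable` branch corresponds to the plugin's AUDIT_INST_VER_NOT_VULN audit: a 14.04 host running the stock 3.13.0 kernel has no entry in the table and is simply outside this advisory's scope, which is different from being patched. On a real host, `dpkg --compare-versions` gives the same ordering as `deb_ver_cmp` here, so the result can be cross-checked against `uname -r` directly.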
| Vendor | Product | Version | CPE |
|---|---|---|---|
| canonical | ubuntu_linux | linux-image-3.16.0-28-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-generic |
| canonical | ubuntu_linux | linux-image-3.16.0-28-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-generic-lpae |
| canonical | ubuntu_linux | linux-image-3.16.0-28-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-lowlatency |
| canonical | ubuntu_linux | linux-image-3.16.0-28-powerpc-e500mc | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc-e500mc |
| canonical | ubuntu_linux | linux-image-3.16.0-28-powerpc-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc-smp |
| canonical | ubuntu_linux | linux-image-3.16.0-28-powerpc64-emb | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc64-emb |
| canonical | ubuntu_linux | linux-image-3.16.0-28-powerpc64-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc64-smp |
| canonical | ubuntu_linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04:-:lts |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3673
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3687
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3688
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7825
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7826
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7970
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8086
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8134
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8369
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9090
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9322
ubuntu.com/security/notices/USN-2447-1