Ubuntu 14.04 LTS : Linux kernel (Utopic HWE) vulnerabilities (USN-2447-1)

Nessus plugin UBUNTU_USN-2447-1.NASL, published Dec 15, 2014.
Ubuntu Security Notice (C) 2014-2024 Canonical, Inc. / NASL script (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2447-1 advisory.

  • The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c. (CVE-2014-3673)

  • The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF chunks that trigger an incorrect uncork within the side-effect interpreter. (CVE-2014-3687)

  • The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association’s output queue, as demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c. (CVE-2014-3688)

  • kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application. (CVE-2014-7825)

  • kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application. (CVE-2014-7826)

  • The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly interact with certain locations of a chroot directory, which allows local users to cause a denial of service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call. (CVE-2014-7970)

  • Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17 allows local users to cause a denial of service (file unavailability) via a combination of a write action and an F_SETFL fcntl operation for the O_DIRECT flag. (CVE-2014-8086)

  • The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value. (CVE-2014-8134)

  • The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601. (CVE-2014-8369)

  • The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite. (CVE-2014-9090)

  • arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space. (CVE-2014-9322)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2447-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(80033);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2014-3673",
    "CVE-2014-3687",
    "CVE-2014-3688",
    "CVE-2014-7825",
    "CVE-2014-7826",
    "CVE-2014-7970",
    "CVE-2014-8086",
    "CVE-2014-8134",
    "CVE-2014-8369",
    "CVE-2014-9090",
    "CVE-2014-9322"
  );
  script_bugtraq_id(
    70319,
    70376,
    70749,
    70766,
    70768,
    70883,
    70971,
    70972,
    71250
  );
  script_xref(name:"USN", value:"2447-1");

  script_name(english:"Ubuntu 14.04 LTS : Linux kernel (Utopic HWE) vulnerabilities (USN-2447-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-2447-1 advisory.

  - The SCTP implementation in the Linux kernel through 3.17.2 allows remote attackers to cause a denial of
    service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and
    net/sctp/sm_statefuns.c. (CVE-2014-3673)

  - The sctp_assoc_lookup_asconf_ack function in net/sctp/associola.c in the SCTP implementation in the Linux
    kernel through 3.17.2 allows remote attackers to cause a denial of service (panic) via duplicate ASCONF
    chunks that trigger an incorrect uncork within the side-effect interpreter. (CVE-2014-3687)

  - The SCTP implementation in the Linux kernel before 3.17.4 allows remote attackers to cause a denial of
    service (memory consumption) by triggering a large number of chunks in an association's output queue, as
    demonstrated by ASCONF probes, related to net/sctp/inqueue.c and net/sctp/sm_statefuns.c. (CVE-2014-3688)

  - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall
    numbers during use of the perf subsystem, which allows local users to cause a denial of service (out-of-
    bounds read and OOPS) or bypass the ASLR protection mechanism via a crafted application. (CVE-2014-7825)

  - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall
    numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial
    of service (invalid pointer dereference) via a crafted application. (CVE-2014-7826)

  - The pivot_root implementation in fs/namespace.c in the Linux kernel through 3.17 does not properly
    interact with certain locations of a chroot directory, which allows local users to cause a denial of
    service (mount-tree loop) via . (dot) values in both arguments to the pivot_root system call.
    (CVE-2014-7970)

  - Race condition in the ext4_file_write_iter function in fs/ext4/file.c in the Linux kernel through 3.17
    allows local users to cause a denial of service (file unavailability) via a combination of a write action
    and an F_SETFL fcntl operation for the O_DIRECT flag. (CVE-2014-8086)

  - The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper
    paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the
    ASLR protection mechanism via a crafted application that reads a 16-bit value. (CVE-2014-8134)

  - The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the
    number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of
    service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS
    privileges. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601. (CVE-2014-8369)

  - The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel through 3.17.4 does not
    properly handle faults associated with the Stack Segment (SS) segment register, which allows local users
    to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the
    linux-clock-tests test suite. (CVE-2014-9090)

  - arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated
    with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an
    IRET instruction that leads to access to a GS Base address from the wrong space. (CVE-2014-9322)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2447-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-9322");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/12/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2014-2024 Canonical, Inc. / NASL script (C) 2014-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '14.04': {
    '3.16.0': {
      'generic': '3.16.0-28',
      'generic-lpae': '3.16.0-28',
      'lowlatency': '3.16.0-28',
      'powerpc-e500mc': '3.16.0-28',
      'powerpc-smp': '3.16.0-28',
      'powerpc64-emb': '3.16.0-28',
      'powerpc64-smp': '3.16.0-28'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-2447-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2014-3673', 'CVE-2014-3687', 'CVE-2014-3688', 'CVE-2014-7825', 'CVE-2014-7826', 'CVE-2014-7970', 'CVE-2014-8086', 'CVE-2014-8134', 'CVE-2014-8369', 'CVE-2014-9090', 'CVE-2014-9322');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-2447-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
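The plugin's kernel check above looks up the fixed ABI for the host's release, base version and flavour, then compares the running uname -r against it with deb_ver_cmp(). As an added example (not code from the plugin or from Tenable's NASL libraries), this Python port implements the dpkg version-ordering rules that such a comparison relies on and replays the USN-2447-1 mapping; the function names and the sample release strings are assumptions constructed for illustration.

```python
import re

def _char_order(c):
    # dpkg char order: '~' < end-of-string < letters < other symbols.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg compare: alternate non-digit runs (lexical) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a)[0], re.match(r"[^0-9]*", b)[0]
        for i in range(max(len(na), len(nb))):
            oa, ob = _char_order(na[i:i + 1]), _char_order(nb[i:i + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a)[0], re.match(r"[0-9]*", b)[0]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def deb_version_cmp(v1, v2):
    # Split "[epoch:]upstream[-revision]" (revision = text after the last hyphen); <0, 0, >0.
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), up, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

# Fixed kernel ABI per flavour, as listed in the plugin's kernel_mappings.
FIXED = {"14.04": {"3.16.0": {f: "3.16.0-28" for f in (
    "generic", "generic-lpae", "lowlatency", "powerpc-e500mc",
    "powerpc-smp", "powerpc64-emb", "powerpc64-smp")}}}

def usn_2447_1_status(os_release, kernel_base, kernel_type, running):
    # Mirrors the plugin: no mapping -> flavour not covered; else uname -r must reach <fixed>-<flavour>.
    fixed = FIXED.get(os_release, {}).get(kernel_base, {}).get(kernel_type)
    if fixed is None:
        return "not-affected"
    return "vulnerable" if deb_version_cmp(running, fixed + "-" + kernel_type) < 0 else "patched"
```

Note that "3.16.0-27-generic" is parsed as upstream "3.16.0-27" with revision "generic", so the ABI number is compared numerically (27 < 28) rather than as a string.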
Vendor      Product        Version                                  CPE
canonical   ubuntu_linux   linux-image-3.16.0-28-generic            p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-generic
canonical   ubuntu_linux   linux-image-3.16.0-28-generic-lpae       p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-generic-lpae
canonical   ubuntu_linux   linux-image-3.16.0-28-lowlatency         p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-lowlatency
canonical   ubuntu_linux   linux-image-3.16.0-28-powerpc-e500mc     p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc-e500mc
canonical   ubuntu_linux   linux-image-3.16.0-28-powerpc-smp        p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc-smp
canonical   ubuntu_linux   linux-image-3.16.0-28-powerpc64-emb      p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc64-emb
canonical   ubuntu_linux   linux-image-3.16.0-28-powerpc64-smp      p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-28-powerpc64-smp
canonical   ubuntu_linux   14.04                                    cpe:/o:canonical:ubuntu_linux:14.04:-:lts