Nessus plugin UBUNTU_USN-2517-1.NASL
Ubuntu 14.04 LTS : Linux kernel (Utopic HWE) vulnerabilities (USN-2517-1)

Published: Feb 27, 2015
Source: www.tenable.com
Ubuntu Security Notice (C) 2015-2024 Canonical, Inc. / NASL script (C) 2015-2024 and is owned by Tenable, Inc. or an Affiliate thereof.

AI Score: 7.8 High (Confidence: High)

The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2517-1 advisory.

  • arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value. (CVE-2014-8133)

  • net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers. (CVE-2014-8160)

  • The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang) via a crafted application. (CVE-2014-8559)

  • The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a negative groups issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c. (CVE-2014-8989)

  • The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address. (CVE-2014-9419)

  • The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image. (CVE-2014-9420)

  • The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets. (CVE-2014-9428)

  • Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key. (CVE-2014-9529)

  • The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image. (CVE-2014-9584)

  • The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD. (CVE-2014-9585)

  • Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename. (CVE-2014-9683)

  • The UDF filesystem implementation in the Linux kernel before 3.18.2 does not validate certain lengths, which allows local users to cause a denial of service (buffer over-read and system crash) via a crafted filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c. (CVE-2014-9728)

  • The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.18.2 does not ensure a certain data-structure size consistency, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image. (CVE-2014-9729)

  • The udf_pc_to_char function in fs/udf/symlink.c in the Linux kernel before 3.18.2 relies on component lengths that are unused, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image. (CVE-2014-9730)

  • The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target’s name along with a trailing \0 character, which allows local users to obtain sensitive information via a crafted filesystem image, related to fs/udf/symlink.c and fs/udf/unicode.c. (CVE-2014-9731)

  • The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER instruction. (CVE-2015-0239)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2517-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(81570);
  script_version("1.21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2014-8133",
    "CVE-2014-8160",
    "CVE-2014-8559",
    "CVE-2014-8989",
    "CVE-2014-9419",
    "CVE-2014-9420",
    "CVE-2014-9428",
    "CVE-2014-9529",
    "CVE-2014-9584",
    "CVE-2014-9585",
    "CVE-2014-9683",
    "CVE-2014-9728",
    "CVE-2014-9729",
    "CVE-2014-9730",
    "CVE-2014-9731",
    "CVE-2015-0239"
  );
  script_bugtraq_id(
    70854,
    71154,
    71684,
    71717,
    71794,
    71847,
    71880,
    71883,
    71990,
    72061,
    72643,
    72842
  );
  script_xref(name:"USN", value:"2517-1");

  script_name(english:"Ubuntu 14.04 LTS : Linux kernel (Utopic HWE) vulnerabilities (USN-2517-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-2517-1 advisory.

  - arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1
    allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local
    users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area
    system call and later reads a 16-bit value. (CVE-2014-8133)

  - net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack
    entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols,
    which allows remote attackers to bypass intended access restrictions via packets with disallowed port
    numbers. (CVE-2014-8160)

  - The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the
    semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang)
    via a crafted application. (CVE-2014-8559)

  - The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in
    certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a
    POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other
    category, aka a negative groups issue, related to kernel/groups.c, kernel/uid16.c, and
    kernel/user_namespace.c. (CVE-2014-8989)

  - The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not
    ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which
    makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that
    reads a TLS base address. (CVE-2014-9419)

  - The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the
    number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite
    loop, and system crash or hang) via a crafted iso9660 image. (CVE-2014-9420)

  - The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N.
    implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of
    an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash)
    via fragmented packets. (CVE-2014-9428)

  - Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2
    allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified
    other impact via keyctl commands that trigger access to a key structure member during garbage collection
    of a key. (CVE-2014-9529)

  - The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not
    validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to
    obtain sensitive information from kernel memory via a crafted iso9660 image. (CVE-2014-9584)

  - The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose
    memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection
    mechanism by guessing a location at the end of a PMD. (CVE-2014-9585)

  - Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs
    subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer
    overflow and system crash) or possibly gain privileges via a crafted filename. (CVE-2014-9683)

  - The UDF filesystem implementation in the Linux kernel before 3.18.2 does not validate certain lengths,
    which allows local users to cause a denial of service (buffer over-read and system crash) via a crafted
    filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c. (CVE-2014-9728)

  - The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.18.2 does not ensure a certain
    data-structure size consistency, which allows local users to cause a denial of service (system crash) via
    a crafted UDF filesystem image. (CVE-2014-9729)

  - The udf_pc_to_char function in fs/udf/symlink.c in the Linux kernel before 3.18.2 relies on component
    lengths that are unused, which allows local users to cause a denial of service (system crash) via a
    crafted UDF filesystem image. (CVE-2014-9730)

  - The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is
    available for storing a symlink target's name along with a trailing \0 character, which allows local users
    to obtain sensitive information via a crafted filesystem image, related to fs/udf/symlink.c and
    fs/udf/unicode.c. (CVE-2014-9731)

  - The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS
    lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of
    service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER
    instruction. (CVE-2015-0239)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2517-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-9529");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2014-8559");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2015-2024 Canonical, Inc. / NASL script (C) 2015-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '14.04': {
    '3.16.0': {
      'generic': '3.16.0-31',
      'generic-lpae': '3.16.0-31',
      'lowlatency': '3.16.0-31',
      'powerpc-e500mc': '3.16.0-31',
      'powerpc-smp': '3.16.0-31',
      'powerpc64-emb': '3.16.0-31',
      'powerpc64-smp': '3.16.0-31'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-2517-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2014-8133', 'CVE-2014-8160', 'CVE-2014-8559', 'CVE-2014-8989', 'CVE-2014-9419', 'CVE-2014-9420', 'CVE-2014-9428', 'CVE-2014-9529', 'CVE-2014-9584', 'CVE-2014-9585', 'CVE-2014-9683', 'CVE-2014-9728', 'CVE-2014-9729', 'CVE-2014-9730', 'CVE-2014-9731', 'CVE-2015-0239');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-2517-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : extra
  );
  exit(0);
}
Vendor      Product        Version                                  CPE
canonical   ubuntu_linux   linux-image-3.16.0-31-generic            p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-generic
canonical   ubuntu_linux   linux-image-3.16.0-31-generic-lpae       p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-generic-lpae
canonical   ubuntu_linux   linux-image-3.16.0-31-lowlatency         p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-lowlatency
canonical   ubuntu_linux   linux-image-3.16.0-31-powerpc-e500mc     p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc-e500mc
canonical   ubuntu_linux   linux-image-3.16.0-31-powerpc-smp        p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc-smp
canonical   ubuntu_linux   linux-image-3.16.0-31-powerpc64-emb      p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc64-emb
canonical   ubuntu_linux   linux-image-3.16.0-31-powerpc64-smp      p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc64-smp
canonical   ubuntu_linux   14.04                                    cpe:/o:canonical:ubuntu_linux:14.04:-:lts
