The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2517-1 advisory.
arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1 allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area system call and later reads a 16-bit value. (CVE-2014-8133)
net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers. (CVE-2014-8160)
The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang) via a crafted application. (CVE-2014-8559)
The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a negative groups issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c. (CVE-2014-8989)
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address. (CVE-2014-9419)
The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image. (CVE-2014-9420)
The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets. (CVE-2014-9428)
Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key. (CVE-2014-9529)
The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image. (CVE-2014-9584)
The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD. (CVE-2014-9585)
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename. (CVE-2014-9683)
The UDF filesystem implementation in the Linux kernel before 3.18.2 does not validate certain lengths, which allows local users to cause a denial of service (buffer over-read and system crash) via a crafted filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c. (CVE-2014-9728)
The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.18.2 does not ensure a certain data-structure size consistency, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image. (CVE-2014-9729)
The udf_pc_to_char function in fs/udf/symlink.c in the Linux kernel before 3.18.2 relies on component lengths that are unused, which allows local users to cause a denial of service (system crash) via a crafted UDF filesystem image. (CVE-2014-9730)
The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is available for storing a symlink target’s name along with a trailing \0 character, which allows local users to obtain sensitive information via a crafted filesystem image, related to fs/udf/symlink.c and fs/udf/unicode.c. (CVE-2014-9731)
The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER instruction. (CVE-2015-0239)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2517-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
  script_id(81570);
  script_version("1.21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2014-8133",
    "CVE-2014-8160",
    "CVE-2014-8559",
    "CVE-2014-8989",
    "CVE-2014-9419",
    "CVE-2014-9420",
    "CVE-2014-9428",
    "CVE-2014-9529",
    "CVE-2014-9584",
    "CVE-2014-9585",
    "CVE-2014-9683",
    "CVE-2014-9728",
    "CVE-2014-9729",
    "CVE-2014-9730",
    "CVE-2014-9731",
    "CVE-2015-0239"
  );
  script_bugtraq_id(
    70854,
    71154,
    71684,
    71717,
    71794,
    71847,
    71880,
    71883,
    71990,
    72061,
    72643,
    72842
  );
  script_xref(name:"USN", value:"2517-1");

  script_name(english:"Ubuntu 14.04 LTS : Linux kernel (Utopic HWE) vulnerabilities (USN-2517-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-2517-1 advisory.

  - arch/x86/kernel/tls.c in the Thread Local Storage (TLS) implementation in the Linux kernel through 3.18.1
    allows local users to bypass the espfix protection mechanism, and consequently makes it easier for local
    users to bypass the ASLR protection mechanism, via a crafted application that makes a set_thread_area
    system call and later reads a 16-bit value. (CVE-2014-8133)

  - net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack
    entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols,
    which allows remote attackers to bypass intended access restrictions via packets with disallowed port
    numbers. (CVE-2014-8160)

  - The d_walk function in fs/dcache.c in the Linux kernel through 3.17.2 does not properly maintain the
    semantics of rename_lock, which allows local users to cause a denial of service (deadlock and system hang)
    via a crafted application. (CVE-2014-8559)

  - The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in
    certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a
    POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other
    category, aka a negative groups issue, related to kernel/groups.c, kernel/uid16.c, and
    kernel/user_namespace.c. (CVE-2014-8989)

  - The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not
    ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which
    makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that
    reads a TLS base address. (CVE-2014-9419)

  - The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the
    number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite
    loop, and system crash or hang) via a crafted iso9660 image. (CVE-2014-9420)

  - The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N.
    implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of
    an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash)
    via fragmented packets. (CVE-2014-9428)

  - Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2
    allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified
    other impact via keyctl commands that trigger access to a key structure member during garbage collection
    of a key. (CVE-2014-9529)

  - The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not
    validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to
    obtain sensitive information from kernel memory via a crafted iso9660 image. (CVE-2014-9584)

  - The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose
    memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection
    mechanism by guessing a location at the end of a PMD. (CVE-2014-9585)

  - Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs
    subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer
    overflow and system crash) or possibly gain privileges via a crafted filename. (CVE-2014-9683)

  - The UDF filesystem implementation in the Linux kernel before 3.18.2 does not validate certain lengths,
    which allows local users to cause a denial of service (buffer over-read and system crash) via a crafted
    filesystem image, related to fs/udf/inode.c and fs/udf/symlink.c. (CVE-2014-9728)

  - The udf_read_inode function in fs/udf/inode.c in the Linux kernel before 3.18.2 does not ensure a certain
    data-structure size consistency, which allows local users to cause a denial of service (system crash) via
    a crafted UDF filesystem image. (CVE-2014-9729)

  - The udf_pc_to_char function in fs/udf/symlink.c in the Linux kernel before 3.18.2 relies on component
    lengths that are unused, which allows local users to cause a denial of service (system crash) via a
    crafted UDF filesystem image. (CVE-2014-9730)

  - The UDF filesystem implementation in the Linux kernel before 3.18.2 does not ensure that space is
    available for storing a symlink target's name along with a trailing \0 character, which allows local users
    to obtain sensitive information via a crafted filesystem image, related to fs/udf/symlink.c and
    fs/udf/unicode.c. (CVE-2014-9731)

  - The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS
    lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of
    service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER
    instruction. (CVE-2015-0239)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2517-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-9529");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2014-8559");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2015-2024 Canonical, Inc. / NASL script (C) 2015-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
# Preconditions: local checks must be enabled, the host must be Ubuntu 14.04,
# and the dpkg package list must have been collected by ssh_get_info.nasl.
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only architectures with local check support are evaluated.
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

# Minimum fixed kernel ABI version per release / base version / flavour,
# as published in USN-2517-1.
var kernel_mappings = {
  '14.04': {
    '3.16.0': {
      'generic': '3.16.0-31',
      'generic-lpae': '3.16.0-31',
      'lowlatency': '3.16.0-31',
      'powerpc-e500mc': '3.16.0-31',
      'powerpc-smp': '3.16.0-31',
      'powerpc64-emb': '3.16.0-31',
      'powerpc64-smp': '3.16.0-31'
    }
  }
};

# Prefer the Ksplice Uptrack effective kernel release over the raw uname -r value.
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');

# A running kernel whose base version / flavour is not in the mapping is not covered by this advisory.
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;

# Compare the running kernel against the fixed version using Debian version ordering.
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-2517-1');
}

# A Ksplice hotfix covering every CVE in the advisory counts as patched.
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2014-8133', 'CVE-2014-8160', 'CVE-2014-8559', 'CVE-2014-8989', 'CVE-2014-9419', 'CVE-2014-9420', 'CVE-2014-9428', 'CVE-2014-9529', 'CVE-2014-9584', 'CVE-2014-9585', 'CVE-2014-9683', 'CVE-2014-9728', 'CVE-2014-9729', 'CVE-2014-9730', 'CVE-2014-9731', 'CVE-2015-0239');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-2517-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}

if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : extra
  );
  exit(0);
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| canonical | ubuntu_linux | linux-image-3.16.0-31-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-generic |
| canonical | ubuntu_linux | linux-image-3.16.0-31-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-generic-lpae |
| canonical | ubuntu_linux | linux-image-3.16.0-31-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-lowlatency |
| canonical | ubuntu_linux | linux-image-3.16.0-31-powerpc-e500mc | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc-e500mc |
| canonical | ubuntu_linux | linux-image-3.16.0-31-powerpc-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc-smp |
| canonical | ubuntu_linux | linux-image-3.16.0-31-powerpc64-emb | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc64-emb |
| canonical | ubuntu_linux | linux-image-3.16.0-31-powerpc64-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-31-powerpc64-smp |
| canonical | ubuntu_linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04:-:lts |
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8989
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9419
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9420
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9428
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9529
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9585
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0239
https://ubuntu.com/security/notices/USN-2517-1