Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-2929-1)

Nessus plugin UBUNTU_USN-2929-1.NASL, published 2016-03-15
Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

CVSS2: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3: 4.6 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Attack Vector: PHYSICAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH

AI Score: 8.3 (Confidence: High)
EPSS: 0.007 (Percentile: 80.8%)

The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2929-1 advisory.

  • The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c. (CVE-2013-4312)

  • The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint. (CVE-2015-7566)

  • The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor. (CVE-2015-7833)

  • Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call. (CVE-2016-0723)

  • Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor. (CVE-2016-2384)

  • The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel before 4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call. (CVE-2016-2543)

  • Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1 allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time. (CVE-2016-2544)

  • The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly maintain a certain linked list, which allows local users to cause a denial of service (race condition and system crash) via a crafted ioctl call. (CVE-2016-2545)

  • sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call. (CVE-2016-2546)

  • sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider slave timer instances, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call. (CVE-2016-2547)

  • sound/core/timer.c in the Linux kernel before 4.4.1 retains certain linked lists after a close or stop action, which allows local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions. (CVE-2016-2548)

  • sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent recursive callback access, which allows local users to cause a denial of service (deadlock) via a crafted ioctl call. (CVE-2016-2549)

  • The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint. (CVE-2016-2782)

  • The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call. (CVE-2016-3134)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2929-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(89932);
  script_version("2.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2013-4312",
    "CVE-2015-7566",
    "CVE-2015-7833",
    "CVE-2016-0723",
    "CVE-2016-2384",
    "CVE-2016-2543",
    "CVE-2016-2544",
    "CVE-2016-2545",
    "CVE-2016-2546",
    "CVE-2016-2547",
    "CVE-2016-2548",
    "CVE-2016-2549",
    "CVE-2016-2782",
    "CVE-2016-3134"
  );
  script_xref(name:"USN", value:"2929-1");

  script_name(english:"Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-2929-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-2929-1 advisory.

  - The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause a denial of
    service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to
    net/unix/af_unix.c and net/unix/garbage.c. (CVE-2013-4312)

  - The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows
    physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or
    possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.
    (CVE-2015-7566)

  - The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red
    Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic)
    via a nonzero bInterfaceNumber value in a USB device descriptor. (CVE-2015-7833)

  - Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows
    local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-
    free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call.
    (CVE-2016-0723)

  - Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel
    before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have
    unspecified other impact via vectors involving an invalid USB descriptor. (CVE-2016-2384)

  - The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel before
    4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to
    cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call. (CVE-2016-2543)

  - Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1
    allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call
    at a certain time. (CVE-2016-2544)

  - The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly
    maintain a certain linked list, which allows local users to cause a denial of service (race condition and
    system crash) via a crafted ioctl call. (CVE-2016-2545)

  - sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local
    users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl
    call. (CVE-2016-2546)

  - sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider
    slave timer instances, which allows local users to cause a denial of service (race condition, use-after-
    free, and system crash) via a crafted ioctl call. (CVE-2016-2547)

  - sound/core/timer.c in the Linux kernel before 4.4.1 retains certain linked lists after a close or stop
    action, which allows local users to cause a denial of service (system crash) via a crafted ioctl call,
    related to the (1) snd_timer_close and (2) _snd_timer_stop functions. (CVE-2016-2548)

  - sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent recursive callback access, which
    allows local users to cause a denial of service (deadlock) via a crafted ioctl call. (CVE-2016-2549)

  - The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically
    proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly
    have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in
    endpoint. (CVE-2016-2782)

  - The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which
    allows local users to gain privileges or cause a denial of service (heap memory corruption) via an
    IPT_SO_SET_REPLACE setsockopt call. (CVE-2016-3134)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2929-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3134");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-powerpc-e500");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '14.04': {
    '3.13.0': {
      'generic': '3.13.0-83',
      'generic-lpae': '3.13.0-83',
      'lowlatency': '3.13.0-83',
      'powerpc-e500': '3.13.0-83',
      'powerpc-e500mc': '3.13.0-83',
      'powerpc-smp': '3.13.0-83',
      'powerpc64-emb': '3.13.0-83',
      'powerpc64-smp': '3.13.0-83'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-2929-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2013-4312', 'CVE-2015-7566', 'CVE-2015-7833', 'CVE-2016-0723', 'CVE-2016-2384', 'CVE-2016-2543', 'CVE-2016-2544', 'CVE-2016-2545', 'CVE-2016-2546', 'CVE-2016-2547', 'CVE-2016-2548', 'CVE-2016-2549', 'CVE-2016-2782', 'CVE-2016-3134');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-2929-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
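The kernel check performed by the plugin above, reimplemented in Python as an added example (not Tenable's code) so the decision logic can be run offline against a kernel release string. The dpkg-style comparison and the parse of a `uname -r` value into base version and flavour are my own stand-ins for the plugin's `deb_ver_cmp` and its `Host/Debian/kernel-base-version` / `kernel-type` knowledge-base items; the fixed versions are copied from the `kernel_mappings` table above.

```python
import re
from itertools import zip_longest
# Fixed kernel version per release / base version / flavour, copied from the
# plugin's kernel_mappings table above.
KERNEL_MAPPINGS = {"14.04": {"3.13.0": {
    "generic": "3.13.0-83", "generic-lpae": "3.13.0-83",
    "lowlatency": "3.13.0-83", "powerpc-e500": "3.13.0-83",
    "powerpc-e500mc": "3.13.0-83", "powerpc-smp": "3.13.0-83",
    "powerpc64-emb": "3.13.0-83", "powerpc64-smp": "3.13.0-83"}}}

def _char_order(c):
    # dpkg ordering of non-digit characters: '~' sorts before end-of-string
    # (which counts as 0), letters before other symbols.
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        x = _char_order(a[i]) if i < len(a) else 0
        y = _char_order(b[i]) if i < len(b) else 0
        if x != y:
            return -1 if x < y else 1
    return 0

def deb_ver_cmp(v1, v2):
    """dpkg-style compare standing in for NASL's deb_ver_cmp: -1, 0 or 1. Epochs
    and the upstream/revision split are omitted; same order for these strings."""
    tokens = re.compile(r"(\D*)(\d*)").findall  # alternate non-digit/digit runs
    for (n1, d1), (n2, d2) in zip_longest(tokens(v1), tokens(v2), fillvalue=("", "")):
        r = _cmp_nondigit(n1, n2)
        if r:
            return r
        x, y = int(d1 or 0), int(d2 or 0)
        if x != y:
            return -1 if x < y else 1
    return 0

def parse_release(uname_r):
    """'3.13.0-79-generic' -> ('3.13.0', 'generic'), like the kernel-* KB items."""
    m = re.match(r"^(\d+\.\d+\.\d+)-\d+-(.+)$", uname_r)
    if not m:
        raise ValueError("unrecognised kernel release: " + uname_r)
    return m.group(1), m.group(2)

def check_usn_2929_1(os_release, uname_r):
    """Finding text if the running kernel predates the fix, else None (patched,
    or a release/series/flavour the advisory does not cover)."""
    base, flavour = parse_release(uname_r)
    fixed = KERNEL_MAPPINGS.get(os_release, {}).get(base, {}).get(flavour)
    if fixed is None:
        return None
    fixed_release = fixed + "-" + flavour
    if deb_ver_cmp(uname_r, fixed_release) < 0:
        return "Running Kernel level of %s does not meet the minimum fixed level of %s for USN-2929-1" % (uname_r, fixed_release)
    return None
```

A kernel from a series the table does not list (for example an HWE 3.16 kernel on 14.04) returns None, mirroring the plugin's AUDIT_INST_VER_NOT_VULN exit rather than being reported as unpatched.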
Vendor    | Product      | Version                          | CPE
canonical | ubuntu_linux | 14.04                            | cpe:/o:canonical:ubuntu_linux:14.04:-:lts
canonical | ubuntu_linux | linux-image-3.13.0-83-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-lowlatency
canonical | ubuntu_linux | linux-image-3.13.0-83-generic    | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-generic
canonical | ubuntu_linux | linux-image-3.13.0-83-powerpc-e500 | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-powerpc-e500
canonical | ubuntu_linux | linux-image-3.13.0-83-powerpc-e500mc | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-powerpc-e500mc
canonical | ubuntu_linux | linux-image-3.13.0-83-powerpc64-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-powerpc64-smp
canonical | ubuntu_linux | linux-image-3.13.0-83-powerpc64-emb | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-powerpc64-emb
canonical | ubuntu_linux | linux-image-3.13.0-83-powerpc-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-powerpc-smp
canonical | ubuntu_linux | linux-image-3.13.0-83-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-83-generic-lpae
