Lucene search

K
nessusUbuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-2930-2.NASL
HistoryMar 15, 2016 - 12:00 a.m.

Ubuntu 14.04 LTS : Linux kernel (Wily HWE) vulnerabilities (USN-2930-2)

2016-03-1500:00:00
Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
27

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.8%

The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2930-2 advisory.

  • The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.
    (CVE-2015-7566)

  • net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not properly manage the relationship between a lock and a socket, which allows local users to cause a denial of service (deadlock) via a crafted sctp_accept call. (CVE-2015-8767)

  • Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after- free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call.
    (CVE-2016-0723)

  • Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor. (CVE-2016-2384)

  • The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint. (CVE-2016-2782)

  • The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call. (CVE-2016-3134)

  • Integer overflow in the xt_alloc_table_info function in net/netfilter/x_tables.c in the Linux kernel through 4.5.2 on 32-bit platforms allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call. (CVE-2016-3135)

  • The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel before 4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call. (CVE-2016-2543)

  • Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1 allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time. (CVE-2016-2544)

  • The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly maintain a certain linked list, which allows local users to cause a denial of service (race condition and system crash) via a crafted ioctl call. (CVE-2016-2545)

  • sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call. (CVE-2016-2546)

  • sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider slave timer instances, which allows local users to cause a denial of service (race condition, use-after- free, and system crash) via a crafted ioctl call. (CVE-2016-2547)

  • sound/core/timer.c in the Linux kernel before 4.4.1 retains certain linked lists after a close or stop action, which allows local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions. (CVE-2016-2548)

  • sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent recursive callback access, which allows local users to cause a denial of service (deadlock) via a crafted ioctl call. (CVE-2016-2549)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2930-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(89935);
  script_version("2.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2015-7566",
    "CVE-2015-8767",
    "CVE-2016-0723",
    "CVE-2016-2384",
    "CVE-2016-2543",
    "CVE-2016-2544",
    "CVE-2016-2545",
    "CVE-2016-2546",
    "CVE-2016-2547",
    "CVE-2016-2548",
    "CVE-2016-2549",
    "CVE-2016-2782",
    "CVE-2016-3134",
    "CVE-2016-3135"
  );
  script_xref(name:"USN", value:"2930-2");

  script_name(english:"Ubuntu 14.04 LTS : Linux kernel (Wily HWE) vulnerabilities (USN-2930-2)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-2930-2 advisory.

  - The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows
    physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or
    possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.
    (CVE-2015-7566)

  - net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not properly manage the relationship between
    a lock and a socket, which allows local users to cause a denial of service (deadlock) via a crafted
    sctp_accept call. (CVE-2015-8767)

  - Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows
    local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-
    free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call.
    (CVE-2016-0723)

  - Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel
    before 4.5 allows physically proximate attackers to cause a denial of service (panic) or possibly have
    unspecified other impact via vectors involving an invalid USB descriptor. (CVE-2016-2384)

  - The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically
    proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly
    have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in
    endpoint. (CVE-2016-2782)

  - The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which
    allows local users to gain privileges or cause a denial of service (heap memory corruption) via an
    IPT_SO_SET_REPLACE setsockopt call. (CVE-2016-3134)

  - Integer overflow in the xt_alloc_table_info function in net/netfilter/x_tables.c in the Linux kernel
    through 4.5.2 on 32-bit platforms allows local users to gain privileges or cause a denial of service (heap
    memory corruption) via an IPT_SO_SET_REPLACE setsockopt call. (CVE-2016-3135)

  - The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel before
    4.4.1 does not verify FIFO assignment before proceeding with FIFO clearing, which allows local users to
    cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call. (CVE-2016-2543)

  - Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1
    allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call
    at a certain time. (CVE-2016-2544)

  - The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel before 4.4.1 does not properly
    maintain a certain linked list, which allows local users to cause a denial of service (race condition and
    system crash) via a crafted ioctl call. (CVE-2016-2545)

  - sound/core/timer.c in the Linux kernel before 4.4.1 uses an incorrect type of mutex, which allows local
    users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl
    call. (CVE-2016-2546)

  - sound/core/timer.c in the Linux kernel before 4.4.1 employs a locking approach that does not consider
    slave timer instances, which allows local users to cause a denial of service (race condition, use-after-
    free, and system crash) via a crafted ioctl call. (CVE-2016-2547)

  - sound/core/timer.c in the Linux kernel before 4.4.1 retains certain linked lists after a close or stop
    action, which allows local users to cause a denial of service (system crash) via a crafted ioctl call,
    related to the (1) snd_timer_close and (2) _snd_timer_stop functions. (CVE-2016-2548)

  - sound/core/hrtimer.c in the Linux kernel before 4.4.1 does not prevent recursive callback access, which
    allows local users to cause a denial of service (deadlock) via a crafted ioctl call. (CVE-2016-2549)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2930-2");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3135");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2016-3134");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/02/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '14.04': {
    '4.2.0': {
      'generic': '4.2.0-34',
      'generic-lpae': '4.2.0-34',
      'lowlatency': '4.2.0-34',
      'powerpc-e500mc': '4.2.0-34',
      'powerpc-smp': '4.2.0-34',
      'powerpc64-emb': '4.2.0-34',
      'powerpc64-smp': '4.2.0-34'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-2930-2');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2015-7566', 'CVE-2015-8767', 'CVE-2016-0723', 'CVE-2016-2384', 'CVE-2016-2543', 'CVE-2016-2544', 'CVE-2016-2545', 'CVE-2016-2546', 'CVE-2016-2547', 'CVE-2016-2548', 'CVE-2016-2549', 'CVE-2016-2782', 'CVE-2016-3134', 'CVE-2016-3135');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-2930-2');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
VendorProductVersionCPE
canonicalubuntu_linux14.04cpe:/o:canonical:ubuntu_linux:14.04:-:lts
canonicalubuntu_linuxlinux-image-4.2.0-34-generic-lpaep-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-generic-lpae
canonicalubuntu_linuxlinux-image-4.2.0-34-powerpc-e500mcp-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-powerpc-e500mc
canonicalubuntu_linuxlinux-image-4.2.0-34-lowlatencyp-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-lowlatency
canonicalubuntu_linuxlinux-image-4.2.0-34-powerpc64-smpp-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-powerpc64-smp
canonicalubuntu_linuxlinux-image-4.2.0-34-genericp-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-generic
canonicalubuntu_linuxlinux-image-4.2.0-34-powerpc64-embp-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-powerpc64-emb
canonicalubuntu_linuxlinux-image-4.2.0-34-powerpc-smpp-cpe:/a:canonical:ubuntu_linux:linux-image-4.2.0-34-powerpc-smp

7.2 High

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.8%