Lucene search

K
nessusUbuntu Security Notice (C) 2016-2024 Canonical, Inc. / NASL script (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-2948-1.NASL
HistoryApr 07, 2016 - 12:00 a.m.

Ubuntu 14.04 LTS : Linux kernel (Utopic HWE) vulnerabilities (USN-2948-1)

2016-04-0700:00:00
Ubuntu Security Notice (C) 2016-2024 Canonical, Inc. / NASL script (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
29

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.054

Percentile

93.2%

The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2948-1 advisory.

  • The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.
    (CVE-2015-7566)

  • The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor. (CVE-2015-7833)

  • drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use- after-free) via crafted packets. (CVE-2015-8812)

  • Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after- free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call.
    (CVE-2016-0723)

  • The evm_verify_hmac function in security/integrity/evm/evm_main.c in the Linux kernel before 4.5 does not properly copy data, which makes it easier for local users to forge MAC values via a timing side-channel attack. (CVE-2016-2085)

  • The Linux kernel before 4.5 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by leveraging incorrect tracking of descriptor ownership and sending each descriptor over a UNIX socket before closing it. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-4312. (CVE-2016-2550)

  • The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint. (CVE-2016-2782)

  • fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes. (CVE-2016-2847)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2948-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(90405);
  script_version("2.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2015-7566",
    "CVE-2015-7833",
    "CVE-2015-8812",
    "CVE-2016-0723",
    "CVE-2016-2085",
    "CVE-2016-2550",
    "CVE-2016-2782",
    "CVE-2016-2847"
  );
  script_xref(name:"USN", value:"2948-1");

  script_name(english:"Ubuntu 14.04 LTS : Linux kernel (Utopic HWE) vulnerabilities (USN-2948-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-2948-1 advisory.

  - The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows
    physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or
    possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.
    (CVE-2015-7566)

  - The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red
    Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic)
    via a nonzero bInterfaceNumber value in a USB device descriptor. (CVE-2015-7833)

  - drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel before 4.5 does not properly identify error
    conditions, which allows remote attackers to execute arbitrary code or cause a denial of service (use-
    after-free) via crafted packets. (CVE-2015-8812)

  - Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows
    local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-
    free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call.
    (CVE-2016-0723)

  - The evm_verify_hmac function in security/integrity/evm/evm_main.c in the Linux kernel before 4.5 does not
    properly copy data, which makes it easier for local users to forge MAC values via a timing side-channel
    attack. (CVE-2016-2085)

  - The Linux kernel before 4.5 allows local users to bypass file-descriptor limits and cause a denial of
    service (memory consumption) by leveraging incorrect tracking of descriptor ownership and sending each
    descriptor over a UNIX socket before closing it. NOTE: this vulnerability exists because of an incorrect
    fix for CVE-2013-4312. (CVE-2016-2550)

  - The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel before 4.5 allows physically
    proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly
    have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in
    endpoint. (CVE-2016-2782)

  - fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows
    local users to cause a denial of service (memory consumption) by creating many pipes with non-default
    sizes. (CVE-2016-2847)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2948-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-8812");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2016-2024 Canonical, Inc. / NASL script (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '14.04': {
    '3.16.0': {
      'generic': '3.16.0-69',
      'generic-lpae': '3.16.0-69',
      'lowlatency': '3.16.0-69',
      'powerpc-e500mc': '3.16.0-69',
      'powerpc-smp': '3.16.0-69',
      'powerpc64-emb': '3.16.0-69',
      'powerpc64-smp': '3.16.0-69'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-2948-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2015-7566', 'CVE-2015-7833', 'CVE-2015-8812', 'CVE-2016-0723', 'CVE-2016-2085', 'CVE-2016-2550', 'CVE-2016-2782', 'CVE-2016-2847');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-2948-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
VendorProductVersionCPE
canonicalubuntu_linux14.04cpe:/o:canonical:ubuntu_linux:14.04:-:lts
canonicalubuntu_linuxlinux-image-3.16.0-69-lowlatencyp-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-lowlatency
canonicalubuntu_linuxlinux-image-3.16.0-69-powerpc-e500mcp-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-powerpc-e500mc
canonicalubuntu_linuxlinux-image-3.16.0-69-powerpc64-embp-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-powerpc64-emb
canonicalubuntu_linuxlinux-image-3.16.0-69-powerpc64-smpp-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-powerpc64-smp
canonicalubuntu_linuxlinux-image-3.16.0-69-generic-lpaep-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-generic-lpae
canonicalubuntu_linuxlinux-image-3.16.0-69-genericp-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-generic
canonicalubuntu_linuxlinux-image-3.16.0-69-powerpc-smpp-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-69-powerpc-smp

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.054

Percentile

93.2%