CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
91.0%
The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2989-1 advisory.
Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-2117)
Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB over wifi device drivers in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or obtain potentially sensitive information from kernel memory. (CVE-2015-4004)
Andy Lutomirski discovered a race condition in the Linux kernel's translation lookaside buffer (TLB) handling of flush events. A local attacker could use this to cause a denial of service or possibly leak sensitive information. (CVE-2016-2069)
Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly validate endpoint descriptors. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-2187)
Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a setuid/setgid program. (CVE-2016-3672)
Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with physical access could use this to cause a denial of service (system crash). (CVE-2016-3951)
It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3955)
Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4485)
Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink) implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel memory. (CVE-2016-4486)
It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2016-4581)
Tenable has extracted the preceding description block directly from the Ubuntu security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2989-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('compat.inc');
if (description)
{
script_id(91425);
script_version("2.15");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/08/27");
script_cve_id(
"CVE-2015-4004",
"CVE-2016-2069",
"CVE-2016-2117",
"CVE-2016-2187",
"CVE-2016-3672",
"CVE-2016-3951",
"CVE-2016-3955",
"CVE-2016-4485",
"CVE-2016-4486",
"CVE-2016-4581"
);
script_xref(name:"USN", value:"2989-1");
script_name(english:"Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-2989-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-2989-1 advisory.
Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables
scatter/gather I/O. A remote attacker could use this to obtain potentially sensitive information from
kernel memory. (CVE-2016-2117)
Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB over wifi device drivers in the
Linux kernel. A remote attacker could use this to cause a denial of service (system crash) or obtain
potentially sensitive information from kernel memory. (CVE-2015-4004)
Andy Lutomirski discovered a race condition in the Linux kernel's translation lookaside buffer (TLB)
handling of flush events. A local attacker could use this to cause a denial of service or possibly leak
sensitive information. (CVE-2016-2069)
Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB device driver did not properly
validate endpoint descriptors. An attacker with physical access could use this to cause a denial of
service (system crash). (CVE-2016-2187)
Hector Marco and Ismael Ripoll discovered that the Linux kernel would improperly disable Address Space
Layout Randomization (ASLR) for x86 processes running in 32 bit mode if stack-consumption resource limits
were disabled. A local attacker could use this to make it easier to exploit an existing vulnerability in a
setuid/setgid program. (CVE-2016-3672)
Andrey Konovalov discovered that the CDC Network Control Model USB driver in the Linux kernel did not
cancel work events queued if a later error occurred, resulting in a use-after-free. An attacker with
physical access could use this to cause a denial of service (system crash). (CVE-2016-3951)
It was discovered that an out-of-bounds write could occur when handling incoming packets in the USB/IP
implementation in the Linux kernel. A remote attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2016-3955)
Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 Support implementations in the
Linux kernel. A local attacker could use this to obtain potentially sensitive information from kernel
memory. (CVE-2016-4485)
Kangjie Lu discovered an information leak in the routing netlink socket interface (rtnetlink)
implementation in the Linux kernel. A local attacker could use this to obtain potentially sensitive
information from kernel memory. (CVE-2016-4486)
It was discovered that in some situations the Linux kernel did not handle propagated mounts correctly. A
local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2016-4581)
Tenable has extracted the preceding description block directly from the Ubuntu security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-2989-1");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3955");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/06/07");
script_set_attribute(attribute:"patch_publication_date", value:"2016/06/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/01");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-87-generic");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-87-generic-lpae");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-87-lowlatency");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-87-powerpc-e500");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-87-powerpc-e500mc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-87-powerpc-smp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-87-powerpc64-emb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-87-powerpc64-smp");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2016-2024 Canonical, Inc. / NASL script (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'14.04': {
'3.13.0': {
'generic': '3.13.0-87',
'generic-lpae': '3.13.0-87',
'lowlatency': '3.13.0-87',
'powerpc-e500': '3.13.0-87',
'powerpc-e500mc': '3.13.0-87',
'powerpc-smp': '3.13.0-87',
'powerpc64-emb': '3.13.0-87',
'powerpc64-smp': '3.13.0-87'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra += 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-2989-1');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2015-4004', 'CVE-2016-2069', 'CVE-2016-2117', 'CVE-2016-2187', 'CVE-2016-3672', 'CVE-2016-3951', 'CVE-2016-3955', 'CVE-2016-4485', 'CVE-2016-4486', 'CVE-2016-4581');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-2989-1');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : extra
);
exit(0);
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4004
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2069
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2117
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2187
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3672
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3951
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3955
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4485
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4486
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4581
ubuntu.com/security/notices/USN-2989-1
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
91.0%