Lucene search

K
nessusUbuntu Security Notice (C) 2016-2024 Canonical, Inc. / NASL script (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-3000-1.NASL
HistoryJun 10, 2016 - 12:00 a.m.

Ubuntu 14.04 LTS : Linux kernel (Utopic HWE) vulnerabilities (USN-3000-1)

2016-06-1000:00:00
Ubuntu Security Notice (C) 2016-2024 Canonical, Inc. / NASL script (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
23

8.2 High

AI Score

Confidence

Low

The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3000-1 advisory.

  • The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet. (CVE-2015-4004)

  • The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling. (CVE-2016-1583)

  • The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data. (CVE-2016-2117)

  • The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. (CVE-2016-2187)

  • The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device without two interrupt-in endpoint descriptors. (CVE-2016-3136)

  • drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions. (CVE-2016-3137)

  • The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. (CVE-2016-3140)

  • The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits. (CVE-2016-3672)

  • The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (system crash) via a USB device without both a master and a slave interface. (CVE-2016-3689)

  • Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor. (CVE-2016-3951)

  • The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel before 4.5.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted length value in a USB/IP packet. (CVE-2016-3955)

  • The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory by reading a message. (CVE-2016-4485)

  • The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message. (CVE-2016-4486)

  • fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls. (CVE-2016-4581)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3000-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(91562);
  script_version("2.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2015-4004",
    "CVE-2016-1583",
    "CVE-2016-2117",
    "CVE-2016-2187",
    "CVE-2016-3136",
    "CVE-2016-3137",
    "CVE-2016-3140",
    "CVE-2016-3672",
    "CVE-2016-3689",
    "CVE-2016-3951",
    "CVE-2016-3955",
    "CVE-2016-4485",
    "CVE-2016-4486",
    "CVE-2016-4581"
  );
  script_xref(name:"USN", value:"3000-1");

  script_name(english:"Ubuntu 14.04 LTS : Linux kernel (Utopic HWE) vulnerabilities (USN-3000-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3000-1 advisory.

  - The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet
    parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a
    denial of service (out-of-bounds read and system crash) via a crafted packet. (CVE-2015-4004)

  - The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows
    local users to gain privileges or cause a denial of service (stack memory consumption) via vectors
    involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling. (CVE-2016-1583)

  - The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2
    incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from
    kernel memory by reading packet data. (CVE-2016-2117)

  - The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically
    proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted
    endpoints value in a USB device descriptor. (CVE-2016-2187)

  - The mct_u232_msr_to_state function in drivers/usb/serial/mct_u232.c in the Linux kernel before 4.5.1
    allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system
    crash) via a crafted USB device without two interrupt-in endpoint descriptors. (CVE-2016-3136)

  - drivers/usb/serial/cypress_m8.c in the Linux kernel before 4.5.1 allows physically proximate attackers to
    cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an
    interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and
    cypress_open functions. (CVE-2016-3137)

  - The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel before 4.5.1
    allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system
    crash) via a crafted endpoints value in a USB device descriptor. (CVE-2016-3140)

  - The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not
    properly randomize the legacy base address, which makes it easier for local users to defeat the intended
    restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or
    setgid program, by disabling stack-consumption resource limits. (CVE-2016-3672)

  - The ims_pcu_parse_cdc_data function in drivers/input/misc/ims-pcu.c in the Linux kernel before 4.5.1
    allows physically proximate attackers to cause a denial of service (system crash) via a USB device without
    both a master and a slave interface. (CVE-2016-3689)

  - Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically
    proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact
    by inserting a USB device with an invalid USB descriptor. (CVE-2016-3951)

  - The usbip_recv_xbuff function in drivers/usb/usbip/usbip_common.c in the Linux kernel before 4.5.3 allows
    remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other
    impact via a crafted length value in a USB/IP packet. (CVE-2016-3955)

  - The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel before 4.5.5 does not initialize a
    certain data structure, which allows attackers to obtain sensitive information from kernel stack memory by
    reading a message. (CVE-2016-4485)

  - The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not
    initialize a certain data structure, which allows local users to obtain sensitive information from kernel
    stack memory by reading a Netlink message. (CVE-2016-4486)

  - fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a
    certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer
    dereference and OOPS) via a crafted series of mount system calls. (CVE-2016-4581)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3000-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-3955");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/06/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-73-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-73-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-73-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-73-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-73-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-73-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.16.0-73-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2016-2024 Canonical, Inc. / NASL script (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '14.04': {
    '3.16.0': {
      'generic': '3.16.0-73',
      'generic-lpae': '3.16.0-73',
      'lowlatency': '3.16.0-73',
      'powerpc-e500mc': '3.16.0-73',
      'powerpc-smp': '3.16.0-73',
      'powerpc64-emb': '3.16.0-73',
      'powerpc64-smp': '3.16.0-73'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3000-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2015-4004', 'CVE-2016-1583', 'CVE-2016-2117', 'CVE-2016-2187', 'CVE-2016-3136', 'CVE-2016-3137', 'CVE-2016-3140', 'CVE-2016-3672', 'CVE-2016-3689', 'CVE-2016-3951', 'CVE-2016-3955', 'CVE-2016-4485', 'CVE-2016-4486', 'CVE-2016-4581');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3000-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}

8.2 High

AI Score

Confidence

Low

Related for UBUNTU_USN-3000-1.NASL