Ubuntu 16.04 LTS : Linux (HWE) vulnerabilities (USN-3617-2)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3617-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(108835);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2017-0861",
    "CVE-2017-1000407",
    "CVE-2017-15129",
    "CVE-2017-16532",
    "CVE-2017-16537",
    "CVE-2017-16645",
    "CVE-2017-16646",
    "CVE-2017-16647",
    "CVE-2017-16649",
    "CVE-2017-16650",
    "CVE-2017-16994",
    "CVE-2017-17448",
    "CVE-2017-17450",
    "CVE-2017-17741",
    "CVE-2017-17805",
    "CVE-2017-17806",
    "CVE-2017-17807",
    "CVE-2017-18204",
    "CVE-2018-1000026",
    "CVE-2018-5332",
    "CVE-2018-5333",
    "CVE-2018-5344"
  );
  script_xref(name:"USN", value:"3617-2");

  script_name(english:"Ubuntu 16.04 LTS : Linux (HWE) vulnerabilities (USN-3617-2)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3617-2 advisory.

  - Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows
    attackers to gain privileges via unspecified vectors. (CVE-2017-0861)

  - The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port
    0x80 an exception can be triggered leading to a kernel panic. (CVE-2017-1000407)

  - A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before
    4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count
    value after it has found a peer network in netns_ids idr, which could lead to double free and memory
    corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption
    on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully
    ruled out, although it is thought to be unlikely. (CVE-2017-15129)

  - The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local
    users to cause a denial of service (NULL pointer dereference and system crash) or possibly have
    unspecified other impact via a crafted USB device. (CVE-2017-16532)

  - The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users
    to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified
    other impact via a crafted USB device. (CVE-2017-16537)

  - The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through
    4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and
    system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16645)

  - drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to
    cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted
    USB device. (CVE-2017-16646)

  - drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of
    service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a
    crafted USB device. (CVE-2017-16647)

  - The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11
    allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have
    unspecified other impact via a crafted USB device. (CVE-2017-16649)

  - The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local
    users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified
    other impact via a crafted USB device. (CVE-2017-16650)

  - The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in
    hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory
    via crafted use of the mincore() system call. (CVE-2017-16994)

  - net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN
    capability for new, get, and del operations, which allows local users to bypass intended access
    restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.
    (CVE-2017-17448)

  - net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability
    for add_callback and remove_callback operations, which allows local users to bypass intended access
    restrictions because the xt_osf_fingers data structure is shared across all net namespaces.
    (CVE-2017-17450)

  - The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive
    information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to
    arch/x86/kvm/x86.c and include/trace/events/kvm.h. (CVE-2017-17741)

  - The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length
    inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface
    (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel
    crash) or have unspecified other impact by executing a crafted sequence of system calls that use the
    blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation
    (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable. (CVE-2017-17805)

  - The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the
    underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based
    hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a
    kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing
    SHA-3 initialization. (CVE-2017-17806)

  - The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to
    the current task's default request-key keyring via the request_key() system call, allowing a local user
    to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write
    permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.
    (CVE-2017-17807)

  - The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel before 4.14.2 allows local users to
    cause a denial of service (deadlock) via DIO requests. (CVE-2017-18204)

  - Linux Linux kernel version at least v4.8 onwards, probably well before contains a Insufficient input
    validation vulnerability in bnx2x network card driver that can result in DoS: Network card firmware
    assertion takes card off-line. This attack appear to be exploitable via An attacker on a must pass a very
    large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM..
    (CVE-2018-1000026)

  - In the Linux kernel through 3.2, the rds_message_alloc_sgs() function does not validate a value that is
    used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the
    rds_rdma_extra_size function in net/rds/rdma.c). (CVE-2018-5332)

  - In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where
    page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer
    dereference. (CVE-2018-5333)

  - In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles lo_release serialization, which
    allows attackers to cause a denial of service (__lock_acquire use-after-free) or possibly have unspecified
    other impact. (CVE-2018-5344)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3617-2");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5332");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-5344");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13.0-1012-gcp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13.0-1022-oem");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13.0-38-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13.0-38-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.13.0-38-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '16.04': {
    '4.13.0': {
      'generic': '4.13.0-38',
      'generic-lpae': '4.13.0-38',
      'lowlatency': '4.13.0-38',
      'gcp': '4.13.0-1012',
      'oem': '4.13.0-1022'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3617-2');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2017-0861', 'CVE-2017-15129', 'CVE-2017-16532', 'CVE-2017-16537', 'CVE-2017-16645', 'CVE-2017-16646', 'CVE-2017-16647', 'CVE-2017-16649', 'CVE-2017-16650', 'CVE-2017-16994', 'CVE-2017-17448', 'CVE-2017-17450', 'CVE-2017-17741', 'CVE-2017-17805', 'CVE-2017-17806', 'CVE-2017-17807', 'CVE-2017-18204', 'CVE-2017-1000407', 'CVE-2018-5332', 'CVE-2018-5333', 'CVE-2018-5344', 'CVE-2018-1000026');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3617-2');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}