The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3619-2 advisory.
Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows attackers to gain privileges via unspecified vectors. (CVE-2017-0861)
The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic. (CVE-2017-1000407)
The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. (CVE-2017-11472)
A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before 4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count value after it has found a peer network in netns_ids idr, which could lead to double free and memory corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully ruled out, although it is thought to be unlikely. (CVE-2017-15129)
sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of service (snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16528)
The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16532)
The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16536)
The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16537)
The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16645)
drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16646)
The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16649)
The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16650)
The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP.
(CVE-2017-16911)
The get_pipe() function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet. (CVE-2017-16912)
The stub_recv_cmd_submit() function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet. (CVE-2017-16913)
The stub_send_ret_submit() function (drivers/usb/usbip/stub_tx.c) in the Linux Kernel before version 4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet. (CVE-2017-16914)
The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call. (CVE-2017-16994)
The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension. (CVE-2017-16995)
net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for new, get, and del operations, which allows local users to bypass intended access restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.
(CVE-2017-17448)
The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4, when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN capability to sniff an nlmon interface for all Netlink activity on the system. (CVE-2017-17449)
net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability for add_callback and remove_callback operations, which allows local users to bypass intended access restrictions because the xt_osf_fingers data structure is shared across all net namespaces.
(CVE-2017-17450)
The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-17558)
The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and include/trace/events/kvm.h. (CVE-2017-17741)
The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel crash) or have unspecified other impact by executing a crafted sequence of system calls that use the blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable. (CVE-2017-17805)
The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing SHA-3 initialization. (CVE-2017-17806)
The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to the current taskās default request-key keyring via the request_key() system call, allowing a local user to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.
(CVE-2017-17807)
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic issue, could possibly be used by local users for denial of service. (CVE-2017-17862)
crypto/pcrypt.c in the Linux kernel before 4.14.13 mishandles freeing instances, allowing a local user able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt (CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have unspecified other impact by executing a crafted sequence of system calls. (CVE-2017-18075)
The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allow local users to cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and removal of DM devices. (CVE-2017-18203)
The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel before 4.14.2 allows local users to cause a denial of service (deadlock) via DIO requests. (CVE-2017-18204)
The madvise_willneed function in mm/madvise.c in the Linux kernel before 4.14.4 allows local users to cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.
(CVE-2017-18208)
A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this. (CVE-2017-7518)
Linux Linux kernel version at least v4.8 onwards, probably well before contains a Insufficient input validation vulnerability in bnx2x network card driver that can result in DoS: Network card firmware assertion takes card off-line. This attack appear to be exploitable via An attacker on a must pass a very large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VMā¦
(CVE-2018-1000026)
In the Linux kernel through 3.2, the rds_message_alloc_sgs() function does not validate a value that is used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the rds_rdma_extra_size function in net/rds/rdma.c). (CVE-2018-5332)
In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer dereference. (CVE-2018-5333)
In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles lo_release serialization, which allows attackers to cause a denial of service (__lock_acquire use-after-free) or possibly have unspecified other impact. (CVE-2018-5344)
The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value. (CVE-2018-6927)
A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function in the Linux kernel before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to RDS_GET_MR and RDS_GET_MR_FOR_DEST. (CVE-2018-7492)
The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8 does not validate certain resource availability, which allows local users to cause a denial of service (NULL pointer dereference). (CVE-2018-8043)
Note that Nessus has not tested for these issues but has instead relied only on the applicationās self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3619-2. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('compat.inc');
if (description)
{
script_id(108878);
script_version("1.15");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");
script_cve_id(
"CVE-2017-0861",
"CVE-2017-1000407",
"CVE-2017-11472",
"CVE-2017-15129",
"CVE-2017-16528",
"CVE-2017-16532",
"CVE-2017-16536",
"CVE-2017-16537",
"CVE-2017-16645",
"CVE-2017-16646",
"CVE-2017-16649",
"CVE-2017-16650",
"CVE-2017-16911",
"CVE-2017-16912",
"CVE-2017-16913",
"CVE-2017-16914",
"CVE-2017-16994",
"CVE-2017-16995",
"CVE-2017-17448",
"CVE-2017-17449",
"CVE-2017-17450",
"CVE-2017-17558",
"CVE-2017-17741",
"CVE-2017-17805",
"CVE-2017-17806",
"CVE-2017-17807",
"CVE-2017-17862",
"CVE-2017-18075",
"CVE-2017-18203",
"CVE-2017-18204",
"CVE-2017-18208",
"CVE-2017-7518",
"CVE-2018-1000026",
"CVE-2018-5332",
"CVE-2018-5333",
"CVE-2018-5344",
"CVE-2018-6927",
"CVE-2018-7492",
"CVE-2018-8043"
);
script_xref(name:"USN", value:"3619-2");
script_name(english:"Ubuntu 14.04 LTS : Linux kernel (Xenial HWE) vulnerabilities (USN-3619-2)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3619-2 advisory.
- Use-after-free vulnerability in the snd_pcm_info function in the ALSA subsystem in the Linux kernel allows
attackers to gain privileges via unspecified vectors. (CVE-2017-0861)
- The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port
0x80 an exception can be triggered leading to a kernel panic. (CVE-2017-1000407)
- The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not
flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive
information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a
crafted ACPI table. (CVE-2017-11472)
- A use-after-free vulnerability was found in network namespaces code affecting the Linux kernel before
4.14.11. The function get_net_ns_by_id() in net/core/net_namespace.c does not check for the net::count
value after it has found a peer network in netns_ids idr, which could lead to double free and memory
corruption. This vulnerability could allow an unprivileged local user to induce kernel memory corruption
on the system, leading to a crash. Due to the nature of the flaw, privilege escalation cannot be fully
ruled out, although it is thought to be unlikely. (CVE-2017-15129)
- sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local users to cause a denial of service
(snd_rawmidi_dev_seq_free use-after-free and system crash) or possibly have unspecified other impact via a
crafted USB device. (CVE-2017-16528)
- The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local
users to cause a denial of service (NULL pointer dereference and system crash) or possibly have
unspecified other impact via a crafted USB device. (CVE-2017-16532)
- The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact via a crafted USB device. (CVE-2017-16536)
- The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users
to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified
other impact via a crafted USB device. (CVE-2017-16537)
- The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and
system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16645)
- drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to
cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted
USB device. (CVE-2017-16646)
- The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11
allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have
unspecified other impact via a crafted USB device. (CVE-2017-16649)
- The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local
users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified
other impact via a crafted USB device. (CVE-2017-16650)
- The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows allows local attackers to
disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP.
(CVE-2017-16911)
- The get_pipe() function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71,
and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB
over IP packet. (CVE-2017-16912)
- The stub_recv_cmd_submit() function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version
4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial of service
(arbitrary memory allocation) via a specially crafted USB over IP packet. (CVE-2017-16913)
- The stub_send_ret_submit() function (drivers/usb/usbip/stub_tx.c) in the Linux Kernel before version
4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer
dereference) via a specially crafted USB over IP packet. (CVE-2017-16914)
- The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel before 4.14.2 mishandles holes in
hugetlb ranges, which allows local users to obtain sensitive information from uninitialized kernel memory
via crafted use of the mincore() system call. (CVE-2017-16994)
- The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.4 allows local users to
cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging
incorrect sign extension. (CVE-2017-16995)
- net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN
capability for new, get, and del operations, which allows local users to bypass intended access
restrictions because the nfnl_cthelper_list data structure is shared across all net namespaces.
(CVE-2017-17448)
- The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in the Linux kernel through 4.14.4,
when CONFIG_NLMON is enabled, does not restrict observations of Netlink messages to a single net
namespace, which allows local users to obtain sensitive information by leveraging the CAP_NET_ADMIN
capability to sniff an nlmon interface for all Netlink activity on the system. (CVE-2017-17449)
- net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not require the CAP_NET_ADMIN capability
for add_callback and remove_callback operations, which allows local users to bypass intended access
restrictions because the xt_osf_fingers data structure is shared across all net namespaces.
(CVE-2017-17450)
- The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux
kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before
attempting to release resources, which allows local users to cause a denial of service (out-of-bounds
write access) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-17558)
- The KVM implementation in the Linux kernel through 4.14.7 allows attackers to obtain potentially sensitive
information from kernel memory, aka a write_mmio stack-based out-of-bounds read, related to
arch/x86/kvm/x86.c and include/trace/events/kvm.h. (CVE-2017-17741)
- The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 does not correctly handle zero-length
inputs, allowing a local attacker able to use the AF_ALG-based skcipher interface
(CONFIG_CRYPTO_USER_API_SKCIPHER) to cause a denial of service (uninitialized-memory free and kernel
crash) or have unspecified other impact by executing a crafted sequence of system calls that use the
blkcipher_walk API. Both the generic implementation (crypto/salsa20_generic.c) and x86 implementation
(arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable. (CVE-2017-17805)
- The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.14.8 does not validate that the
underlying cryptographic hash algorithm is unkeyed, allowing a local attacker able to use the AF_ALG-based
hash interface (CONFIG_CRYPTO_USER_API_HASH) and the SHA-3 hash algorithm (CONFIG_CRYPTO_SHA3) to cause a
kernel stack buffer overflow by executing a crafted sequence of system calls that encounter a missing
SHA-3 initialization. (CVE-2017-17806)
- The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access-control check when adding a key to
the current task's default request-key keyring via the request_key() system call, allowing a local user
to use a sequence of crafted system calls to add keys to a keyring with only Search permission (not Write
permission) to that keyring, related to construct_get_dest_keyring() in security/keys/request_key.c.
(CVE-2017-17807)
- kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unreachable code, even though it would
still be processed by JIT compilers. This behavior, also considered an improper branch-pruning logic
issue, could possibly be used by local users for denial of service. (CVE-2017-17862)
- crypto/pcrypt.c in the Linux kernel before 4.14.13 mishandles freeing instances, allowing a local user
able to access the AF_ALG-based AEAD interface (CONFIG_CRYPTO_USER_API_AEAD) and pcrypt
(CONFIG_CRYPTO_PCRYPT) to cause a denial of service (kfree of an incorrect pointer) or possibly have
unspecified other impact by executing a crafted sequence of system calls. (CVE-2017-18075)
- The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel before 4.14.3 allow local users to
cause a denial of service (BUG) by leveraging a race condition with __dm_destroy during creation and
removal of DM devices. (CVE-2017-18203)
- The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel before 4.14.2 allows local users to
cause a denial of service (deadlock) via DIO requests. (CVE-2017-18204)
- The madvise_willneed function in mm/madvise.c in the Linux kernel before 4.14.4 allows local users to
cause a denial of service (infinite loop) by triggering use of MADVISE_WILLNEED for a DAX mapping.
(CVE-2017-18208)
- A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap
flag(TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception(#DB)
being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate
their privileges inside the guest. Linux guests are not affected by this. (CVE-2017-7518)
- Linux Linux kernel version at least v4.8 onwards, probably well before contains a Insufficient input
validation vulnerability in bnx2x network card driver that can result in DoS: Network card firmware
assertion takes card off-line. This attack appear to be exploitable via An attacker on a must pass a very
large, specially crafted packet to the bnx2x card. This can be done from an untrusted guest VM..
(CVE-2018-1000026)
- In the Linux kernel through 3.2, the rds_message_alloc_sgs() function does not validate a value that is
used during DMA page allocation, leading to a heap-based out-of-bounds write (related to the
rds_rdma_extra_size function in net/rds/rdma.c). (CVE-2018-5332)
- In the Linux kernel through 4.14.13, the rds_cmsg_atomic function in net/rds/rdma.c mishandles cases where
page pinning fails or an invalid address is supplied, leading to an rds_atomic_free_op NULL pointer
dereference. (CVE-2018-5333)
- In the Linux kernel through 4.14.13, drivers/block/loop.c mishandles lo_release serialization, which
allows attackers to cause a denial of service (__lock_acquire use-after-free) or possibly have unspecified
other impact. (CVE-2018-5344)
- The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to
cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a
negative wake or requeue value. (CVE-2018-6927)
- A NULL pointer dereference was found in the net/rds/rdma.c __rds_rdma_map() function in the Linux kernel
before 4.14.7 allowing local attackers to cause a system panic and a denial-of-service, related to
RDS_GET_MR and RDS_GET_MR_FOR_DEST. (CVE-2018-7492)
- The unimac_mdio_probe function in drivers/net/phy/mdio-bcm-unimac.c in the Linux kernel through 4.15.8
does not validate certain resource availability, which allows local users to cause a denial of service
(NULL pointer dereference). (CVE-2018-8043)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3619-2");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5332");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-6927");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Linux BPF Sign Extension Local Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/20");
script_set_attribute(attribute:"patch_publication_date", value:"2018/04/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/06");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1016-aws");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-generic");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-generic-lpae");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-lowlatency");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-powerpc-e500mc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-powerpc-smp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-powerpc64-emb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-powerpc64-smp");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'14.04': {
'4.4.0': {
'generic': '4.4.0-119',
'generic-lpae': '4.4.0-119',
'lowlatency': '4.4.0-119',
'powerpc-e500mc': '4.4.0-119',
'powerpc-smp': '4.4.0-119',
'powerpc64-emb': '4.4.0-119',
'powerpc64-smp': '4.4.0-119',
'aws': '4.4.0-1016'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3619-2');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2017-0861', 'CVE-2017-7518', 'CVE-2017-11472', 'CVE-2017-15129', 'CVE-2017-16528', 'CVE-2017-16532', 'CVE-2017-16536', 'CVE-2017-16537', 'CVE-2017-16645', 'CVE-2017-16646', 'CVE-2017-16649', 'CVE-2017-16650', 'CVE-2017-16911', 'CVE-2017-16912', 'CVE-2017-16913', 'CVE-2017-16914', 'CVE-2017-16994', 'CVE-2017-16995', 'CVE-2017-17448', 'CVE-2017-17449', 'CVE-2017-17450', 'CVE-2017-17558', 'CVE-2017-17741', 'CVE-2017-17805', 'CVE-2017-17806', 'CVE-2017-17807', 'CVE-2017-17862', 'CVE-2017-18075', 'CVE-2017-18203', 'CVE-2017-18204', 'CVE-2017-18208', 'CVE-2017-1000407', 'CVE-2018-5332', 'CVE-2018-5333', 'CVE-2018-5344', 'CVE-2018-6927', 'CVE-2018-7492', 'CVE-2018-8043', 'CVE-2018-1000026');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3619-2');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : extra
);
exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | linux-image-4.4.0-1016-aws | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1016-aws |
canonical | ubuntu_linux | linux-image-4.4.0-119-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-generic |
canonical | ubuntu_linux | linux-image-4.4.0-119-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-generic-lpae |
canonical | ubuntu_linux | linux-image-4.4.0-119-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-lowlatency |
canonical | ubuntu_linux | linux-image-4.4.0-119-powerpc-e500mc | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-powerpc-e500mc |
canonical | ubuntu_linux | linux-image-4.4.0-119-powerpc-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-powerpc-smp |
canonical | ubuntu_linux | linux-image-4.4.0-119-powerpc64-emb | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-powerpc64-emb |
canonical | ubuntu_linux | linux-image-4.4.0-119-powerpc64-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-119-powerpc64-smp |
canonical | ubuntu_linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04:-:lts |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0861
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000407
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11472
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15129
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16528
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16532
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16536
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16537
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16645
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16646
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16649
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16650
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16911
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16912
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16913
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16914
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16994
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16995
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17448
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17449
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17450
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17558
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17741
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17805
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17806
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17807
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17862
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18075
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18203
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18204
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18208
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7518
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000026
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5332
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5333
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5344
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6927
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7492
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8043
ubuntu.com/security/notices/USN-3619-2