Lucene search

K
nessusUbuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-3654-1.NASL
HistoryMay 23, 2018 - 12:00 a.m.

Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-3654-1)

2018-05-2300:00:00
Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
101

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

7.2 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.003 Low

EPSS

Percentile

65.2%

The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3654-1 advisory.

  • Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c in the Linux kernel through 4.14.10 allows attackers to cause a denial of service (system crash) or possibly have unspecified other impact by triggering failure of audio registration, because a kfree of the usbtv data structure occurs during a usbtv_video_free call, but the usbtv_video_fail label’s code attempts to both access and free this data structure. (CVE-2017-17975)

  • fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles extent trees, which allows local users to cause a denial of service (BUG) via an application with multiple threads. (CVE-2017-18193)

  • In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) does not consider the ETH_SS_PRIV_FLAGS case when retrieving sset_count data, which allows local users to cause a denial of service (buffer overflow and memory corruption) or possibly have unspecified other impact, as demonstrated by incompatibility between hns_get_sset_count and ethtool_get_strings. (CVE-2017-18222)

  • The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the case of a rule blob that contains a jump but lacks a user-defined chain, which allows local users to cause a denial of service (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability, related to arpt_do_table in net/ipv4/netfilter/arp_tables.c, ipt_do_table in net/ipv4/netfilter/ip_tables.c, and ip6t_do_table in net/ipv6/netfilter/ip6_tables.c. (CVE-2018-1065)

  • A flaw was found in the Linux 4.x kernel’s implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory. (CVE-2018-1068)

  • Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of certain crafted system calls. (CVE-2018-1130)

  • Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (CVE-2018-3639)

  • In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the
    _sctp_make_chunk() function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be exploited to cause a kernel crash. (CVE-2018-5803)

  • The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation failure. (CVE-2018-7480)

  • Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. (CVE-2018-7757)

  • Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory.
    NOTE: a third party has indicated that this report is not security relevant (CVE-2018-7995)

  • The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux kernel version 3.4 and up to and including 4.15 has an integer-overflow vulnerability allowing local users with access to the udldrmfb driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution in kernel space. (CVE-2018-8781)

  • Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux kernel through 4.15.11, and in drivers/staging/ncpfs/ncplib_kernel.c in the Linux kernel 4.16-rc through 4.16-rc6, could be exploited by malicious NCPFS servers to crash the kernel or execute code.
    (CVE-2018-8822)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3654-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(110048);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2017-17975",
    "CVE-2017-18193",
    "CVE-2017-18222",
    "CVE-2018-1065",
    "CVE-2018-1068",
    "CVE-2018-1130",
    "CVE-2018-3639",
    "CVE-2018-5803",
    "CVE-2018-7480",
    "CVE-2018-7757",
    "CVE-2018-7995",
    "CVE-2018-8781",
    "CVE-2018-8822"
  );
  script_xref(name:"USN", value:"3654-1");

  script_name(english:"Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-3654-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3654-1 advisory.

  - Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c in the Linux kernel
    through 4.14.10 allows attackers to cause a denial of service (system crash) or possibly have unspecified
    other impact by triggering failure of audio registration, because a kfree of the usbtv data structure
    occurs during a usbtv_video_free call, but the usbtv_video_fail label's code attempts to both access and
    free this data structure. (CVE-2017-17975)

  - fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles extent trees, which allows local users
    to cause a denial of service (BUG) via an application with multiple threads. (CVE-2017-18193)

  - In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) does not consider the ETH_SS_PRIV_FLAGS
    case when retrieving sset_count data, which allows local users to cause a denial of service (buffer
    overflow and memory corruption) or possibly have unspecified other impact, as demonstrated by
    incompatibility between hns_get_sset_count and ethtool_get_strings. (CVE-2017-18222)

  - The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the case of a rule blob that
    contains a jump but lacks a user-defined chain, which allows local users to cause a denial of service
    (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability, related to
    arpt_do_table in net/ipv4/netfilter/arp_tables.c, ipt_do_table in net/ipv4/netfilter/ip_tables.c, and
    ip6t_do_table in net/ipv6/netfilter/ip6_tables.c. (CVE-2018-1065)

  - A flaw was found in the Linux 4.x kernel's implementation of 32-bit syscall interface for bridging. This
    allowed a privileged user to arbitrarily write to a limited range of kernel memory. (CVE-2018-1068)

  - Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit()
    function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of
    certain crafted system calls. (CVE-2018-1130)

  - Systems with microprocessors utilizing speculative execution and speculative execution of memory reads
    before the addresses of all prior memory writes are known may allow unauthorized disclosure of information
    to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB),
    Variant 4. (CVE-2018-3639)

  - In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the
    _sctp_make_chunk() function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be
    exploited to cause a kernel crash. (CVE-2018-5803)

  - The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to
    cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation
    failure. (CVE-2018-7480)

  - Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux
    kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read
    accesses to files in the /sys/class/sas_phy directory, as demonstrated by the
    /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. (CVE-2018-7757)

  - Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux
    kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to
    write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory.
    NOTE: a third party has indicated that this report is not security relevant (CVE-2018-7995)

  - The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux kernel version 3.4 and up to and
    including 4.15 has an integer-overflow vulnerability allowing local users with access to the udldrmfb
    driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution
    in kernel space. (CVE-2018-8781)

  - Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux
    kernel through 4.15.11, and in drivers/staging/ncpfs/ncplib_kernel.c in the Linux kernel 4.16-rc through
    4.16-rc6, could be exploited by malicious NCPFS servers to crash the kernel or execute code.
    (CVE-2018-8822)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3654-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8822");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1026-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1060-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '16.04': {
    '4.4.0': {
      'generic': '4.4.0-127',
      'generic-lpae': '4.4.0-127',
      'lowlatency': '4.4.0-127',
      'powerpc-e500mc': '4.4.0-127',
      'powerpc-smp': '4.4.0-127',
      'powerpc64-emb': '4.4.0-127',
      'powerpc64-smp': '4.4.0-127',
      'kvm': '4.4.0-1026',
      'aws': '4.4.0-1060'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3654-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2017-17975', 'CVE-2017-18193', 'CVE-2017-18222', 'CVE-2018-1065', 'CVE-2018-1068', 'CVE-2018-1130', 'CVE-2018-3639', 'CVE-2018-5803', 'CVE-2018-7480', 'CVE-2018-7757', 'CVE-2018-7995', 'CVE-2018-8781', 'CVE-2018-8822');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3654-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
VendorProductVersionCPE
canonicalubuntu_linuxlinux-image-4.4.0-1026-kvmp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1026-kvm
canonicalubuntu_linuxlinux-image-4.4.0-1060-awsp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1060-aws
canonicalubuntu_linuxlinux-image-4.4.0-127-genericp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-generic
canonicalubuntu_linuxlinux-image-4.4.0-127-generic-lpaep-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-generic-lpae
canonicalubuntu_linuxlinux-image-4.4.0-127-lowlatencyp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-lowlatency
canonicalubuntu_linuxlinux-image-4.4.0-127-powerpc-e500mcp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-powerpc-e500mc
canonicalubuntu_linuxlinux-image-4.4.0-127-powerpc-smpp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-powerpc-smp
canonicalubuntu_linuxlinux-image-4.4.0-127-powerpc64-embp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-powerpc64-emb
canonicalubuntu_linuxlinux-image-4.4.0-127-powerpc64-smpp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-powerpc64-smp
canonicalubuntu_linux16.04cpe:/o:canonical:ubuntu_linux:16.04:-:lts

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

7.2 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.003 Low

EPSS

Percentile

65.2%