Ubuntu 14.04 LTS : Linux kernel (Xenial HWE) vulnerabilities (USN-3654-2)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3654-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(110049);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2017-17975",
    "CVE-2017-18193",
    "CVE-2017-18222",
    "CVE-2018-1065",
    "CVE-2018-1068",
    "CVE-2018-1130",
    "CVE-2018-3639",
    "CVE-2018-5803",
    "CVE-2018-7480",
    "CVE-2018-7757",
    "CVE-2018-7995",
    "CVE-2018-8781",
    "CVE-2018-8822"
  );
  script_xref(name:"USN", value:"3654-2");

  script_name(english:"Ubuntu 14.04 LTS : Linux kernel (Xenial HWE) vulnerabilities (USN-3654-2)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3654-2 advisory.

  - Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/usbtv-core.c in the Linux kernel
    through 4.14.10 allows attackers to cause a denial of service (system crash) or possibly have unspecified
    other impact by triggering failure of audio registration, because a kfree of the usbtv data structure
    occurs during a usbtv_video_free call, but the usbtv_video_fail label's code attempts to both access and
    free this data structure. (CVE-2017-17975)

  - fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles extent trees, which allows local users
    to cause a denial of service (BUG) via an application with multiple threads. (CVE-2017-18193)

  - In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) does not consider the ETH_SS_PRIV_FLAGS
    case when retrieving sset_count data, which allows local users to cause a denial of service (buffer
    overflow and memory corruption) or possibly have unspecified other impact, as demonstrated by
    incompatibility between hns_get_sset_count and ethtool_get_strings. (CVE-2017-18222)

  - The netfilter subsystem in the Linux kernel through 4.15.7 mishandles the case of a rule blob that
    contains a jump but lacks a user-defined chain, which allows local users to cause a denial of service
    (NULL pointer dereference) by leveraging the CAP_NET_RAW or CAP_NET_ADMIN capability, related to
    arpt_do_table in net/ipv4/netfilter/arp_tables.c, ipt_do_table in net/ipv4/netfilter/ip_tables.c, and
    ip6t_do_table in net/ipv6/netfilter/ip6_tables.c. (CVE-2018-1065)

  - A flaw was found in the Linux 4.x kernel's implementation of 32-bit syscall interface for bridging. This
    allowed a privileged user to arbitrarily write to a limited range of kernel memory. (CVE-2018-1068)

  - Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit()
    function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of
    certain crafted system calls. (CVE-2018-1130)

  - Systems with microprocessors utilizing speculative execution and speculative execution of memory reads
    before the addresses of all prior memory writes are known may allow unauthorized disclosure of information
    to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB),
    Variant 4. (CVE-2018-3639)

  - In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the
    _sctp_make_chunk() function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be
    exploited to cause a kernel crash. (CVE-2018-5803)

  - The blkcg_init_queue function in block/blk-cgroup.c in the Linux kernel before 4.11 allows local users to
    cause a denial of service (double free) or possibly have unspecified other impact by triggering a creation
    failure. (CVE-2018-7480)

  - Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux
    kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read
    accesses to files in the /sys/class/sas_phy directory, as demonstrated by the
    /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. (CVE-2018-7757)

  - Race condition in the store_int_with_restart() function in arch/x86/kernel/cpu/mcheck/mce.c in the Linux
    kernel through 4.15.7 allows local users to cause a denial of service (panic) by leveraging root access to
    write to the check_interval file in a /sys/devices/system/machinecheck/machinecheck<cpu number> directory.
    NOTE: a third party has indicated that this report is not security relevant (CVE-2018-7995)

  - The udl_fb_mmap function in drivers/gpu/drm/udl/udl_fb.c at the Linux kernel version 3.4 and up to and
    including 4.15 has an integer-overflow vulnerability allowing local users with access to the udldrmfb
    driver to obtain full read and write permissions on kernel physical pages, resulting in a code execution
    in kernel space. (CVE-2018-8781)

  - Incorrect buffer length handling in the ncp_read_kernel function in fs/ncpfs/ncplib_kernel.c in the Linux
    kernel through 4.15.11, and in drivers/staging/ncpfs/ncplib_kernel.c in the Linux kernel 4.16-rc through
    4.16-rc6, could be exploited by malicious NCPFS servers to crash the kernel or execute code.
    (CVE-2018-8822)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3654-2");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8822");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1022-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-127-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '14.04': {
    '4.4.0': {
      'generic': '4.4.0-127',
      'generic-lpae': '4.4.0-127',
      'lowlatency': '4.4.0-127',
      'powerpc-e500mc': '4.4.0-127',
      'powerpc-smp': '4.4.0-127',
      'powerpc64-emb': '4.4.0-127',
      'powerpc64-smp': '4.4.0-127',
      'aws': '4.4.0-1022'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3654-2');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2017-17975', 'CVE-2017-18193', 'CVE-2017-18222', 'CVE-2018-1065', 'CVE-2018-1068', 'CVE-2018-1130', 'CVE-2018-3639', 'CVE-2018-5803', 'CVE-2018-7480', 'CVE-2018-7757', 'CVE-2018-7995', 'CVE-2018-8781', 'CVE-2018-8822');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3654-2');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}