Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-3696-1.NASL
HistoryJul 03, 2018 - 12:00 a.m.

Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-3696-1)

2018-07-0300:00:00
Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
62

8.4 High

AI Score

Confidence

High

JSON

The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3696-1 advisory.

  • The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. (CVE-2017-13695)

  • The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation. (CVE-2017-18255)

  • The __get_data_block function in fs/f2fs/data.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl. (CVE-2017-18257)

  • Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don’t usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing chmod o+r+w /dev/sg* to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it virtually impossible to exploit. (CVE-2018-1000204)

  • drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables (CVE-2018-10021)

  • The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value. (CVE-2018-10087)

  • The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument. (CVE-2018-10124)

  • System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. (CVE-2018-3665)

  • In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets. (CVE-2018-5814)

  • An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3696-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(110896);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2017-13695",
    "CVE-2017-18255",
    "CVE-2017-18257",
    "CVE-2018-1000204",
    "CVE-2018-10021",
    "CVE-2018-10087",
    "CVE-2018-10124",
    "CVE-2018-3665",
    "CVE-2018-5814",
    "CVE-2018-7755"
  );
  script_xref(name:"USN", value:"3696-1");

  script_name(english:"Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-3696-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3696-1 advisory.

  - The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does
    not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive
    information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a
    crafted ACPI table. (CVE-2017-13695)

  - The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11
    allows local users to cause a denial of service (integer overflow) or possibly have unspecified other
    impact via a large value, as demonstrated by an incorrect sample-rate calculation. (CVE-2017-18255)

  - The __get_data_block function in fs/f2fs/data.c in the Linux kernel before 4.11 allows local users to
    cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system
    calls with an FS_IOC_FIEMAP ioctl. (CVE-2017-18257)

  - Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with
    dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel
    heap pages to the userspace. This has been fixed upstream in
    https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has
    limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the
    Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties
    dispute the relevance of this report, noting that the requirement for an attacker to have both the
    CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it virtually impossible to exploit. (CVE-2018-1000204)

  - drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial
    of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the
    relevance of this report because the failure can only occur for physically proximate attackers who unplug
    SAS Host Bus Adapter cables (CVE-2018-10021)

  - The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified
    architecture and compiler is used, might allow local users to cause a denial of service by triggering an
    attempted use of the -INT_MIN value. (CVE-2018-10087)

  - The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified
    architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN
    argument. (CVE-2018-10124)

  - System software utilizing Lazy FP state restore technique on systems using Intel Core-based
    microprocessors may potentially allow a local process to infer data from another process through a
    speculative execution side channel. (CVE-2018-3665)

  - In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors
    when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free
    condition or a NULL pointer dereference by sending multiple USB over IP packets. (CVE-2018-5814)

  - An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel
    through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM
    ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the
    location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3696-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5814");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2017-18255");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1029-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1062-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1092-raspi2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1095-snapdragon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '16.04': {
    '4.4.0': {
      'generic': '4.4.0-130',
      'generic-lpae': '4.4.0-130',
      'lowlatency': '4.4.0-130',
      'powerpc-e500mc': '4.4.0-130',
      'powerpc-smp': '4.4.0-130',
      'powerpc64-emb': '4.4.0-130',
      'powerpc64-smp': '4.4.0-130',
      'kvm': '4.4.0-1029',
      'aws': '4.4.0-1062',
      'raspi2': '4.4.0-1092',
      'snapdragon': '4.4.0-1095'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3696-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2017-13695', 'CVE-2017-18255', 'CVE-2017-18257', 'CVE-2018-3665', 'CVE-2018-5814', 'CVE-2018-7755', 'CVE-2018-10021', 'CVE-2018-10087', 'CVE-2018-10124', 'CVE-2018-1000204');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3696-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : extra
  );
  exit(0);
}
VendorProductVersionCPE
canonicalubuntu_linuxlinux-image-4.4.0-1029-kvmp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1029-kvm
canonicalubuntu_linuxlinux-image-4.4.0-1062-awsp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1062-aws
canonicalubuntu_linuxlinux-image-4.4.0-1092-raspi2p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1092-raspi2
canonicalubuntu_linuxlinux-image-4.4.0-1095-snapdragonp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1095-snapdragon
canonicalubuntu_linuxlinux-image-4.4.0-130-genericp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-generic
canonicalubuntu_linuxlinux-image-4.4.0-130-generic-lpaep-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-generic-lpae
canonicalubuntu_linuxlinux-image-4.4.0-130-lowlatencyp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-lowlatency
canonicalubuntu_linuxlinux-image-4.4.0-130-powerpc-e500mcp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc-e500mc
canonicalubuntu_linuxlinux-image-4.4.0-130-powerpc-smpp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc-smp
canonicalubuntu_linuxlinux-image-4.4.0-130-powerpc64-embp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc64-emb
Rows per page:
1-10 of 121

Related

ubuntu 2
openvas 46
nessus 68
cloudfoundry 1
photon 5
suse 2
debiancve 10
prion 10
ubuntucve 10
cve 10
redhatcve 8
veracode 2
debian 1
amazon 2
f5 2
osv 3
freebsd_advisory 1
oraclelinux 2
citrix 1
redhat 2
mskb 1
lenovo 2
intel 1
thn 1
freebsd 1
kaspersky 1
centos 1
paloalto 1
xen 1
mscve 1
ubuntu
ubuntu
Linux kernel (Xenial HWE) vulnerabilities
2018-07-02 00:00:00
Linux kernel vulnerabilities
2018-07-02 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-3696-1)
2018-07-03 00:00:00
Ubuntu: Security Advisory (USN-3696-2)
2018-07-03 00:00:00
Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2018-1261)
2020-01-23 00:00:00
nessus
nessus
Ubuntu 14.04 LTS : Linux kernel (Xenial HWE) vulnerabilities (USN-3696-2)
2018-07-03 00:00:00
EulerOS Virtualization 2.5.1 : kernel (EulerOS-SA-2018-1261)
2018-09-18 00:00:00
Photon OS 2.0: Linux PHSA-2018-2.0-0062
2019-02-07 00:00:00
cloudfoundry
cloudfoundry
USN-3696-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry
2018-07-10 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2018-0062
2018-06-21 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-2.0-0062
2018-06-26 00:00:00
Important Photon OS Security Update - PHSA-2018-0150
2018-06-21 00:00:00
suse
suse
Security update for the Linux Kernel (important)
2018-05-11 18:07:25
Security update for the Linux Kernel (important)
2018-05-09 00:14:28
debiancve
debiancve
CVE-2017-18257
2018-04-04 17:29:00
CVE-2017-18255
2018-03-31 17:29:00
CVE-2018-1000204
2018-06-26 14:29:00
prion
prion
Integer overflow
2018-04-04 17:29:00
Heap overflow
2018-06-26 14:29:00
Integer overflow
2018-03-31 17:29:00
ubuntucve
ubuntucve
CVE-2017-18255
2018-03-31 00:00:00
CVE-2017-18257
2018-04-04 00:00:00
CVE-2018-1000204
2018-06-26 00:00:00
cve
cve
CVE-2017-18255
2018-03-31 17:29:00
CVE-2017-18257
2018-04-04 17:29:00
CVE-2018-1000204
2018-06-26 14:29:00
redhatcve
redhatcve
CVE-2017-18257
2018-04-10 04:49:12
CVE-2017-18255
2018-04-03 06:49:54
CVE-2018-1000204
2018-06-11 08:19:19
veracode
veracode
Information Disclosure
2019-08-08 00:07:18
Information Disclosure
2019-01-15 09:23:51
debian
debian
[SECURITY] [DLA 1423-1] linux-4.9 new package
2018-07-18 15:37:11
amazon
amazon
Low: kernel
2019-09-13 23:08:00
Low: kernel
2019-09-13 22:43:00
f5
f5
K42558402 : Linux kernel vulnerability CVE-2018-5814
2018-11-02 00:00:00
K21344224 : Lazy FP state restore vulnerability CVE-2018-3665
2018-06-21 00:00:00
osv
osv
CVE-2018-3665
2018-06-21 20:29:00
xen - security update
2018-06-20 00:00:00
linux-4.9 - security update
2018-07-14 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-18:07.lazyfpu
2018-06-21 00:00:00
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2018-06-15 00:00:00
kernel security update
2018-06-14 00:00:00
citrix
citrix
CVE-2018-3665 - Citrix XenServer Security Update
2018-06-15 04:00:00
redhat
redhat
(RHSA-2018:1944) Moderate: kernel-rt security update
2018-06-19 13:05:06
(RHSA-2018:1852) Moderate: kernel security update
2018-06-14 19:11:57
mskb
mskb
Description of the security update for the L1TF variant vulnerabilities in Windows Server 2008: August 14, 2018
2018-08-14 07:00:00
lenovo
lenovo
Lazy FP State Restore - US
2018-12-13 11:22:07
Lazy FP State Restore - Lenovo Support NL
2018-12-13 11:22:07
intel
intel
Lazy FP State Restore
2018-06-13 00:00:00
thn
thn
New 'Lazy FP State Restore' Vulnerability Found in All Modern Intel CPUs
2018-06-14 07:59:00
freebsd
freebsd
FreeBSD -- Lazy FPU State Restore Information Disclosure
2018-06-21 00:00:00
kaspersky
kaspersky
KLA11891 Microsoft Advisory for Microsoft Products (ESU)
2018-06-13 00:00:00
centos
centos
kernel, perf, python security update
2018-06-16 10:49:53
paloalto
paloalto
Information Disclosure in WildFire Appliance (WF-500)
2019-07-08 22:15:00
xen
xen
Speculative register leakage from lazy FPU context switching
2018-06-13 20:23:00
mscve
mscve
Microsoft Guidance for Lazy FP State Restore
2018-06-13 07:00:00

8.4 High

AI Score

Confidence

High

JSON
Related for UBUNTU_USN-3696-1.NASL
ubuntu2openvas46nessus68cloudfoundry1photon5suse2debiancve10prion10ubuntucve10cve10redhatcve8veracode2debian1amazon2f52osv3freebsd_advisory1oraclelinux2citrix1redhat2mskb1lenovo2intel1thn1freebsd1kaspersky1centos1paloalto1xen1mscve1