The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3696-2 advisory.
The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. (CVE-2017-13695)
The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation. (CVE-2017-18255)
The __get_data_block function in fs/f2fs/data.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system calls with an FS_IOC_FIEMAP ioctl. (CVE-2017-18257)
Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don’t usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing chmod o+r+w /dev/sg*
to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it virtually impossible to exploit. (CVE-2018-1000204)
drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables (CVE-2018-10021)
The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value. (CVE-2018-10087)
The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument. (CVE-2018-10124)
System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. (CVE-2018-3665)
In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free condition or a NULL pointer dereference by sending multiple USB over IP packets. (CVE-2018-5814)
An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3696-2. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('compat.inc');
if (description)
{
script_id(110897);
script_version("1.11");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");
script_cve_id(
"CVE-2017-13695",
"CVE-2017-18255",
"CVE-2017-18257",
"CVE-2018-1000204",
"CVE-2018-10021",
"CVE-2018-10087",
"CVE-2018-10124",
"CVE-2018-3665",
"CVE-2018-5814",
"CVE-2018-7755"
);
script_xref(name:"USN", value:"3696-2");
script_name(english:"Ubuntu 14.04 LTS : Linux kernel (Xenial HWE) vulnerabilities (USN-3696-2)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3696-2 advisory.
- The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does
not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive
information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a
crafted ACPI table. (CVE-2017-13695)
- The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11
allows local users to cause a denial of service (integer overflow) or possibly have unspecified other
impact via a large value, as demonstrated by an incorrect sample-rate calculation. (CVE-2017-18255)
- The __get_data_block function in fs/f2fs/data.c in the Linux kernel before 4.11 allows local users to
cause a denial of service (integer overflow and loop) via crafted use of the open and fallocate system
calls with an FS_IOC_FIEMAP ioctl. (CVE-2017-18257)
- Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with
dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel
heap pages to the userspace. This has been fixed upstream in
https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has
limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the
Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties
dispute the relevance of this report, noting that the requirement for an attacker to have both the
CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it virtually impossible to exploit. (CVE-2018-1000204)
- drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial
of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the
relevance of this report because the failure can only occur for physically proximate attackers who unplug
SAS Host Bus Adapter cables (CVE-2018-10021)
- The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified
architecture and compiler is used, might allow local users to cause a denial of service by triggering an
attempted use of the -INT_MIN value. (CVE-2018-10087)
- The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified
architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN
argument. (CVE-2018-10124)
- System software utilizing Lazy FP state restore technique on systems using Intel Core-based
microprocessors may potentially allow a local process to infer data from another process through a
speculative execution side channel. (CVE-2018-3665)
- In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors
when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free
condition or a NULL pointer dereference by sending multiple USB over IP packets. (CVE-2018-5814)
- An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel
through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM
ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the
location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3696-2");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-5814");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2017-18255");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/25");
script_set_attribute(attribute:"patch_publication_date", value:"2018/07/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1024-aws");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-generic");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-generic-lpae");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-lowlatency");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc-e500mc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc-smp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc64-emb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc64-smp");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'14.04': {
'4.4.0': {
'generic': '4.4.0-130',
'generic-lpae': '4.4.0-130',
'lowlatency': '4.4.0-130',
'powerpc-e500mc': '4.4.0-130',
'powerpc-smp': '4.4.0-130',
'powerpc64-emb': '4.4.0-130',
'powerpc64-smp': '4.4.0-130',
'aws': '4.4.0-1024'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3696-2');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2017-13695', 'CVE-2017-18255', 'CVE-2017-18257', 'CVE-2018-3665', 'CVE-2018-5814', 'CVE-2018-7755', 'CVE-2018-10021', 'CVE-2018-10087', 'CVE-2018-10124', 'CVE-2018-1000204');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3696-2');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : extra
);
exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | linux-image-4.4.0-1024-aws | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1024-aws |
canonical | ubuntu_linux | linux-image-4.4.0-130-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-generic |
canonical | ubuntu_linux | linux-image-4.4.0-130-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-generic-lpae |
canonical | ubuntu_linux | linux-image-4.4.0-130-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-lowlatency |
canonical | ubuntu_linux | linux-image-4.4.0-130-powerpc-e500mc | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc-e500mc |
canonical | ubuntu_linux | linux-image-4.4.0-130-powerpc-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc-smp |
canonical | ubuntu_linux | linux-image-4.4.0-130-powerpc64-emb | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc64-emb |
canonical | ubuntu_linux | linux-image-4.4.0-130-powerpc64-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-130-powerpc64-smp |
canonical | ubuntu_linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04:-:lts |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13695
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18255
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18257
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000204
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10021
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10087
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10124
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3665
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5814
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7755
ubuntu.com/security/notices/USN-3696-2