The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3698-1 advisory.
The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the CR8-load exiting and CR8-store exiting L0 vmcs02 controls exist in cases where L1 omits the use TPR shadow vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register. (CVE-2017-12154)
The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations. (CVE-2017-12193)
Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c. (CVE-2017-15265)
Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of certain crafted system calls. (CVE-2018-1130)
System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. (CVE-2018-3665)
The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.
(CVE-2018-5750)
In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the
_sctp_make_chunk() function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be exploited to cause a kernel crash. (CVE-2018-5803)
The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value. (CVE-2018-6927)
An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)
Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. (CVE-2018-7757)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3698-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('compat.inc');
if (description)
{
script_id(110900);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");
script_cve_id(
"CVE-2017-12154",
"CVE-2017-12193",
"CVE-2017-15265",
"CVE-2018-1130",
"CVE-2018-3665",
"CVE-2018-5750",
"CVE-2018-5803",
"CVE-2018-6927",
"CVE-2018-7755",
"CVE-2018-7757"
);
script_xref(name:"USN", value:"3698-1");
script_name(english:"Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-3698-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3698-1 advisory.
- The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that
the CR8-load exiting and CR8-store exiting L0 vmcs02 controls exist in cases where L1 omits the use
TPR shadow vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the
hardware CR8 register. (CVE-2017-12154)
- The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11
mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference
and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link
creation operations. (CVE-2017-12193)
- Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a
denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq
ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c. (CVE-2017-15265)
- Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit()
function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of
certain crafted system calls. (CVE-2018-1130)
- System software utilizing Lazy FP state restore technique on systems using Intel Core-based
microprocessors may potentially allow a local process to infer data from another process through a
speculative execution side channel. (CVE-2018-3665)
- The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local
users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.
(CVE-2018-5750)
- In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the
_sctp_make_chunk() function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be
exploited to cause a kernel crash. (CVE-2018-5803)
- The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to
cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a
negative wake or requeue value. (CVE-2018-6927)
- An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel
through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM
ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the
location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)
- Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux
kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read
accesses to files in the /sys/class/sas_phy directory, as demonstrated by the
/sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. (CVE-2018-7757)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3698-1");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-15265");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-6927");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/26");
script_set_attribute(attribute:"patch_publication_date", value:"2018/07/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-generic");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-generic-lpae");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-lowlatency");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc-e500");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc-e500mc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc-smp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc64-emb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc64-smp");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'14.04': {
'3.13.0': {
'generic': '3.13.0-153',
'generic-lpae': '3.13.0-153',
'lowlatency': '3.13.0-153',
'powerpc-e500': '3.13.0-153',
'powerpc-e500mc': '3.13.0-153',
'powerpc-smp': '3.13.0-153',
'powerpc64-emb': '3.13.0-153',
'powerpc64-smp': '3.13.0-153'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3698-1');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2017-12154', 'CVE-2017-12193', 'CVE-2017-15265', 'CVE-2018-1130', 'CVE-2018-3665', 'CVE-2018-5750', 'CVE-2018-5803', 'CVE-2018-6927', 'CVE-2018-7755', 'CVE-2018-7757');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3698-1');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : extra
);
exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | linux-image-3.13.0-153-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-generic |
canonical | ubuntu_linux | linux-image-3.13.0-153-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-generic-lpae |
canonical | ubuntu_linux | linux-image-3.13.0-153-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-lowlatency |
canonical | ubuntu_linux | linux-image-3.13.0-153-powerpc-e500 | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc-e500 |
canonical | ubuntu_linux | linux-image-3.13.0-153-powerpc-e500mc | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc-e500mc |
canonical | ubuntu_linux | linux-image-3.13.0-153-powerpc-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc-smp |
canonical | ubuntu_linux | linux-image-3.13.0-153-powerpc64-emb | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc64-emb |
canonical | ubuntu_linux | linux-image-3.13.0-153-powerpc64-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc64-smp |
canonical | ubuntu_linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04:-:lts |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12154
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12193
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15265
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1130
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3665
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5750
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5803
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6927
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7755
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7757
ubuntu.com/security/notices/USN-3698-1