Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-3698-1.NASL
HistoryJul 03, 2018 - 12:00 a.m.

Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-3698-1)

2018-07-0300:00:00
Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
40

8.4 High

AI Score

Confidence

High

JSON

The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3698-1 advisory.

  • The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that the CR8-load exiting and CR8-store exiting L0 vmcs02 controls exist in cases where L1 omits the use TPR shadow vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the hardware CR8 register. (CVE-2017-12154)

  • The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11 mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link creation operations. (CVE-2017-12193)

  • Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c. (CVE-2017-15265)

  • Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of certain crafted system calls. (CVE-2018-1130)

  • System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. (CVE-2018-3665)

  • The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.
    (CVE-2018-5750)

  • In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the
    _sctp_make_chunk() function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be exploited to cause a kernel crash. (CVE-2018-5803)

  • The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value. (CVE-2018-6927)

  • An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)

  • Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read accesses to files in the /sys/class/sas_phy directory, as demonstrated by the /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. (CVE-2018-7757)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3698-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(110900);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2017-12154",
    "CVE-2017-12193",
    "CVE-2017-15265",
    "CVE-2018-1130",
    "CVE-2018-3665",
    "CVE-2018-5750",
    "CVE-2018-5803",
    "CVE-2018-6927",
    "CVE-2018-7755",
    "CVE-2018-7757"
  );
  script_xref(name:"USN", value:"3698-1");

  script_name(english:"Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-3698-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3698-1 advisory.

  - The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel through 4.13.3 does not ensure that
    the CR8-load exiting and CR8-store exiting L0 vmcs02 controls exist in cases where L1 omits the use
    TPR shadow vmcs12 control, which allows KVM L2 guest OS users to obtain read and write access to the
    hardware CR8 register. (CVE-2017-12154)

  - The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in the Linux kernel before 4.13.11
    mishandles node splitting, which allows local users to cause a denial of service (NULL pointer dereference
    and panic) via a crafted application, as demonstrated by the keyring key type, and key addition and link
    creation operations. (CVE-2017-12193)

  - Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a
    denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq
    ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c. (CVE-2017-15265)

  - Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit()
    function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of
    certain crafted system calls. (CVE-2018-1130)

  - System software utilizing Lazy FP state restore technique on systems using Intel Core-based
    microprocessors may potentially allow a local process to infer data from another process through a
    speculative execution side channel. (CVE-2018-3665)

  - The acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel through 4.14.15 allows local
    users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.
    (CVE-2018-5750)

  - In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, 4.1.51, and 3.2.102, an error in the
    _sctp_make_chunk() function (net/sctp/sm_make_chunk.c) when handling SCTP packets length can be
    exploited to cause a kernel crash. (CVE-2018-5803)

  - The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to
    cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a
    negative wake or requeue value. (CVE-2018-6927)

  - An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel
    through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM
    ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the
    location of kernel code and data and bypass kernel security protections such as KASLR. (CVE-2018-7755)

  - Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c in the Linux
    kernel through 4.15.7 allows local users to cause a denial of service (memory consumption) via many read
    accesses to files in the /sys/class/sas_phy directory, as demonstrated by the
    /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file. (CVE-2018-7757)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3698-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-15265");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-6927");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc-e500");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '14.04': {
    '3.13.0': {
      'generic': '3.13.0-153',
      'generic-lpae': '3.13.0-153',
      'lowlatency': '3.13.0-153',
      'powerpc-e500': '3.13.0-153',
      'powerpc-e500mc': '3.13.0-153',
      'powerpc-smp': '3.13.0-153',
      'powerpc64-emb': '3.13.0-153',
      'powerpc64-smp': '3.13.0-153'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3698-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2017-12154', 'CVE-2017-12193', 'CVE-2017-15265', 'CVE-2018-1130', 'CVE-2018-3665', 'CVE-2018-5750', 'CVE-2018-5803', 'CVE-2018-6927', 'CVE-2018-7755', 'CVE-2018-7757');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3698-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : extra
  );
  exit(0);
}
VendorProductVersionCPE
canonicalubuntu_linuxlinux-image-3.13.0-153-genericp-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-generic
canonicalubuntu_linuxlinux-image-3.13.0-153-generic-lpaep-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-generic-lpae
canonicalubuntu_linuxlinux-image-3.13.0-153-lowlatencyp-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-lowlatency
canonicalubuntu_linuxlinux-image-3.13.0-153-powerpc-e500p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc-e500
canonicalubuntu_linuxlinux-image-3.13.0-153-powerpc-e500mcp-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc-e500mc
canonicalubuntu_linuxlinux-image-3.13.0-153-powerpc-smpp-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc-smp
canonicalubuntu_linuxlinux-image-3.13.0-153-powerpc64-embp-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc64-emb
canonicalubuntu_linuxlinux-image-3.13.0-153-powerpc64-smpp-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-153-powerpc64-smp
canonicalubuntu_linux14.04cpe:/o:canonical:ubuntu_linux:14.04:-:lts

Related

ubuntu 4
openvas 44
nessus 54
altlinux 2
oraclelinux 4
ibm 1
fedora 4
prion 9
redhatcve 9
veracode 9
virtuozzo 6
redhat 2
ubuntucve 9
thn 1
f5 6
cve 8
debiancve 9
osv 4
amazon 2
alpinelinux 1
citrix 1
mskb 1
freebsd_advisory 1
lenovo 1
debian 1
mscve 1
xen 1
paloalto 1
kaspersky 1
centos 1
zdt 1
ubuntu
ubuntu
Linux kernel (Trusty HWE) vulnerabilities
2018-07-02 00:00:00
Linux kernel vulnerabilities
2018-07-02 00:00:00
Linux kernel (OEM) vulnerabilities
2018-07-02 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-3698-2)
2022-08-26 00:00:00
Ubuntu: Security Advisory (USN-3698-1)
2018-07-03 00:00:00
Ubuntu: Security Advisory (USN-3697-1)
2018-07-03 00:00:00
nessus
nessus
Ubuntu 17.10 : linux, linux-raspi2 vulnerabilities (USN-3697-1)
2018-07-03 00:00:00
Ubuntu 16.04 LTS : Linux kernel (OEM) vulnerabilities (USN-3697-2)
2018-07-03 00:00:00
Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4193)
2018-08-10 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 7 package kernel-image-un-def version 1:4.1.46-alt0.M70P.1
2017-11-16 00:00:00
Security fix for the ALT Linux 7 package kernel-image-un-def version 1:4.1.44-alt0.M70P.1.1
2017-10-17 00:00:00
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2018-08-09 00:00:00
Unbreakable Enterprise kernel security update
2018-11-08 00:00:00
Unbreakable Enterprise kernel security update
2018-06-15 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM
2018-06-18 01:38:34
fedora
fedora
[SECURITY] Fedora 27 Update: kernel-4.15.8-300.fc27
2018-03-13 23:26:22
[SECURITY] Fedora 26 Update: kernel-4.13.11-200.fc26
2017-11-07 22:22:27
[SECURITY] Fedora 25 Update: kernel-4.13.11-100.fc25
2017-11-07 23:42:04
prion
prion
Design/Logic Flaw
2017-09-26 05:29:00
Null pointer dereference
2017-11-22 18:29:00
Race condition
2017-10-16 18:29:00
redhatcve
redhatcve
CVE-2017-12154
2017-09-13 11:48:51
CVE-2017-15265
2017-10-13 12:19:21
CVE-2017-12193
2019-10-08 16:09:22
veracode
veracode
Authorization Bypass
2019-05-16 02:50:21
NULL Pointer Dereference
2019-05-16 02:13:54
Denial Of Service (DoS)
2019-01-15 09:27:22
virtuozzo
virtuozzo
Kernel security update: CVE-2017-12193; Virtuozzo ReadyKernel patch 37.1 for Virtuozzo 7.0.0, 7.0.1, 7.0.3, 7.0.4, and 7.0.4 HF3
2017-11-10 00:00:00
Kernel security update: CVE-2017-15265; new kernel 2.6.32-042stab126.1, Virtuozzo 6.0 Update 12 Hotfix 18 (6.0.12-3688)
2017-11-20 00:00:00
Kernel security update: CVE-2017-15265; new kernel 2.6.32-042stab126.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0
2017-11-20 00:00:00
redhat
redhat
(RHSA-2018:3823) Moderate: kernel security and bug fix update
2018-12-12 14:22:12
(RHSA-2018:1944) Moderate: kernel-rt security update
2018-06-19 13:05:06
ubuntucve
ubuntucve
CVE-2017-15265
2017-10-16 00:00:00
CVE-2018-5750
2018-01-26 00:00:00
CVE-2017-12154
2017-09-26 00:00:00
thn
thn
Yet Another Linux Kernel Privilege-Escalation Bug Discovered
2017-10-16 04:02:00
f5
f5
K32616738 : Linux kernel vulnerability CVE-2017-15265
2018-08-28 00:00:00
K89434121 : Linux kernel vulnerability CVE-2017-12193
2018-01-29 00:00:00
K22503522 : Linux kernel vulnerability CVE-2018-7757
2018-06-21 00:00:00
cve
cve
CVE-2017-15265
2017-10-16 18:29:00
CVE-2018-5750
2018-01-26 19:29:00
CVE-2017-12154
2017-09-26 05:29:00
debiancve
debiancve
CVE-2017-15265
2017-10-16 18:29:00
CVE-2018-5750
2018-01-26 19:29:00
CVE-2018-7755
2018-03-08 07:29:00
osv
osv
CVE-2018-5750
2018-01-26 19:29:00
CVE-2018-6927
2018-02-12 19:29:01
xen - security update
2018-06-20 00:00:00
amazon
amazon
Low: kernel
2019-09-13 23:08:00
Low: kernel
2019-09-13 22:43:00
alpinelinux
alpinelinux
CVE-2018-7757
2018-03-08 14:29:00
citrix
citrix
CVE-2018-3665 - Citrix XenServer Security Update
2018-06-15 04:00:00
mskb
mskb
Description of the security update for the L1TF variant vulnerabilities in Windows Server 2008: August 14, 2018
2018-08-14 07:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-18:07.lazyfpu
2018-06-21 00:00:00
lenovo
lenovo
Lazy FP State Restore - Lenovo Support NL
2018-12-13 11:22:07
debian
debian
[SECURITY] [DSA 4232-1] xen security update
2018-06-20 07:02:39
mscve
mscve
Microsoft Guidance for Lazy FP State Restore
2018-06-13 07:00:00
xen
xen
Speculative register leakage from lazy FPU context switching
2018-06-13 20:23:00
paloalto
paloalto
Information Disclosure in WildFire Appliance (WF-500)
2019-07-08 22:15:00
kaspersky
kaspersky
KLA11891 Microsoft Advisory for Microsoft Products (ESU)
2018-06-13 00:00:00
centos
centos
kernel, perf, python security update
2018-06-16 10:49:53
zdt
zdt
Linux Kernel _sctp_make_chunk() Denial Of Service Vulnerability
2018-03-02 00:00:00

8.4 High

AI Score

Confidence

High

JSON
Related for UBUNTU_USN-3698-1.NASL
ubuntu4openvas44nessus54altlinux2oraclelinux4ibm1fedora4prion9redhatcve9veracode9virtuozzo6redhat2ubuntucve9thn1f56cve8debiancve9osv4amazon2alpinelinux1citrix1mskb1freebsd_advisory1lenovo1debian1mscve1xen1paloalto1kaspersky1centos1zdt1