Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-3752-1)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3752-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(112109);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2018-1000200",
    "CVE-2018-1000204",
    "CVE-2018-10323",
    "CVE-2018-10840",
    "CVE-2018-10881",
    "CVE-2018-1093",
    "CVE-2018-1108",
    "CVE-2018-1120",
    "CVE-2018-11412",
    "CVE-2018-11506",
    "CVE-2018-12232",
    "CVE-2018-12233",
    "CVE-2018-12904",
    "CVE-2018-13094",
    "CVE-2018-13405",
    "CVE-2018-13406",
    "CVE-2018-5814",
    "CVE-2018-9415"
  );
  script_xref(name:"USN", value:"3752-1");

  script_name(english:"Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-3752-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3752-1 advisory.

  - The Linux Kernel versions 4.14, 4.15, and 4.16 has a null pointer dereference which can result in an out
    of memory (OOM) killing of large mlocked processes. The issue arises from an oom killed process's final
    thread calling exit_mmap(), which calls munlock_vma_pages_all() for mlocked vmas.This can happen
    synchronously with the oom reaper's unmap_page_range() since the vma's VM_LOCKED bit is cleared before
    munlocking (to determine if any other vmas share the memory and are mlocked). (CVE-2018-1000200)

  - Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with
    dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel
    heap pages to the userspace. This has been fixed upstream in
    https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has
    limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the
    Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties
    dispute the relevance of this report, noting that the requirement for an attacker to have both the
    CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it virtually impossible to exploit. (CVE-2018-1000204)

  - The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3
    allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted
    xfs image. (CVE-2018-10323)

  - Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry()
    function. An attacker could exploit this by operating on a mounted crafted ext4 image. (CVE-2018-10840)

  - A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in
    ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a
    crafted ext4 filesystem image. (CVE-2018-10881)

  - The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel through 4.15.15 allows
    attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image
    because balloc.c and ialloc.c do not validate bitmap block numbers. (CVE-2018-1093)

  - kernel drivers before version 4.17-rc1 are vulnerable to a weakness in the Linux kernel's implementation
    of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed
    before it was sufficiently generated. (CVE-2018-1108)

  - A flaw was found affecting the Linux kernel before version 4.17. By mmap()ing a FUSE-backed file onto a
    process's memory containing command line arguments (or environment strings), an attacker can cause
    utilities from psutils or procps (such as ps, w) or any other program which makes a read() call to the
    /proc/<pid>/cmdline (or /proc/<pid>/environ) files to block indefinitely (denial of service) or for some
    controlled time (as a synchronization primitive for other attacks). (CVE-2018-1120)

  - In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy
    with an untrusted length value in certain circumstances involving a crafted filesystem that stores the
    system.data extended attribute value in a dedicated inode. (CVE-2018-11412)

  - The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users
    to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact
    because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a
    CDROMREADMODE2 ioctl call. (CVE-2018-11506)

  - In net/socket.c in the Linux kernel through 4.17.1, there is a race condition between fchownat and close
    in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr
    functions. fchownat does not increment the file descriptor reference count, which allows close to set the
    socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash.
    (CVE-2018-12232)

  - In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in
    JFS can be triggered by calling setxattr twice with two different extended attribute names on the same
    file. This vulnerability can be triggered by an unprivileged user with the ability to create files and
    execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.
    (CVE-2018-12233)

  - In arch/x86/kvm/vmx.c in the Linux kernel before 4.17.2, when nested virtualization is used, local
    attackers could cause L1 KVM guests to VMEXIT, potentially allowing privilege escalations and denial of
    service attacks due to lack of checking of CPL. (CVE-2018-12904)

  - An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may
    occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. (CVE-2018-13094)

  - The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create
    files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and
    is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a
    plain file whose group ownership is that group. The intended behavior was that the non-member can trigger
    creation of a directory (but not a plain file) whose group ownership is that group. The non-member can
    escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)

  - An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel
    before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate
    privileges because kmalloc_array is not used. (CVE-2018-13406)

  - In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and 4.4.133, multiple race condition errors
    when handling probe, disconnect, and rebind operations can be exploited to trigger a use-after-free
    condition or a NULL pointer dereference by sending multiple USB over IP packets. (CVE-2018-5814)

  - In driver_override_store and driver_override_show of bus.c, there is a possible double free due to
    improper locking. This could lead to local escalation of privilege with System execution privileges
    needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android
    ID: A-69129004 References: Upstream kernel. (CVE-2018-9415)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3752-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-13406");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-9415");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/08/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1018-gcp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1020-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1020-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1021-raspi2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-33-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-33-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-33-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-33-snapdragon");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '18.04': {
    '4.15.0': {
      'generic': '4.15.0-33',
      'generic-lpae': '4.15.0-33',
      'lowlatency': '4.15.0-33',
      'snapdragon': '4.15.0-33',
      'gcp': '4.15.0-1018',
      'aws': '4.15.0-1020',
      'kvm': '4.15.0-1020',
      'raspi2': '4.15.0-1021'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3752-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2018-1093', 'CVE-2018-1108', 'CVE-2018-1120', 'CVE-2018-5814', 'CVE-2018-9415', 'CVE-2018-10323', 'CVE-2018-10840', 'CVE-2018-10881', 'CVE-2018-11412', 'CVE-2018-11506', 'CVE-2018-12232', 'CVE-2018-12233', 'CVE-2018-12904', 'CVE-2018-13094', 'CVE-2018-13405', 'CVE-2018-13406', 'CVE-2018-1000200', 'CVE-2018-1000204');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3752-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}