The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3753-2 advisory.
An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android kernel. Android ID A-65023233. (CVE-2017-13168)
A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (CVE-2018-10876)
Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (CVE-2018-10877)
A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image. (CVE-2018-10878)
A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image. (CVE-2018-10879)
A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. (CVE-2018-10881)
A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause an out-of-bound write in in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image. (CVE-2018-10882)
In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.
(CVE-2018-12233)
An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. (CVE-2018-13094)
The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)
An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used. (CVE-2018-13406)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3753-2. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('compat.inc');
if (description)
{
script_id(112112);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");
script_cve_id(
"CVE-2017-13168",
"CVE-2018-10876",
"CVE-2018-10877",
"CVE-2018-10878",
"CVE-2018-10879",
"CVE-2018-10881",
"CVE-2018-10882",
"CVE-2018-12233",
"CVE-2018-13094",
"CVE-2018-13405",
"CVE-2018-13406"
);
script_xref(name:"USN", value:"3753-2");
script_name(english:"Ubuntu 14.04 LTS : Linux kernel (Xenial HWE) vulnerabilities (USN-3753-2)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3753-2 advisory.
- An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android
kernel. Android ID A-65023233. (CVE-2017-13168)
- A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in
ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (CVE-2018-10876)
- Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function
when operating on a crafted ext4 filesystem image. (CVE-2018-10877)
- A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write and
a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4
filesystem image. (CVE-2018-10878)
- A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause a use-after-free in
ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a
file in a crafted ext4 filesystem image. (CVE-2018-10879)
- A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in
ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a
crafted ext4 filesystem image. (CVE-2018-10881)
- A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in in
fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4
filesystem image. (CVE-2018-10882)
- In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in
JFS can be triggered by calling setxattr twice with two different extended attribute names on the same
file. This vulnerability can be triggered by an unprivileged user with the ability to create files and
execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.
(CVE-2018-12233)
- An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may
occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. (CVE-2018-13094)
- The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create
files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and
is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a
plain file whose group ownership is that group. The intended behavior was that the non-member can trigger
creation of a directory (but not a plain file) whose group ownership is that group. The non-member can
escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)
- An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel
before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate
privileges because kmalloc_array is not used. (CVE-2018-13406)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3753-2");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-13406");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/06");
script_set_attribute(attribute:"patch_publication_date", value:"2018/08/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/24");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1028-aws");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-generic");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-generic-lpae");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-lowlatency");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-powerpc-e500mc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-powerpc-smp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-powerpc64-emb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-powerpc64-smp");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'14.04': {
'4.4.0': {
'generic': '4.4.0-134',
'generic-lpae': '4.4.0-134',
'lowlatency': '4.4.0-134',
'powerpc-e500mc': '4.4.0-134',
'powerpc-smp': '4.4.0-134',
'powerpc64-emb': '4.4.0-134',
'powerpc64-smp': '4.4.0-134',
'aws': '4.4.0-1028'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3753-2');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2017-13168', 'CVE-2018-10876', 'CVE-2018-10877', 'CVE-2018-10878', 'CVE-2018-10879', 'CVE-2018-10881', 'CVE-2018-10882', 'CVE-2018-12233', 'CVE-2018-13094', 'CVE-2018-13405', 'CVE-2018-13406');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3753-2');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : extra
);
exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | linux-image-4.4.0-1028-aws | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1028-aws |
canonical | ubuntu_linux | linux-image-4.4.0-134-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-generic |
canonical | ubuntu_linux | linux-image-4.4.0-134-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-generic-lpae |
canonical | ubuntu_linux | linux-image-4.4.0-134-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-lowlatency |
canonical | ubuntu_linux | linux-image-4.4.0-134-powerpc-e500mc | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-powerpc-e500mc |
canonical | ubuntu_linux | linux-image-4.4.0-134-powerpc-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-powerpc-smp |
canonical | ubuntu_linux | linux-image-4.4.0-134-powerpc64-emb | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-powerpc64-emb |
canonical | ubuntu_linux | linux-image-4.4.0-134-powerpc64-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-134-powerpc64-smp |
canonical | ubuntu_linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04:-:lts |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13168
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10876
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10877
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10878
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10879
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10881
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10882
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12233
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13094
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13405
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13406
ubuntu.com/security/notices/USN-3753-2