The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3754-1 advisory.
The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image. (CVE-2016-10208)
The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table. (CVE-2017-11472)
Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux kernel through 3.2 allows local users to gain privileges via a crafted ACPI table. (CVE-2017-11473)
The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0. (CVE-2017-14991)
net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346. (CVE-2017-15649)
drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16526)
sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16527)
The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16529)
drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor. (CVE-2017-16531)
The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16532)
The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16533)
The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel before 4.13.10 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16535)
The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16536)
The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16537)
drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (general protection fault and system crash) or possibly have unspecified other impact via a crafted USB device, related to a missing warm-start check and incorrect attach timing (dm04_lme2510_frontend_attach versus dm04_lme2510_tuner). (CVE-2017-16538)
The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16643)
The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (improper error handling and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16644)
The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16645)
The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16650)
The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows local attackers to disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP. (CVE-2017-16911)
The get_pipe() function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB over IP packet. (CVE-2017-16912)
The stub_recv_cmd_submit() function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial of service (arbitrary memory allocation) via a specially crafted USB over IP packet. (CVE-2017-16913)
The stub_send_ret_submit() function (drivers/usb/usbip/stub_tx.c) in the Linux Kernel before version 4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer dereference) via a specially crafted USB over IP packet. (CVE-2017-16914)
The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before attempting to release resources, which allows local users to cause a denial of service (out-of-bounds write access) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-17558)
The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11 allows local users to cause a denial of service (integer overflow) or possibly have unspecified other impact via a large value, as demonstrated by an incorrect sample-rate calculation. (CVE-2017-18255)
In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service. (CVE-2017-18270)
The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5 improperly emulates a MOV SS, NULL selector instruction, which allows guest OS users to cause a denial of service (guest OS crash) or gain guest OS privileges via a crafted application. (CVE-2017-2583)
arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free) via a crafted application that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt. (CVE-2017-2584)
The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call. (CVE-2017-2671)
The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5 places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which allows local users to obtain sensitive information by reading the log. (CVE-2017-5549)
The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access. (CVE-2017-5897)
The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have unspecified other impact via crafted system calls. (CVE-2017-6345)
The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices. (CVE-2017-6348)
A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap flag (TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception (#DB) being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate their privileges inside the guest. Linux guests are not affected by this. (CVE-2017-7518)
The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c, fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. (CVE-2017-7645)
The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.11.5 allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact by changing a certain sequence-number value, aka a double fetch vulnerability. (CVE-2017-8831)
The snd_msnd_interrupt function in sound/isa/msnd/msnd_pinnacle.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a double fetch vulnerability. (CVE-2017-9984)
The snd_msndmidi_input_read function in sound/isa/msnd/msnd_midi.c in the Linux kernel through 4.11.7 allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a double fetch vulnerability. (CVE-2017-9985)
Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing chmod o+r+w /dev/sg* to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it virtually impossible to exploit. (CVE-2018-1000204)
drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the relevance of this report because the failure can only occur for physically proximate attackers who unplug SAS Host Bus Adapter cables. (CVE-2018-10021)
The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service by triggering an attempted use of the -INT_MIN value. (CVE-2018-10087)
The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN argument. (CVE-2018-10124)
The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3 allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted xfs image. (CVE-2018-10323)
The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls. (CVE-2018-10675)
The Linux kernel's ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (CVE-2018-10877)
A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. (CVE-2018-10881)
The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a root directory with a zero i_links_count, which allows attackers to cause a denial of service (ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image. (CVE-2018-1092)
The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel through 4.15.15 allows attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers. (CVE-2018-1093)
The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory. (CVE-2018-10940)
In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr. (CVE-2018-12233)
An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. (CVE-2018-13094)
The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)
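As an added illustration of the CVE-2018-13405 condition (this is not text or code from the advisory or the plugin), the model below encodes the inode_init_owner() decision in user space, before and after the upstream fix as I read it: the new inode still inherits the group of the SGID directory, but S_ISGID is dropped from a non-directory when it is requested together with S_IXGRP by a creator who is neither a member of that group nor holds CAP_FSETID. The gid values, the group sets and the helper names are assumptions made for the example.

```python
import stat

# Constructed model of the VFS inode_init_owner() decision for a new inode
# created inside a set-group-ID directory. Gid values, group sets and the
# function names are assumptions for illustration; nothing here touches
# the real kernel.

TARGET_GID = 1000      # assumed: the group the directory is SGID to
ATTACKER_GID = 2000    # assumed: primary group of the non-member creator


def init_owner_vulnerable(dir_mode, dir_gid, mode, caller_gid, caller_groups,
                          has_cap_fsetid=False):
    """Pre-fix behaviour: inside an SGID directory the new inode inherits the
    directory's group, a new directory also gets S_ISGID, and a plain file
    keeps whatever mode the creator requested, S_ISGID included."""
    if dir_mode & stat.S_ISGID:
        gid = dir_gid
        if stat.S_ISDIR(mode):
            mode |= stat.S_ISGID
    else:
        gid = caller_gid
    return gid, mode


def init_owner_fixed(dir_mode, dir_gid, mode, caller_gid, caller_groups,
                     has_cap_fsetid=False):
    """Post-fix behaviour (my reading of the upstream fix): the group is still
    inherited, but a non-directory requested with S_ISGID and S_IXGRP by a
    creator who is neither in that group nor holding CAP_FSETID loses S_ISGID,
    mirroring what chmod already enforced for non-members."""
    if dir_mode & stat.S_ISGID:
        gid = dir_gid
        if stat.S_ISDIR(mode):
            mode |= stat.S_ISGID
        elif ((mode & (stat.S_ISGID | stat.S_IXGRP)) == (stat.S_ISGID | stat.S_IXGRP)
              and gid not in caller_groups and not has_cap_fsetid):
            mode &= ~stat.S_ISGID
    else:
        gid = caller_gid
    return gid, mode


def creates_sgid_binary(init_owner, caller_groups=frozenset({ATTACKER_GID})):
    """The CVE-2018-13405 scenario: a world-writable directory that is SGID to
    TARGET_GID, and a creator calling open(O_CREAT) with mode 02755 (after
    umask). True when the result is an SGID, group-executable file owned by
    TARGET_GID, i.e. a set-group-ID binary the creator could not get via chmod."""
    dir_mode = stat.S_IFDIR | stat.S_ISGID | 0o777
    requested = stat.S_IFREG | stat.S_ISGID | 0o755
    gid, mode = init_owner(dir_mode, TARGET_GID, requested, ATTACKER_GID, caller_groups)
    return gid == TARGET_GID and bool(mode & stat.S_ISGID) and bool(mode & stat.S_IXGRP)


def directory_inherits_group(init_owner, caller_groups=frozenset({ATTACKER_GID})):
    """The intended behaviour, unchanged by the fix: a new subdirectory inherits
    the group and the SGID bit even when the creator is not a member."""
    dir_mode = stat.S_IFDIR | stat.S_ISGID | 0o777
    gid, mode = init_owner(dir_mode, TARGET_GID, stat.S_IFDIR | 0o755,
                           ATTACKER_GID, caller_groups)
    return gid == TARGET_GID and bool(mode & stat.S_ISGID)


if __name__ == "__main__":
    print("vulnerable kernel yields SGID binary:", creates_sgid_binary(init_owner_vulnerable))
    print("fixed kernel yields SGID binary:    ", creates_sgid_binary(init_owner_fixed))
```

The point to take from the model when auditing: the bit has to be present at creation time (an open with O_CREAT and a 02xxx mode), because a later chmod g+s by a non-member is already refused by the VFS. On an unpatched host, SGID directories that are writable by users outside the group are therefore the places to look for SGID executables whose owner is not a member of that group.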
An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used. (CVE-2018-13406)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3754-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('compat.inc');
if (description)
{
script_id(112113);
script_version("1.11");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");
script_cve_id(
"CVE-2016-10208",
"CVE-2017-11472",
"CVE-2017-11473",
"CVE-2017-14991",
"CVE-2017-15649",
"CVE-2017-16526",
"CVE-2017-16527",
"CVE-2017-16529",
"CVE-2017-16531",
"CVE-2017-16532",
"CVE-2017-16533",
"CVE-2017-16535",
"CVE-2017-16536",
"CVE-2017-16537",
"CVE-2017-16538",
"CVE-2017-16643",
"CVE-2017-16644",
"CVE-2017-16645",
"CVE-2017-16650",
"CVE-2017-16911",
"CVE-2017-16912",
"CVE-2017-16913",
"CVE-2017-16914",
"CVE-2017-17558",
"CVE-2017-18255",
"CVE-2017-18270",
"CVE-2017-2583",
"CVE-2017-2584",
"CVE-2017-2671",
"CVE-2017-5549",
"CVE-2017-5897",
"CVE-2017-6345",
"CVE-2017-6348",
"CVE-2017-7518",
"CVE-2017-7645",
"CVE-2017-8831",
"CVE-2017-9984",
"CVE-2017-9985",
"CVE-2018-1000204",
"CVE-2018-10021",
"CVE-2018-10087",
"CVE-2018-10124",
"CVE-2018-10323",
"CVE-2018-10675",
"CVE-2018-10877",
"CVE-2018-10881",
"CVE-2018-1092",
"CVE-2018-1093",
"CVE-2018-10940",
"CVE-2018-12233",
"CVE-2018-13094",
"CVE-2018-13405",
"CVE-2018-13406"
);
script_xref(name:"USN", value:"3754-1");
script_name(english:"Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-3754-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3754-1 advisory.
- The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly
validate meta block groups, which allows physically proximate attackers to cause a denial of service (out-
of-bounds read and system crash) via a crafted ext4 image. (CVE-2016-10208)
- The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in the Linux kernel before 4.12 does not
flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive
information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a
crafted ACPI table. (CVE-2017-11472)
- Buffer overflow in the mp_override_legacy_irq() function in arch/x86/kernel/acpi/boot.c in the Linux
kernel through 3.2 allows local users to gain privileges via a crafted ACPI table. (CVE-2017-11473)
- The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain
sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl
call for /dev/sg0. (CVE-2017-14991)
- net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted
system calls that trigger mishandling of packet_fanout data structures, because of a race condition
(involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than
CVE-2017-6346. (CVE-2017-15649)
- drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local users to cause a denial of service
(general protection fault and system crash) or possibly have unspecified other impact via a crafted USB
device. (CVE-2017-16526)
- sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users to cause a denial of service
(snd_usb_mixer_interrupt use-after-free and system crash) or possibly have unspecified other impact via a
crafted USB device. (CVE-2017-16527)
- The snd_usb_create_streams function in sound/usb/card.c in the Linux kernel before 4.13.6 allows local
users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified
other impact via a crafted USB device. (CVE-2017-16529)
- drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows local users to cause a denial of
service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB
device, related to the USB_DT_INTERFACE_ASSOCIATION descriptor. (CVE-2017-16531)
- The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local
users to cause a denial of service (NULL pointer dereference and system crash) or possibly have
unspecified other impact via a crafted USB device. (CVE-2017-16532)
- The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linux kernel before 4.13.8 allows local
users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified
other impact via a crafted USB device. (CVE-2017-16533)
- The usb_get_bos_descriptor function in drivers/usb/core/config.c in the Linux kernel before 4.13.10 allows
local users to cause a denial of service (out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device. (CVE-2017-16535)
- The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact via a crafted USB device. (CVE-2017-16536)
- The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users
to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified
other impact via a crafted USB device. (CVE-2017-16537)
- drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.13.11 allows local users to cause a
denial of service (general protection fault and system crash) or possibly have unspecified other impact
via a crafted USB device, related to a missing warm-start check and incorrect attach timing
(dm04_lme2510_frontend_attach versus dm04_lme2510_tuner). (CVE-2017-16538)
- The parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11
allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have
unspecified other impact via a crafted USB device. (CVE-2017-16643)
- The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in the Linux kernel through 4.13.11
allows local users to cause a denial of service (improper error handling and system crash) or possibly
have unspecified other impact via a crafted USB device. (CVE-2017-16644)
- The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through
4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and
system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16645)
- The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local
users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified
other impact via a crafted USB device. (CVE-2017-16650)
- The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4.114 allows local attackers to
disclose kernel memory addresses. Successful exploitation requires that a USB device is attached over IP.
(CVE-2017-16911)
- The get_pipe() function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version 4.14.8, 4.9.71,
and 4.4.114 allows attackers to cause a denial of service (out-of-bounds read) via a specially crafted USB
over IP packet. (CVE-2017-16912)
- The stub_recv_cmd_submit() function (drivers/usb/usbip/stub_rx.c) in the Linux Kernel before version
4.14.8, 4.9.71, and 4.4.114 when handling CMD_SUBMIT packets allows attackers to cause a denial of service
(arbitrary memory allocation) via a specially crafted USB over IP packet. (CVE-2017-16913)
- The stub_send_ret_submit() function (drivers/usb/usbip/stub_tx.c) in the Linux Kernel before version
4.14.8, 4.9.71, 4.1.49, and 4.4.107 allows attackers to cause a denial of service (NULL pointer
dereference) via a specially crafted USB over IP packet. (CVE-2017-16914)
- The usb_destroy_configuration function in drivers/usb/core/config.c in the USB core subsystem in the Linux
kernel through 4.14.5 does not consider the maximum number of configurations and interfaces before
attempting to release resources, which allows local users to cause a denial of service (out-of-bounds
write access) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-17558)
- The perf_cpu_time_max_percent_handler function in kernel/events/core.c in the Linux kernel before 4.11
allows local users to cause a denial of service (integer overflow) or possibly have unspecified other
impact via a large value, as demonstrated by an incorrect sample-rate calculation. (CVE-2017-18255)
- In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands,
setting unwanted defaults or causing a denial of service. (CVE-2017-18270)
- The load_segment_descriptor implementation in arch/x86/kvm/emulate.c in the Linux kernel before 4.9.5
improperly emulates a MOV SS, NULL selector instruction, which allows guest OS users to cause a denial
of service (guest OS crash) or gain guest OS privileges via a crafted application. (CVE-2017-2583)
- arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local users to obtain sensitive
information from kernel memory or cause a denial of service (use-after-free) via a crafted application
that leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt. (CVE-2017-2584)
- The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a
certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local
users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a
socket system call. (CVE-2017-2671)
- The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105.c in the Linux kernel before 4.9.5
places uninitialized heap-memory contents into a log entry upon a failure to read the line status, which
allows local users to obtain sensitive information by reading the log. (CVE-2017-5549)
- The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have
unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds
access. (CVE-2017-5897)
- The LLC subsystem in the Linux kernel before 4.9.13 does not ensure that a certain destructor exists in
required circumstances, which allows local users to cause a denial of service (BUG_ON) or possibly have
unspecified other impact via crafted system calls. (CVE-2017-6345)
- The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages
lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on
IrDA devices. (CVE-2017-6348)
- A flaw was found in the Linux kernel before version 4.12 in the way the KVM module processed the trap
flag (TF) bit in EFLAGS during emulation of the syscall instruction, which leads to a debug exception (#DB)
being raised in the guest stack. A user/process inside a guest could use this flaw to potentially escalate
their privileges inside the guest. Linux guests are not affected by this. (CVE-2017-7518)
- The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel through 4.10.11 allows remote attackers
to cause a denial of service (system crash) via a long RPC reply, related to net/sunrpc/svc.c,
fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. (CVE-2017-7645)
- The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel through 4.11.5
allows local users to cause a denial of service (out-of-bounds array access) or possibly have unspecified
other impact by changing a certain sequence-number value, aka a double fetch vulnerability.
(CVE-2017-8831)
- The snd_msnd_interrupt function in sound/isa/msnd/msnd_pinnacle.c in the Linux kernel through 4.11.7
allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other
impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a
double fetch vulnerability. (CVE-2017-9984)
- The snd_msndmidi_input_read function in sound/isa/msnd/msnd_midi.c in the Linux kernel through 4.11.7
allows local users to cause a denial of service (over-boundary access) or possibly have unspecified other
impact by changing the value of a message queue head pointer between two kernel reads of that value, aka a
double fetch vulnerability. (CVE-2017-9985)
- Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with
dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel
heap pages to the userspace. This has been fixed upstream in
https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has
limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the
Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties
dispute the relevance of this report, noting that the requirement for an attacker to have both the
CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it virtually impossible to exploit. (CVE-2018-1000204)
- drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel before 4.16 allows local users to cause a denial
of service (ata qc leak) by triggering certain failure conditions. NOTE: a third party disputes the
relevance of this report because the failure can only occur for physically proximate attackers who unplug
SAS Host Bus Adapter cables. (CVE-2018-10021)
- The kernel_wait4 function in kernel/exit.c in the Linux kernel before 4.13, when an unspecified
architecture and compiler is used, might allow local users to cause a denial of service by triggering an
attempted use of the -INT_MIN value. (CVE-2018-10087)
- The kill_something_info function in kernel/signal.c in the Linux kernel before 4.13, when an unspecified
architecture and compiler is used, might allow local users to cause a denial of service via an INT_MIN
argument. (CVE-2018-10124)
- The xfs_bmap_extents_to_btree function in fs/xfs/libxfs/xfs_bmap.c in the Linux kernel through 4.16.3
allows local users to cause a denial of service (xfs_bmapi_write NULL pointer dereference) via a crafted
xfs image. (CVE-2018-10323)
- The do_get_mempolicy function in mm/mempolicy.c in the Linux kernel before 4.12.9 allows local users to
cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system
calls. (CVE-2018-10675)
- The Linux kernel's ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function
when operating on a crafted ext4 filesystem image. (CVE-2018-10877)
- A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound access in
ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a
crafted ext4 filesystem image. (CVE-2018-10881)
- The ext4_iget function in fs/ext4/inode.c in the Linux kernel through 4.15.15 mishandles the case of a
root directory with a zero i_links_count, which allows attackers to cause a denial of service
(ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted ext4 image. (CVE-2018-1092)
- The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel through 4.15.15 allows
attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image
because balloc.c and ialloc.c do not validate bitmap block numbers. (CVE-2018-1093)
- The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows
local attackers to use an incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out
kernel memory. (CVE-2018-10940)
- In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in
JFS can be triggered by calling setxattr twice with two different extended attribute names on the same
file. This vulnerability can be triggered by an unprivileged user with the ability to create files and
execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.
(CVE-2018-12233)
- An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel through 4.17.3. An OOPS may
occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. (CVE-2018-13094)
- The inode_init_owner function in fs/inode.c in the Linux kernel through 3.16 allows local users to create
files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and
is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a
plain file whose group ownership is that group. The intended behavior was that the non-member can trigger
creation of a directory (but not a plain file) whose group ownership is that group. The non-member can
escalate privileges by making the plain file executable and SGID. (CVE-2018-13405)
- An integer overflow in the uvesafb_setcmap function in drivers/video/fbdev/uvesafb.c in the Linux kernel
before 4.17.4 could result in local attackers being able to crash the kernel or potentially elevate
privileges because kmalloc_array is not used. (CVE-2018-13406)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3754-1");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5897");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/15");
script_set_attribute(attribute:"patch_publication_date", value:"2018/08/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/24");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-generic");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-generic-lpae");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-lowlatency");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-powerpc-e500");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-powerpc-e500mc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-powerpc-smp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-powerpc64-emb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-powerpc64-smp");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '14.04': {
    '3.13.0': {
      'generic': '3.13.0-157',
      'generic-lpae': '3.13.0-157',
      'lowlatency': '3.13.0-157',
      'powerpc-e500': '3.13.0-157',
      'powerpc-e500mc': '3.13.0-157',
      'powerpc-smp': '3.13.0-157',
      'powerpc64-emb': '3.13.0-157',
      'powerpc64-smp': '3.13.0-157'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3754-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2016-10208', 'CVE-2017-2583', 'CVE-2017-2584', 'CVE-2017-2671', 'CVE-2017-5549', 'CVE-2017-5897', 'CVE-2017-6345', 'CVE-2017-6348', 'CVE-2017-7518', 'CVE-2017-7645', 'CVE-2017-8831', 'CVE-2017-9984', 'CVE-2017-9985', 'CVE-2017-11472', 'CVE-2017-11473', 'CVE-2017-14991', 'CVE-2017-15649', 'CVE-2017-16526', 'CVE-2017-16527', 'CVE-2017-16529', 'CVE-2017-16531', 'CVE-2017-16532', 'CVE-2017-16533', 'CVE-2017-16535', 'CVE-2017-16536', 'CVE-2017-16537', 'CVE-2017-16538', 'CVE-2017-16643', 'CVE-2017-16644', 'CVE-2017-16645', 'CVE-2017-16650', 'CVE-2017-16911', 'CVE-2017-16912', 'CVE-2017-16913', 'CVE-2017-16914', 'CVE-2017-17558', 'CVE-2017-18255', 'CVE-2017-18270', 'CVE-2018-1092', 'CVE-2018-1093', 'CVE-2018-10021', 'CVE-2018-10087', 'CVE-2018-10124', 'CVE-2018-10323', 'CVE-2018-10675', 'CVE-2018-10877', 'CVE-2018-10881', 'CVE-2018-10940', 'CVE-2018-12233', 'CVE-2018-13094', 'CVE-2018-13405', 'CVE-2018-13406', 'CVE-2018-1000204');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3754-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}

if (extra) {
  security_report_v4(
    port     : 0,
    severity : SECURITY_HOLE,
    extra    : extra
  );
  exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | linux-image-3.13.0-157-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-generic |
canonical | ubuntu_linux | linux-image-3.13.0-157-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-generic-lpae |
canonical | ubuntu_linux | linux-image-3.13.0-157-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-lowlatency |
canonical | ubuntu_linux | linux-image-3.13.0-157-powerpc-e500 | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-powerpc-e500 |
canonical | ubuntu_linux | linux-image-3.13.0-157-powerpc-e500mc | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-powerpc-e500mc |
canonical | ubuntu_linux | linux-image-3.13.0-157-powerpc-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-powerpc-smp |
canonical | ubuntu_linux | linux-image-3.13.0-157-powerpc64-emb | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-powerpc64-emb |
canonical | ubuntu_linux | linux-image-3.13.0-157-powerpc64-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-157-powerpc64-smp |
canonical | ubuntu_linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04:-:lts |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10208
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11472
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11473
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14991
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15649
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16526
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16527
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16529
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16531
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16532
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16533
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16535
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16536
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16537
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16538
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16643
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16644
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16645
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16650
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16911
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16912
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16913
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16914
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17558
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18255
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18270
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2583
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2584
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2671
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5549
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5897
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6345
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6348
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7518
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7645
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8831
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9984
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9985
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000204
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10021
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10087
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10124
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10323
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10675
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10877
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10881
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1092
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1093
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10940
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12233
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13094
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13405
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13406
ubuntu.com/security/notices/USN-3754-1