Lucene search
Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-3836-2.NASLHistoryDec 04, 2018 - 12:00 a.m.
Ubuntu 16.04 LTS : Linux kernel (HWE) vulnerabilities (USN-3836-2)
2018-12-0400:00:00
Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
20
5.9 Medium
AI Score
Confidence
Low
The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3836-2 advisory.
-
In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
(CVE-2018-18955) -
The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows local users to obtain names of files in which they would not normally be able to access via an overlayfs mount inside of a user namespace. (CVE-2018-6559)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3836-2. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('compat.inc');
if (description)
{
script_id(119340);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");
script_cve_id("CVE-2018-18955", "CVE-2018-6559");
script_xref(name:"USN", value:"3836-2");
script_name(english:"Ubuntu 16.04 LTS : Linux kernel (HWE) vulnerabilities (USN-3836-2)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3836-2 advisory.
- In the Linux kernel 4.15.x through 4.19.x before 4.19.2, map_write() in kernel/user_namespace.c allows
privilege escalation because it mishandles nested user namespaces with more than 5 UID or GID ranges. A
user who has CAP_SYS_ADMIN in an affected user namespace can bypass access controls on resources outside
the namespace, as demonstrated by reading /etc/shadow. This occurs because an ID transformation takes
place properly for the namespaced-to-kernel direction but not for the kernel-to-namespaced direction.
(CVE-2018-18955)
- The Linux kernel, as used in Ubuntu 18.04 LTS and Ubuntu 18.10, allows local users to obtain names of
files in which they would not normally be able to access via an overlayfs mount inside of a user
namespace. (CVE-2018-6559)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3836-2");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-18955");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Linux Nested User Namespace idmap Limit Local Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/26");
script_set_attribute(attribute:"patch_publication_date", value:"2018/12/04");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/04");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1025-gcp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-42-generic");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-42-generic-lpae");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-42-lowlatency");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'16.04': {
'4.15.0': {
'generic': '4.15.0-42',
'generic-lpae': '4.15.0-42',
'lowlatency': '4.15.0-42',
'gcp': '4.15.0-1025'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3836-2');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2018-6559', 'CVE-2018-18955');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3836-2');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : extra
);
exit(0);
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| canonical | ubuntu_linux | linux-image-4.15.0-1025-gcp | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1025-gcp |
| canonical | ubuntu_linux | linux-image-4.15.0-42-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-42-generic |
| canonical | ubuntu_linux | linux-image-4.15.0-42-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-42-generic-lpae |
| canonical | ubuntu_linux | linux-image-4.15.0-42-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-42-lowlatency |
| canonical | ubuntu_linux | 16.04 | cpe:/o:canonical:ubuntu_linux:16.04:-:lts |
Related
openvas
openvas
Ubuntu: Security Advisory (USN-3836-1)
2018-12-04 00:00:00
Ubuntu: Security Advisory (USN-3833-1)
2018-12-04 00:00:00
Ubuntu: Security Advisory (USN-3836-2)
2018-12-04 00:00:00
ubuntu
ubuntu
Linux kernel (AWS) vulnerabilities
2018-11-30 00:00:00
Linux kernel vulnerabilities
2018-12-03 00:00:00
Linux kernel (HWE) vulnerabilities
2018-12-04 00:00:00
cloudfoundry
cloudfoundry
USN-3836-2: Linux kernel (HWE) vulnerabilities | Cloud Foundry
2018-12-06 00:00:00
nessus
nessus
Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-3836-1)
2018-12-04 00:00:00
Ubuntu 18.04 LTS : Linux kernel (AWS) vulnerabilities (USN-3833-1)
2018-11-30 00:00:00
zdt
zdt
Linux Kernel 4.15.x < 4.19.2 - map_write() CAP_SYS_ADMIN Local Privilege Escalation (cron Method)
2019-07-26 00:00:00
Linux Kernel 4.15.x < 4.19.2 - map_write() CAP_SYS_ADMIN Local Privilege Escalation (ldpreload)
2019-07-26 00:00:00
Linux - Broken uid/gid Mapping for Nested User Namespaces Exploit
2018-11-16 00:00:00
cve
cve
CVE-2018-18955
2018-11-16 20:29:00
CVE-2018-6559
2018-10-26 17:29:00
exploitpack
exploitpack
packetstorm
packetstorm
Linux Nested User Namespace idmap Limit Local Privilege Escalation
2018-11-28 00:00:00
redhatcve
redhatcve
CVE-2018-18955
2020-04-02 08:59:56
debiancve
debiancve
CVE-2018-18955
2018-11-16 20:29:00
CVE-2018-6559
2018-10-26 17:29:00
ubuntucve
ubuntucve
CVE-2018-18955
2018-11-16 00:00:00
CVE-2018-6559
2018-10-18 00:00:00
prion
prion
Input validation
2018-11-16 20:29:00
Design/Logic Flaw
2018-10-26 17:29:00
f5
f5
K39103040 : Kernel vulnerability CVE-2018-18955
2019-04-08 00:00:00
metasploit
metasploit
Linux Nested User Namespace idmap Limit Local Privilege Escalation
2018-11-20 14:10:28
exploitdb
exploitdb
kitploit
kitploit