Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-3871-4.NASL
HistoryFeb 05, 2019 - 12:00 a.m.

Ubuntu 16.04 LTS : Linux kernel (HWE) vulnerabilities (USN-3871-4)

2019-02-0500:00:00
Ubuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
68

8.1 High

AI Score

Confidence

High

JSON

The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3871-4 advisory.

  • A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (CVE-2018-10876)

  • Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image. (CVE-2018-10877)

  • A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause an out-of-bounds write and a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4 filesystem image. (CVE-2018-10878)

  • A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a file in a crafted ext4 filesystem image. (CVE-2018-10879)

  • Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system crash and a denial of service. (CVE-2018-10880)

  • A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause an out-of-bound write in in fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image. (CVE-2018-10882)

  • A flaw was found in the Linux kernel’s ext4 filesystem. A local user can cause an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image. (CVE-2018-10883)

  • A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel- memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients. (CVE-2018-14625)

  • A use-after-free issue was found in the way the Linux kernel’s KVM hypervisor processed posted interrupts when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while processing posted interrupt address, it unmaps the ‘pi_desc_page’ without resetting ‘pi_desc’ descriptor address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before 4.14.91 and before 4.19.13 are vulnerable. (CVE-2018-16882)

  • An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a local attacker to exploit racy stack unwinding and leak kernel task stack contents. (CVE-2018-17972)

  • Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks.
    If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. This is fixed in the following kernel versions:
    4.9.135, 4.14.78, 4.18.16, 4.19. (CVE-2018-18281)

  • The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized. (CVE-2018-19407)

  • In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-71361580. (CVE-2018-9516)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3871-4. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(121594);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2018-10876",
    "CVE-2018-10877",
    "CVE-2018-10878",
    "CVE-2018-10879",
    "CVE-2018-10880",
    "CVE-2018-10882",
    "CVE-2018-10883",
    "CVE-2018-14625",
    "CVE-2018-16882",
    "CVE-2018-17972",
    "CVE-2018-18281",
    "CVE-2018-19407",
    "CVE-2018-9516"
  );
  script_xref(name:"USN", value:"3871-4");

  script_name(english:"Ubuntu 16.04 LTS : Linux kernel (HWE) vulnerabilities (USN-3871-4)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3871-4 advisory.

  - A flaw was found in Linux kernel in the ext4 filesystem code. A use-after-free is possible in
    ext4_ext_remove_space() function when mounting and operating a crafted ext4 image. (CVE-2018-10876)

  - Linux kernel ext4 filesystem is vulnerable to an out-of-bound access in the ext4_ext_drop_refs() function
    when operating on a crafted ext4 filesystem image. (CVE-2018-10877)

  - A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write and
    a denial of service or unspecified other impact is possible by mounting and operating a crafted ext4
    filesystem image. (CVE-2018-10878)

  - A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause a use-after-free in
    ext4_xattr_set_entry function and a denial of service or unspecified other impact may occur by renaming a
    file in a crafted ext4 filesystem image. (CVE-2018-10879)

  - Linux kernel is vulnerable to a stack-out-of-bounds write in the ext4 filesystem code when mounting and
    writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could use this to cause a system
    crash and a denial of service. (CVE-2018-10880)

  - A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bound write in in
    fs/jbd2/transaction.c code, a denial of service, and a system crash by unmounting a crafted ext4
    filesystem image. (CVE-2018-10882)

  - A flaw was found in the Linux kernel's ext4 filesystem. A local user can cause an out-of-bounds write in
    jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a
    crafted ext4 filesystem image. (CVE-2018-10883)

  - A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-
    memory from within a vm guest. A race condition between connect() and close() function may allow an
    attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt
    AF_VSOCK messages destined to other clients. (CVE-2018-14625)

  - A use-after-free issue was found in the way the Linux kernel's KVM hypervisor processed posted interrupts
    when nested(=1) virtualization is enabled. In nested_get_vmcs12_pages(), in case of an error while
    processing posted interrupt address, it unmaps the 'pi_desc_page' without resetting 'pi_desc' descriptor
    address, which is later used in pi_test_and_clear_on(). A guest user/process could use this flaw to crash
    the host kernel resulting in DoS or potentially gain privileged access to a system. Kernel versions before
    4.14.91 and before 4.19.13 are vulnerable. (CVE-2018-16882)

  - An issue was discovered in the proc_pid_stack function in fs/proc/base.c in the Linux kernel through
    4.18.11. It does not ensure that only root may inspect the kernel stack of an arbitrary task, allowing a
    local attacker to exploit racy stack unwinding and leak kernel task stack contents. (CVE-2018-17972)

  - Since Linux kernel version 3.2, the mremap() syscall performs TLB flushes after dropping pagetable locks.
    If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of
    mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it
    has been released back to the page allocator and reused. This is fixed in the following kernel versions:
    4.9.135, 4.14.78, 4.18.16, 4.19. (CVE-2018-18281)

  - The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users
    to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a
    situation where ioapic is uninitialized. (CVE-2018-19407)

  - In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a
    missing bounds check. This could lead to local escalation of privilege with System execution privileges
    needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android
    ID: A-71361580. (CVE-2018-9516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3871-4");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9516");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-16882");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/02/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1027-gcp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1032-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-45-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-45-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-45-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '16.04': {
    '4.15.0': {
      'generic': '4.15.0-45',
      'generic-lpae': '4.15.0-45',
      'lowlatency': '4.15.0-45',
      'gcp': '4.15.0-1027',
      'aws': '4.15.0-1032'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3871-4');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2018-9516', 'CVE-2018-10876', 'CVE-2018-10877', 'CVE-2018-10878', 'CVE-2018-10879', 'CVE-2018-10880', 'CVE-2018-10882', 'CVE-2018-10883', 'CVE-2018-14625', 'CVE-2018-16882', 'CVE-2018-17972', 'CVE-2018-18281', 'CVE-2018-19407');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3871-4');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
VendorProductVersionCPE
canonicalubuntu_linuxlinux-image-4.15.0-1027-gcpp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1027-gcp
canonicalubuntu_linuxlinux-image-4.15.0-1032-awsp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1032-aws
canonicalubuntu_linuxlinux-image-4.15.0-45-genericp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-45-generic
canonicalubuntu_linuxlinux-image-4.15.0-45-generic-lpaep-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-45-generic-lpae
canonicalubuntu_linuxlinux-image-4.15.0-45-lowlatencyp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-45-lowlatency
canonicalubuntu_linux16.04cpe:/o:canonical:ubuntu_linux:16.04:-:lts

Related

openvas 30
cloudfoundry 3
nessus 47
ubuntu 15
altlinux 1
suse 3
oraclelinux 7
ubuntucve 12
mageia 3
debian 1
prion 12
redhatcve 12
veracode 7
f5 6
debiancve 12
cve 13
photon 3
osv 1
fedora 9
packetstorm 1
googleprojectzero 1
openvas
openvas
Ubuntu Update for linux-azure USN-3871-5
2019-02-08 00:00:00
Ubuntu Update for linux-aws-hwe USN-3871-4
2019-02-05 00:00:00
Ubuntu Update for linux USN-3871-2
2019-02-05 00:00:00
cloudfoundry
cloudfoundry
USN-3871-4: Linux kernel (HWE) vulnerabilities | Cloud Foundry
2019-02-15 00:00:00
USN-3753-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry
2018-09-11 00:00:00
USN-3879-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry
2019-02-15 00:00:00
nessus
nessus
Ubuntu 18.04 LTS : Linux kernel (AWS, GCP, KVM, OEM, Raspberry Pi 2) vulnerabilities (USN-3871-3)
2019-02-05 00:00:00
Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Linux kernel (Azure) vulnerabilities (USN-3871-5)
2019-02-08 00:00:00
Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-3871-1)
2019-01-30 00:00:00
ubuntu
ubuntu
Linux kernel regression
2019-01-31 00:00:00
Linux kernel (AWS, GCP, KVM, OEM, Raspberry Pi 2) vulnerabilities
2019-02-04 00:00:00
Linux kernel vulnerabilities
2019-01-29 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 8 package kernel-image-std-pae version 1:4.4.140-alt0.M80P.1
2018-07-16 00:00:00
suse
suse
Security update for the Linux Kernel (important)
2018-08-17 12:32:52
Security update for the Linux Kernel (important)
2018-08-17 12:20:07
Security update for the Linux Kernel (important)
2018-12-15 00:15:13
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2019-04-09 00:00:00
Unbreakable Enterprise kernel security update
2019-04-08 00:00:00
Unbreakable Enterprise kernel security update
2019-03-12 00:00:00
ubuntucve
ubuntucve
CVE-2018-10879
2018-07-26 00:00:00
CVE-2018-10880
2018-07-25 00:00:00
CVE-2018-10877
2018-07-18 00:00:00
mageia
mageia
Updated kernel packages fixes security vulnerabilities
2018-07-25 11:24:17
Updated kernel-tmb packages fix security vulnerabilities
2018-08-15 18:45:26
Updated kernel-linus packages fix security vulnerabilities
2018-08-15 18:45:26
debian
debian
[SECURITY] [DLA 1423-1] linux-4.9 new package
2018-07-18 15:37:11
prion
prion
Design/Logic Flaw
2018-07-27 18:29:00
Stack overflow
2018-07-25 13:29:00
Design/Logic Flaw
2019-01-03 16:29:00
redhatcve
redhatcve
CVE-2018-10880
2018-06-29 18:49:42
CVE-2018-16882
2020-04-04 05:14:32
CVE-2018-10883
2019-10-21 06:03:23
veracode
veracode
Memory Corruption
2019-05-16 03:18:35
Memory Corruption
2019-05-16 03:18:34
Denial Of Service (DoS)
2019-08-08 00:07:15
f5
f5
K80557033 : Linux kernel vulnerability CVE-2018-16882
2019-04-21 00:00:00
K36462841 : Linux kernel vulnerability CVE-2018-18281
2022-07-08 00:00:00
K12915342 : Linux kernel vulnerability CVE-2018-14625
2019-01-31 00:00:00
debiancve
debiancve
CVE-2018-16882
2019-01-03 16:29:00
CVE-2018-10882
2018-07-27 18:29:00
CVE-2018-10880
2018-07-25 13:29:00
cve
cve
CVE-2018-16882
2019-01-03 16:29:00
CVE-2018-10882
2018-07-27 18:29:00
CVE-2018-10880
2018-07-25 13:29:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2019-2.0-0138
2019-03-05 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-1.0-0188
2018-09-26 00:00:00
Important Photon OS Security Update - PHSA-2018-0165
2018-07-16 00:00:00
osv
osv
linux-4.9 - security update
2018-07-14 00:00:00
fedora
fedora
[SECURITY] Fedora 29 Update: kernel-headers-4.19.9-300.fc29
2018-12-18 03:07:10
[SECURITY] Fedora 29 Update: kernel-4.19.9-300.fc29
2018-12-18 03:07:10
[SECURITY] Fedora 29 Update: kernel-4.18.13-300.fc29
2018-10-30 17:45:14
packetstorm
packetstorm
Linux mremap() TLB Flush Too Late
2018-10-29 00:00:00
googleprojectzero
googleprojectzero
Mitigations are attack surface, too
2020-02-12 00:00:00

8.1 High

AI Score

Confidence

High

JSON
Related for UBUNTU_USN-3871-4.NASL
openvas30cloudfoundry3nessus47ubuntu15altlinux1suse3oraclelinux7ubuntucve12mageia3debian1prion12redhatcve12veracode7f56debiancve12cve13photon3osv1fedora9packetstorm1googleprojectzero1