Lucene search

K
nessusUbuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-3932-1.NASL
HistoryApr 03, 2019 - 12:00 a.m.

Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-3932-1)

2019-04-0300:00:00
Ubuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
29

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

7.2 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.036 Low

EPSS

Percentile

91.6%

The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3932-1 advisory.

  • The add_free_nid function in fs/f2fs/node.c in the Linux kernel before 4.12 does not properly track an allocated nid, which allows local users to cause a denial of service (race condition) or possibly have unspecified other impact via concurrent threads. (CVE-2017-18249)

  • An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3. There is an out-of-bounds read or a divide-by-zero error for an incorrect user_block_count in a corrupted f2fs image, leading to a denial of service (BUG). (CVE-2018-13097)

  • An issue was discovered in fs/f2fs/inline.c in the Linux kernel through 4.4. A denial of service (out-of- bounds memory access and BUG) can occur for a modified f2fs filesystem image in which an inline inode contains an invalid reserved blkaddr. (CVE-2018-13099)

  • An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3, which does not properly validate secs_per_zone in a corrupted f2fs image, as demonstrated by a divide-by-zero error.
    (CVE-2018-13100)

  • An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in fs/btrfs/extent-tree.c. (CVE-2018-14610)

  • An issue was discovered in the Linux kernel through 4.17.10. There is a use-after-free in try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in btrfs_check_chunk_valid in fs/btrfs/volumes.c. (CVE-2018-14611)

  • An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in check_leaf in fs/btrfs/tree-checker.c. (CVE-2018-14612)

  • An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c. (CVE-2018-14613)

  • An issue was discovered in the Linux kernel through 4.17.10. There is an out-of-bounds access in
    __remove_dirty_segment() in fs/f2fs/segment.c when mounting an f2fs image. (CVE-2018-14614)

  • An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference in fscrypt_do_page_crypto() in fs/crypto/crypto.c when operating on a file in a corrupted f2fs image.
    (CVE-2018-14616)

  • A flaw was found in the Linux kernelโ€™s NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after- free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2018-16884)

  • In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. (CVE-2018-9517)

  • A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1. (CVE-2019-3459)

  • A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1. (CVE-2019-3460)

  • An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field.
    The privileged user root with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size. In combination with a configured checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controllerโ€™s I/O memory when processing can-gw manipulated outgoing frames.
    (CVE-2019-3701)

  • A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user (root) can cause a system lock up and a denial of service. Versions from v4.18 and newer are vulnerable. (CVE-2019-3819)

  • In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free. (CVE-2019-6974)

  • The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free. (CVE-2019-7221)

  • The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. (CVE-2019-7222)

  • In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task. (CVE-2019-9213)

Note that Nessus has not tested for these issues but has instead relied only on the applicationโ€™s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3932-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(123680);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2017-18249",
    "CVE-2018-13097",
    "CVE-2018-13099",
    "CVE-2018-13100",
    "CVE-2018-14610",
    "CVE-2018-14611",
    "CVE-2018-14612",
    "CVE-2018-14613",
    "CVE-2018-14614",
    "CVE-2018-14616",
    "CVE-2018-16884",
    "CVE-2018-9517",
    "CVE-2019-3459",
    "CVE-2019-3460",
    "CVE-2019-3701",
    "CVE-2019-3819",
    "CVE-2019-6974",
    "CVE-2019-7221",
    "CVE-2019-7222",
    "CVE-2019-9213"
  );
  script_xref(name:"USN", value:"3932-1");

  script_name(english:"Ubuntu 16.04 LTS : Linux kernel vulnerabilities (USN-3932-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3932-1 advisory.

  - The add_free_nid function in fs/f2fs/node.c in the Linux kernel before 4.12 does not properly track an
    allocated nid, which allows local users to cause a denial of service (race condition) or possibly have
    unspecified other impact via concurrent threads. (CVE-2017-18249)

  - An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3. There is an out-of-bounds
    read or a divide-by-zero error for an incorrect user_block_count in a corrupted f2fs image, leading to a
    denial of service (BUG). (CVE-2018-13097)

  - An issue was discovered in fs/f2fs/inline.c in the Linux kernel through 4.4. A denial of service (out-of-
    bounds memory access and BUG) can occur for a modified f2fs filesystem image in which an inline inode
    contains an invalid reserved blkaddr. (CVE-2018-13099)

  - An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3, which does not properly
    validate secs_per_zone in a corrupted f2fs image, as demonstrated by a divide-by-zero error.
    (CVE-2018-13100)

  - An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in
    write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification
    that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in
    fs/btrfs/extent-tree.c. (CVE-2018-14610)

  - An issue was discovered in the Linux kernel through 4.17.10. There is a use-after-free in
    try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in
    btrfs_check_chunk_valid in fs/btrfs/volumes.c. (CVE-2018-14611)

  - An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in
    btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping
    validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in
    check_leaf in fs/btrfs/tree-checker.c. (CVE-2018-14612)

  - An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in
    io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item
    validation in check_leaf_item in fs/btrfs/tree-checker.c. (CVE-2018-14613)

  - An issue was discovered in the Linux kernel through 4.17.10. There is an out-of-bounds access in
    __remove_dirty_segment() in fs/f2fs/segment.c when mounting an f2fs image. (CVE-2018-14614)

  - An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference in
    fscrypt_do_page_crypto() in fs/crypto/crypto.c when operating on a file in a corrupted f2fs image.
    (CVE-2018-14616)

  - A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+ shares mounted in different network
    namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-
    free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system
    panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2018-16884)

  - In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local
    escalation of privilege with System execution privileges needed. User interaction is not needed for
    exploitation. Product: Android. Versions: Android kernel. Android ID: A-38159931. (CVE-2018-9517)

  - A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before
    5.1-rc1. (CVE-2019-3459)

  - A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel
    before 5.1-rc1. (CVE-2019-3460)

  - An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN
    frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field.
    The privileged user root with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data
    length code a higher value than the available CAN frame data size. In combination with a configured
    checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel)
    the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a
    system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data
    registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames.
    (CVE-2019-3701)

  - A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c
    file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged
    user (root) can cause a system lock up and a denial of service. Versions from v4.18 and newer are
    vulnerable. (CVE-2019-3819)

  - In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference
    counting because of a race condition, leading to a use-after-free. (CVE-2019-6974)

  - The KVM implementation in the Linux kernel through 4.20.5 has a Use-after-Free. (CVE-2019-7221)

  - The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. (CVE-2019-7222)

  - In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum
    address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP
    platforms. This is related to a capability check for the wrong task. (CVE-2019-9213)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3932-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9517");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-6974");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/04/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1043-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1079-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1106-raspi2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1110-snapdragon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-lowlatency");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-powerpc-e500mc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-powerpc-smp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-powerpc64-emb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-powerpc64-smp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '16.04': {
    '4.4.0': {
      'generic': '4.4.0-145',
      'generic-lpae': '4.4.0-145',
      'lowlatency': '4.4.0-145',
      'powerpc-e500mc': '4.4.0-145',
      'powerpc-smp': '4.4.0-145',
      'powerpc64-emb': '4.4.0-145',
      'powerpc64-smp': '4.4.0-145',
      'kvm': '4.4.0-1043',
      'aws': '4.4.0-1079',
      'raspi2': '4.4.0-1106',
      'snapdragon': '4.4.0-1110'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3932-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2017-18249', 'CVE-2018-9517', 'CVE-2018-13097', 'CVE-2018-13099', 'CVE-2018-13100', 'CVE-2018-14610', 'CVE-2018-14611', 'CVE-2018-14612', 'CVE-2018-14613', 'CVE-2018-14614', 'CVE-2018-14616', 'CVE-2018-16884', 'CVE-2019-3459', 'CVE-2019-3460', 'CVE-2019-3701', 'CVE-2019-3819', 'CVE-2019-6974', 'CVE-2019-7221', 'CVE-2019-7222', 'CVE-2019-9213');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3932-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
VendorProductVersionCPE
canonicalubuntu_linuxlinux-image-4.4.0-1043-kvmp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1043-kvm
canonicalubuntu_linuxlinux-image-4.4.0-1079-awsp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1079-aws
canonicalubuntu_linuxlinux-image-4.4.0-1106-raspi2p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1106-raspi2
canonicalubuntu_linuxlinux-image-4.4.0-1110-snapdragonp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1110-snapdragon
canonicalubuntu_linuxlinux-image-4.4.0-145-genericp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-generic
canonicalubuntu_linuxlinux-image-4.4.0-145-generic-lpaep-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-generic-lpae
canonicalubuntu_linuxlinux-image-4.4.0-145-lowlatencyp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-lowlatency
canonicalubuntu_linuxlinux-image-4.4.0-145-powerpc-e500mcp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-powerpc-e500mc
canonicalubuntu_linuxlinux-image-4.4.0-145-powerpc-smpp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-powerpc-smp
canonicalubuntu_linuxlinux-image-4.4.0-145-powerpc64-embp-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-145-powerpc64-emb
Rows per page:
1-10 of 121

References

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

7.2 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.036 Low

EPSS

Percentile

91.6%