The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-3933-1 advisory.
The Linux kernel version 3.3-rc1 and later is affected by a vulnerability that lies in the processing of incoming L2CAP commands, the ConfigRequest and ConfigResponse messages. This info leak is a result of uninitialized stack variables that may be returned to an attacker in their uninitialized state. By manipulating the code flows that precede the handling of these configuration messages, an attacker can also gain some control over which data will be held in the uninitialized stack variables. This can allow an attacker to bypass KASLR and stack canary protection, as both pointers and stack canaries may be leaked in this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels built with the above mitigations. These are the specifics of this vulnerability: in the functions l2cap_parse_conf_rsp and l2cap_parse_conf_req the following variable is declared without initialization:
struct l2cap_conf_efs efs;
In addition, when parsing input configuration parameters in both of these functions, the switch case for handling EFS elements may skip the memcpy call that writes to the efs variable:
... case L2CAP_CONF_EFS: if (olen == sizeof(efs)) memcpy(&efs, (void *)val, olen); ...
The olen in the above if is attacker controlled, and regardless of that if, in both of these functions the efs variable is eventually added to the outgoing configuration request that is being built:
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs);
So by sending a configuration request or response that contains an L2CAP_CONF_EFS element whose element length is not sizeof(efs), the memcpy to the uninitialized efs variable is avoided, and the uninitialized variable (16 bytes) is returned to the attacker. (CVE-2017-1000410)
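The code path described above, as an added example that is not part of the advisory, the kernel or the plugin: a user-space C model of the EFS option handling, with the vulnerable and the fixed shape selected by a flag. The option type value 0x06, the 16-byte struct l2cap_conf_efs layout and the helper names follow the L2CAP spec and the kernel; struct conf_out, pkt_short_efs and pkt_full_efs are this example's own constructed scaffolding, and the "fixed" branch reproduces the shape of the upstream fix (only treat an EFS as received when a full-size one was copied) plus a defensive memset, not the kernel patch verbatim.

```c
/* Added example, not kernel code and not from the advisory: a user-space model of the
 * EFS option handling in l2cap_parse_conf_req()/l2cap_parse_conf_rsp() described for
 * CVE-2017-1000410. Option type, struct layout and helper names follow the L2CAP spec
 * and the kernel; the scaffolding around them is this example's own (assumed). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_CONF_EFS  0x06   /* Extended Flow Specification option */
#define L2CAP_CONF_HINT 0x80   /* option may be skipped if not understood */

/* 16 bytes on the wire: the "16 bytes" the advisory says leak. */
struct l2cap_conf_efs {
    uint8_t  id;
    uint8_t  stype;
    uint16_t msdu;
    uint32_t sdu_itime;
    uint32_t acc_lat;
    uint32_t flush_to;
} __attribute__((packed));

/* Response being built: stands in for the kernel's rsp buffer and ptr cursor. */
struct conf_out { uint8_t buf[64]; uint8_t *ptr; };

/* Constructed packets (not captured traffic): EFS with a wrong (8) and a right (16) length. */
const uint8_t pkt_short_efs[] = { L2CAP_CONF_EFS, 8, 1, 2, 3, 4, 5, 6, 7, 8 };
const uint8_t pkt_full_efs[]  = { L2CAP_CONF_EFS, 16, 1, 2, 3, 4, 5, 6, 7, 8,
                                  9, 10, 11, 12, 13, 14, 15, 16 };

/* Read one type/length/value option; returns bytes consumed, 0 when done or truncated. */
static size_t get_conf_opt(const uint8_t *p, size_t rem, uint8_t *type,
                           uint8_t *olen, const uint8_t **val)
{
    if (rem < 2 || rem < (size_t)2 + p[1])
        return 0;
    *type = p[0];
    *olen = p[1];
    *val  = p + 2;
    return (size_t)2 + *olen;
}

/* Append one option to the response, bounds-checked against the buffer. */
static void add_conf_opt(struct conf_out *o, uint8_t type, uint8_t len, const void *val)
{
    if ((size_t)(o->ptr - o->buf) + 2 + len > sizeof o->buf)
        return;
    o->ptr[0] = type;
    o->ptr[1] = len;
    memcpy(o->ptr + 2, val, len);
    o->ptr += 2 + len;
}

/* fixed == 0: the vulnerable shape. remote_efs is set before the length check, so a
 * short EFS option skips the memcpy yet the never-written efs is still echoed back.
 * fixed == 1: the flag is only set once a full-size EFS was copied (the shape of the
 * upstream fix) and efs is zeroed up front as belt and braces.
 * Returns the number of response bytes produced. */
int parse_conf(const uint8_t *in, size_t inlen, struct conf_out *out, int fixed)
{
    struct l2cap_conf_efs efs;          /* stays uninitialised when !fixed, as in the bug */
    int remote_efs = 0;
    uint8_t type, olen;
    const uint8_t *val;
    size_t n;

    if (fixed)
        memset(&efs, 0, sizeof efs);
    out->ptr = out->buf;
    while ((n = get_conf_opt(in, inlen, &type, &olen, &val)) > 0) {
        in += n;
        inlen -= n;
        switch (type & ~L2CAP_CONF_HINT) {
        case L2CAP_CONF_EFS:
            if (!fixed)
                remote_efs = 1;             /* BUG: accepted regardless of olen */
            if (olen == sizeof efs) {
                remote_efs = 1;
                memcpy(&efs, val, olen);    /* the only write to efs */
            }
            break;
        default:
            break;                          /* MTU, RFC, FCS ... not modelled here */
        }
    }
    if (remote_efs)
        add_conf_opt(out, L2CAP_CONF_EFS, sizeof efs, &efs);
    return (int)(out->ptr - out->buf);
}

int main(void)
{
    struct conf_out o;
    int n = parse_conf(pkt_short_efs, sizeof pkt_short_efs, &o, 0);

    printf("vulnerable: %d response bytes, EFS payload =", n);
    for (int i = 2; i < n; i++)
        printf(" %02x", o.buf[i]);          /* whatever the stack slot held */
    printf("\nfixed: %d response bytes\n",
           parse_conf(pkt_short_efs, sizeof pkt_short_efs, &o, 1));
    return 0;
}
```

What the vulnerable path prints as the EFS payload is whatever the compiler left in that stack slot, which varies with build flags and prior calls; the stable property, and the one the fixed path removes, is that 16 bytes are emitted that never came from the packet. In the kernel that slot holds leftovers from earlier Bluetooth code paths, which is where the pointers and canaries the advisory mentions come from.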
In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates. (CVE-2017-18360)
In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c. (CVE-2018-19824)
A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before 5.1-rc1. (CVE-2019-3459)
A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel before 5.1-rc1. (CVE-2019-3460)
In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free. (CVE-2019-6974)
The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. (CVE-2019-7222)
In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP platforms. This is related to a capability check for the wrong task. (CVE-2019-9213)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3933-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('compat.inc');
if (description)
{
script_id(123682);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");
script_cve_id(
"CVE-2017-1000410",
"CVE-2017-18360",
"CVE-2018-19824",
"CVE-2019-3459",
"CVE-2019-3460",
"CVE-2019-6974",
"CVE-2019-7222",
"CVE-2019-9213"
);
script_xref(name:"USN", value:"3933-1");
script_name(english:"Ubuntu 14.04 LTS : Linux kernel vulnerabilities (USN-3933-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-3933-1 advisory.
- The Linux kernel version 3.3-rc1 and later is affected by a vulnerability lies in the processing of
incoming L2CAP commands - ConfigRequest, and ConfigResponse messages. This info leak is a result of
uninitialized stack variables that may be returned to an attacker in their uninitialized state. By
manipulating the code flows that precede the handling of these configuration messages, an attacker can
also gain some control over which data will be held in the uninitialized stack variables. This can allow
him to bypass KASLR, and stack canaries protection - as both pointers and stack canaries may be leaked in
this manner. Combining this vulnerability (for example) with the previously disclosed RCE vulnerability in
L2CAP configuration parsing (CVE-2017-1000251) may allow an attacker to exploit the RCE against kernels
which were built with the above mitigations. These are the specifics of this vulnerability: In the
function l2cap_parse_conf_rsp and in the function l2cap_parse_conf_req the following variable is declared
without initialization: struct l2cap_conf_efs efs; In addition, when parsing input configuration
parameters in both of these functions, the switch case for handling EFS elements may skip the memcpy call
that will write to the efs variable: ... case L2CAP_CONF_EFS: if (olen == sizeof(efs)) memcpy(&efs, (void
*)val, olen); ... The olen in the above if is attacker controlled, and regardless of that if, in both of
these functions the efs variable would eventually be added to the outgoing configuration request that is
being built: l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs); So by sending a
configuration request, or response, that contains an L2CAP_CONF_EFS element, but with an element length
that is not sizeof(efs) - the memcpy to the uninitialized efs variable can be avoided, and the
uninitialized variable would be returned to the attacker (16 bytes). (CVE-2017-1000410)
- In change_port_settings in drivers/usb/serial/io_ti.c in the Linux kernel before 4.11.3, local users could
cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud
rates. (CVE-2017-18360)
- In the Linux kernel through 4.19.6, a local user could exploit a use-after-free in the ALSA driver by
supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in
sound/usb/card.c. (CVE-2018-19824)
- A heap address information leak while using L2CAP_GET_CONF_OPT was discovered in the Linux kernel before
5.1-rc1. (CVE-2019-3459)
- A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP was found in the Linux kernel
before 5.1-rc1. (CVE-2019-3460)
- In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference
counting because of a race condition, leading to a use-after-free. (CVE-2019-6974)
- The KVM implementation in the Linux kernel through 4.20.5 has an Information Leak. (CVE-2019-7222)
- In the Linux kernel before 4.20.14, expand_downwards in mm/mmap.c lacks a check for the mmap minimum
address, which makes it easier for attackers to exploit kernel NULL pointer dereferences on non-SMAP
platforms. This is related to a capability check for the wrong task. (CVE-2019-9213)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3933-1");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6974");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/07");
script_set_attribute(attribute:"patch_publication_date", value:"2019/04/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-generic");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-generic-lpae");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-lowlatency");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-powerpc-e500");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-powerpc-e500mc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-powerpc-smp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-powerpc64-emb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-powerpc64-smp");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Only Ubuntu 14.04 hosts with a package list are in scope for this advisory.
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

# release -> kernel base version -> flavour -> first fixed ABI version.
var kernel_mappings = {
  '14.04': {
    '3.13.0': {
      'generic': '3.13.0-168',
      'generic-lpae': '3.13.0-168',
      'lowlatency': '3.13.0-168',
      'powerpc-e500': '3.13.0-168',
      'powerpc-e500mc': '3.13.0-168',
      'powerpc-smp': '3.13.0-168',
      'powerpc64-emb': '3.13.0-168',
      'powerpc64-smp': '3.13.0-168'
    }
  }
};

# Prefer the Ksplice Uptrack effective kernel version when present, since a
# hot-patched host still reports the original version through uname -r.
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if (empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

# Debian version comparison of the running kernel against <fixed>-<flavour>.
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-3933-1');
}

# A Ksplice hotfix covering every CVE in the advisory counts as patched.
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2017-18360', 'CVE-2017-1000410', 'CVE-2018-19824', 'CVE-2019-3459', 'CVE-2019-3460', 'CVE-2019-6974', 'CVE-2019-7222', 'CVE-2019-9213');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-3933-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}

if (extra) {
  security_report_v4(
    port     : 0,
    severity : SECURITY_WARNING,
    extra    : extra
  );
  exit(0);
}
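For an administrator without Nessus, the comparison the plugin makes can be run on the host itself. This is an added example, not Tenable's or Canonical's code: it re-implements the kernel_mappings lookup and the deb_ver_cmp comparison above as a POSIX shell function keyed on the <base>-<abi>-<flavour> form of Ubuntu's uname -r. The 3.13.0-168 threshold and the flavour list are copied from the plugin; the preference for uptrack-uname mirrors its Host/uptrack-uname-r lookup. The function name usn3933_status and the three result words are this example's own.

```shell
#!/bin/sh
# Added example: stand-alone shell re-implementation of the kernel version check
# the USN-3933-1 NASL plugin performs (not Tenable's code). Threshold and flavour
# list come from the plugin's kernel_mappings table.

FIXED_BASE="3.13.0"
FIXED_ABI=168
FLAVOURS="generic generic-lpae lowlatency powerpc-e500 powerpc-e500mc powerpc-smp powerpc64-emb powerpc64-smp"

# usn3933_status <kernel release as printed by uname -r>
# Prints "fixed", "vulnerable" or "not-applicable" (other base version, unknown
# flavour, or a string that is not Ubuntu's <base>-<abi>-<flavour> form).
usn3933_status() {
    rel=$1
    case $rel in
        *-*-*) ;;
        *) echo not-applicable; return 0 ;;
    esac
    base=${rel%%-*}          # 3.13.0
    rest=${rel#*-}           # 167-generic-lpae
    abi=${rest%%-*}          # 167
    flavour=${rest#*-}       # generic-lpae
    [ "$base" = "$FIXED_BASE" ] || { echo not-applicable; return 0; }
    case $abi in
        ''|*[!0-9]*) echo not-applicable; return 0 ;;
    esac
    for f in $FLAVOURS; do
        if [ "$f" = "$flavour" ]; then
            # Same ordering deb_ver_cmp gives for <base>-<abi>-<flavour> strings.
            if [ "$abi" -ge "$FIXED_ABI" ]; then
                echo fixed
            else
                echo vulnerable
            fi
            return 0
        fi
    done
    echo not-applicable
}

# Running kernel: prefer Ksplice Uptrack's view when the tool is installed, since
# a hot-patched host keeps reporting the old version through uname -r.
if command -v uptrack-uname >/dev/null 2>&1; then
    running=$(uptrack-uname -r)
else
    running=$(uname -r)
fi
echo "$running: $(usn3933_status "$running")"
```

On a Ksplice host the plugin additionally consults the list of CVEs the hotfix covers; this script does not, so treat "vulnerable" there as "check uptrack-show" rather than a verdict. Like the plugin, it judges by version string only and does not exercise any of the listed bugs.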
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | linux-image-3.13.0-168-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-generic |
canonical | ubuntu_linux | linux-image-3.13.0-168-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-generic-lpae |
canonical | ubuntu_linux | linux-image-3.13.0-168-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-lowlatency |
canonical | ubuntu_linux | linux-image-3.13.0-168-powerpc-e500 | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-powerpc-e500 |
canonical | ubuntu_linux | linux-image-3.13.0-168-powerpc-e500mc | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-powerpc-e500mc |
canonical | ubuntu_linux | linux-image-3.13.0-168-powerpc-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-powerpc-smp |
canonical | ubuntu_linux | linux-image-3.13.0-168-powerpc64-emb | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-powerpc64-emb |
canonical | ubuntu_linux | linux-image-3.13.0-168-powerpc64-smp | p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13.0-168-powerpc64-smp |
canonical | ubuntu_linux | 14.04 | cpe:/o:canonical:ubuntu_linux:14.04:-:lts |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000410
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18360
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19824
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3459
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3460
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6974
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7222
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9213
ubuntu.com/security/notices/USN-3933-1