Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4094-1)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4094-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(127889);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2018-13053",
    "CVE-2018-13093",
    "CVE-2018-13096",
    "CVE-2018-13097",
    "CVE-2018-13098",
    "CVE-2018-13099",
    "CVE-2018-13100",
    "CVE-2018-14609",
    "CVE-2018-14610",
    "CVE-2018-14611",
    "CVE-2018-14612",
    "CVE-2018-14613",
    "CVE-2018-14614",
    "CVE-2018-14615",
    "CVE-2018-14616",
    "CVE-2018-14617",
    "CVE-2018-16862",
    "CVE-2018-20169",
    "CVE-2018-20511",
    "CVE-2018-20856",
    "CVE-2018-5383",
    "CVE-2019-10126",
    "CVE-2019-1125",
    "CVE-2019-12614",
    "CVE-2019-12818",
    "CVE-2019-12819",
    "CVE-2019-12984",
    "CVE-2019-13233",
    "CVE-2019-13272",
    "CVE-2019-2024",
    "CVE-2019-2101",
    "CVE-2019-3846"
  );
  script_xref(name:"USN", value:"4094-1");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/06/10");

  script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4094-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as
referenced in the USN-4094-1 advisory.

  - The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an
    integer overflow via a large relative timeout because ktime_add_safe is not used. (CVE-2018-13053)

  - An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer
    dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted
    xfs image. This occurs because of a lack of proper validation that cached inodes are free during
    allocation. (CVE-2018-13093)

  - An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.14. A denial of service (out-of-
    bounds memory access and BUG) can occur upon encountering an abnormal bitmap size when mounting a crafted
    f2fs image. (CVE-2018-13096)

  - An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3. There is an out-of-bounds
    read or a divide-by-zero error for an incorrect user_block_count in a corrupted f2fs image, leading to a
    denial of service (BUG). (CVE-2018-13097)

  - An issue was discovered in fs/f2fs/inode.c in the Linux kernel through 4.17.3. A denial of service (slab
    out-of-bounds read and BUG) can occur for a modified f2fs filesystem image in which FI_EXTRA_ATTR is set
    in an inode. (CVE-2018-13098)

  - An issue was discovered in fs/f2fs/inline.c in the Linux kernel through 4.4. A denial of service (out-of-
    bounds memory access and BUG) can occur for a modified f2fs filesystem image in which an inline inode
    contains an invalid reserved blkaddr. (CVE-2018-13099)

  - An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3, which does not properly
    validate secs_per_zone in a corrupted f2fs image, as demonstrated by a divide-by-zero error.
    (CVE-2018-13100)

  - An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in
    __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc
    rb_trees when reloc control has not been initialized. (CVE-2018-14609)

  - An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in
    write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification
    that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in
    fs/btrfs/extent-tree.c. (CVE-2018-14610)

  - An issue was discovered in the Linux kernel through 4.17.10. There is a use-after-free in
    try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in
    btrfs_check_chunk_valid in fs/btrfs/volumes.c. (CVE-2018-14611)

  - An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in
    btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping
    validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in
    check_leaf in fs/btrfs/tree-checker.c. (CVE-2018-14612)

  - An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in
    io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item
    validation in check_leaf_item in fs/btrfs/tree-checker.c. (CVE-2018-14613)

  - An issue was discovered in the Linux kernel through 4.17.10. There is an out-of-bounds access in
    __remove_dirty_segment() in fs/f2fs/segment.c when mounting an f2fs image. (CVE-2018-14614)

  - An issue was discovered in the Linux kernel through 4.17.10. There is a buffer overflow in
    truncate_inline_inode() in fs/f2fs/inline.c when umounting an f2fs image, because a length value may be
    negative. (CVE-2018-14615)

  - An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference in
    fscrypt_do_page_crypto() in fs/crypto/crypto.c when operating on a file in a corrupted f2fs image.
    (CVE-2018-14616)

  - An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference and panic
    in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+
    filesystem that has malformed catalog data, and is mounted read-only without a metadata directory.
    (CVE-2018-14617)

  - A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after
    the final file truncation (removal). The new file created with the same inode may contain leftover pages
    from cleancache and the old file data instead of the new one. (CVE-2018-16862)

  - An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during
    the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.
    (CVE-2018-20169)

  - An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in
    drivers/net/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by
    leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.
    (CVE-2018-20511)

  - An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain error case is mishandled. (CVE-2018-20856)

  - Bluetooth firmware or operating system software drivers in macOS versions before 10.13, High Sierra and
    iOS versions before 11.4, and Android versions before the 2018-06-05 patch may not sufficiently validate
    elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may
    allow a remote attacker to obtain the encryption key used by the device. (CVE-2018-5383)

  - A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function
    in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other
    consequences. (CVE-2019-10126)

  - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively
    access memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from
    CVE-2019-1071, CVE-2019-1073. (CVE-2019-1125)

  - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux
    kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause
    a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)

  - An issue was discovered in the Linux kernel before 4.20.15. The nfc_llcp_build_tlv function in
    net/nfc/llcp_commands.c may return NULL. If the caller does not check for this, it will trigger a NULL
    pointer dereference. This will cause denial of service. This affects nfc_llcp_build_gb in
    net/nfc/llcp_core.c. (CVE-2019-12818)

  - An issue was discovered in the Linux kernel before 5.0. The function __mdiobus_register() in
    drivers/net/phy/mdio_bus.c calls put_device(), which will trigger a fixed_mdio_bus_init use-after-free.
    This will cause a denial of service. (CVE-2019-12819)

  - A NULL pointer dereference vulnerability in the function nfc_genl_deactivate_target() in net/nfc/netlink.c
    in the Linux kernel before 5.1.13 can be triggered by a malicious user-mode program that omits certain NFC
    attributes, leading to denial of service. (CVE-2019-12984)

  - In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an
    LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds
    violation. (CVE-2019-13233)

  - In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the
    credentials of a process that wants to create a ptrace relationship, which allows local users to obtain
    root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops
    privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an
    object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of
    a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper
    with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
    (CVE-2019-13272)

  - In em28xx_unregister_dvb of em28xx-dvb.c, there is a possible use after free issue. This could lead to
    local escalation of privilege with no additional execution privileges needed. User interaction is not
    needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-111761954References:
    Upstream kernel (CVE-2019-2024)

  - In uvc_parse_standard_control of uvc_driver.c, there is a possible out-of-bound read due to improper input
    validation. This could lead to local information disclosure with no additional execution privileges
    needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel.
    Android ID: A-111760968. (CVE-2019-2101)

  - A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the
    mwifiex kernel module while connecting to a malicious wireless network. (CVE-2019-3846)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-4094-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3846");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-10126");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/08/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1021-oracle");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1040-gcp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1040-gke");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1042-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1043-raspi2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1050-oem");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1060-snapdragon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-58-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-58-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-58-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release || '18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '16.04': {
    '4.15.0': {
      'generic': '4.15.0-58',
      'generic-lpae': '4.15.0-58',
      'lowlatency': '4.15.0-58',
      'oracle': '4.15.0-1021',
      'gcp': '4.15.0-1040'
    }
  },
  '18.04': {
    '4.15.0': {
      'generic': '4.15.0-58',
      'generic-lpae': '4.15.0-58',
      'lowlatency': '4.15.0-58',
      'oracle': '4.15.0-1021',
      'gcp': '4.15.0-1040',
      'gke': '4.15.0-1040',
      'kvm': '4.15.0-1042',
      'raspi2': '4.15.0-1043',
      'oem': '4.15.0-1050',
      'snapdragon': '4.15.0-1060'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-4094-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2018-5383', 'CVE-2018-13053', 'CVE-2018-13093', 'CVE-2018-13096', 'CVE-2018-13097', 'CVE-2018-13098', 'CVE-2018-13099', 'CVE-2018-13100', 'CVE-2018-14609', 'CVE-2018-14610', 'CVE-2018-14611', 'CVE-2018-14612', 'CVE-2018-14613', 'CVE-2018-14614', 'CVE-2018-14615', 'CVE-2018-14616', 'CVE-2018-14617', 'CVE-2018-16862', 'CVE-2018-20169', 'CVE-2018-20511', 'CVE-2018-20856', 'CVE-2019-1125', 'CVE-2019-2024', 'CVE-2019-2101', 'CVE-2019-3846', 'CVE-2019-10126', 'CVE-2019-12614', 'CVE-2019-12818', 'CVE-2019-12819', 'CVE-2019-12984', 'CVE-2019-13233', 'CVE-2019-13272');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4094-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}