Lucene search

K
nessusUbuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-4118-1.NASL
HistorySep 03, 2019 - 12:00 a.m.

Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel (AWS) vulnerabilities (USN-4118-1)

2019-09-0300:00:00
Ubuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
27

The remote Ubuntu 16.04 LTS / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4118-1 advisory.

  • The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an integer overflow via a large relative timeout because ktime_add_safe is not used. (CVE-2018-13053)

  • An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during allocation. (CVE-2018-13093)

  • An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.14. A denial of service (out-of- bounds memory access and BUG) can occur upon encountering an abnormal bitmap size when mounting a crafted f2fs image. (CVE-2018-13096)

  • An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3. There is an out-of-bounds read or a divide-by-zero error for an incorrect user_block_count in a corrupted f2fs image, leading to a denial of service (BUG). (CVE-2018-13097)

  • An issue was discovered in fs/f2fs/inode.c in the Linux kernel through 4.17.3. A denial of service (slab out-of-bounds read and BUG) can occur for a modified f2fs filesystem image in which FI_EXTRA_ATTR is set in an inode. (CVE-2018-13098)

  • An issue was discovered in fs/f2fs/inline.c in the Linux kernel through 4.4. A denial of service (out-of- bounds memory access and BUG) can occur for a modified f2fs filesystem image in which an inline inode contains an invalid reserved blkaddr. (CVE-2018-13099)

  • An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3, which does not properly validate secs_per_zone in a corrupted f2fs image, as demonstrated by a divide-by-zero error.
    (CVE-2018-13100)

  • An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in
    __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc rb_trees when reloc control has not been initialized. (CVE-2018-14609)

  • An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in fs/btrfs/extent-tree.c. (CVE-2018-14610)

  • An issue was discovered in the Linux kernel through 4.17.10. There is a use-after-free in try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in btrfs_check_chunk_valid in fs/btrfs/volumes.c. (CVE-2018-14611)

  • An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in check_leaf in fs/btrfs/tree-checker.c. (CVE-2018-14612)

  • An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item validation in check_leaf_item in fs/btrfs/tree-checker.c. (CVE-2018-14613)

  • An issue was discovered in the Linux kernel through 4.17.10. There is an out-of-bounds access in
    __remove_dirty_segment() in fs/f2fs/segment.c when mounting an f2fs image. (CVE-2018-14614)

  • An issue was discovered in the Linux kernel through 4.17.10. There is a buffer overflow in truncate_inline_inode() in fs/f2fs/inline.c when umounting an f2fs image, because a length value may be negative. (CVE-2018-14615)

  • An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference in fscrypt_do_page_crypto() in fs/crypto/crypto.c when operating on a file in a corrupted f2fs image.
    (CVE-2018-14616)

  • An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference and panic in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+ filesystem that has malformed catalog data, and is mounted read-only without a metadata directory.
    (CVE-2018-14617)

  • A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one. (CVE-2018-16862)

  • The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space. (CVE-2018-19985)

  • An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.
    (CVE-2018-20169)

  • An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in drivers/net/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.
    (CVE-2018-20511)

  • In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq’s, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load. (CVE-2018-20784)

  • An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain error case is mishandled. (CVE-2018-20856)

  • Bluetooth firmware or operating system software drivers in macOS versions before 10.13, High Sierra and iOS versions before 11.4, and Android versions before the 2018-06-05 patch may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device. (CVE-2018-5383)

  • Insufficient access control in the Intel® PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2019-0136)

  • A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences. (CVE-2019-10126)

  • A flaw was found in the Linux kernel’s Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.
    (CVE-2019-10207)

  • In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. (CVE-2019-10638)

  • The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the attacker’s web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to have a dependency on an address associated with a network namespace. (CVE-2019-10639)

  • Insufficient input validation in Kernel Mode Driver in Intel® i915 Graphics for Linux before version 5.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
    (CVE-2019-11085)

  • The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after- free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can occur with FUSE requests. (CVE-2019-11487)

  • The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c. (CVE-2019-11599)

  • An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c.
    This causes a Denial of Service, related to a use-after-free. (CVE-2019-11810)

  • An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup. (CVE-2019-11815)

  • fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the extent tree block, which might allow local users to obtain sensitive information by reading uninitialized data in the filesystem. (CVE-2019-11833)

  • The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command, because a name field may not end with a ‘\0’ character. (CVE-2019-11884)

  • An issue was discovered in the Linux kernel before 4.20.15. The nfc_llcp_build_tlv function in net/nfc/llcp_commands.c may return NULL. If the caller does not check for this, it will trigger a NULL pointer dereference. This will cause denial of service. This affects nfc_llcp_build_gb in net/nfc/llcp_core.c. (CVE-2019-12818)

  • An issue was discovered in the Linux kernel before 5.0. The function __mdiobus_register() in drivers/net/phy/mdio_bus.c calls put_device(), which will trigger a fixed_mdio_bus_init use-after-free.
    This will cause a denial of service. (CVE-2019-12819)

  • A NULL pointer dereference vulnerability in the function nfc_genl_deactivate_target() in net/nfc/netlink.c in the Linux kernel before 5.1.13 can be triggered by a malicious user-mode program that omits certain NFC attributes, leading to denial of service. (CVE-2019-12984)

  • In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds violation. (CVE-2019-13233)

  • In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit’s pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
    (CVE-2019-13272)

  • In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages. (CVE-2019-13631)

  • In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by default. (CVE-2019-14283)

  • In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should be called. It can be triggered by an unprivileged local user even when a floppy disk has not been inserted. NOTE: QEMU creates the floppy device by default. (CVE-2019-14284)

  • In the Linux kernel before 4.16.4, a double-locking error in drivers/usb/dwc3/gadget.c may potentially cause a deadlock with f_hid. (CVE-2019-14763)

  • An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the qedi_dbg_* family of functions, there is an out-of-bounds read. (CVE-2019-15090)

  • An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory. (CVE-2019-15211)

  • An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. (CVE-2019-15212)

  • An issue was discovered in the Linux kernel before 5.0.10. There is a use-after-free in the sound subsystem because card disconnection causes certain data structures to be deleted too early. This is related to sound/core/init.c and sound/core/info.c. (CVE-2019-15214)

  • An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (CVE-2019-15215)

  • An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver. (CVE-2019-15216)

  • An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)

  • An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver. (CVE-2019-15220)

  • An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)

  • An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit, related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.
    (CVE-2019-15292)

  • In em28xx_unregister_dvb of em28xx-dvb.c, there is a possible use after free issue. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-111761954References:
    Upstream kernel (CVE-2019-2024)

  • In uvc_parse_standard_control of uvc_driver.c, there is a possible out-of-bound read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel.
    Android ID: A-111760968. (CVE-2019-2101)

  • An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field.
    The privileged user root with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data length code a higher value than the available CAN frame data size. In combination with a configured checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel) the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data registers in the CAN controller’s I/O memory when processing can-gw manipulated outgoing frames.
    (CVE-2019-3701)

  • A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged user (root) can cause a system lock up and a denial of service. Versions from v4.18 and newer are vulnerable. (CVE-2019-3819)

  • A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network. (CVE-2019-3846)

  • An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)

  • The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka KNOB) that can decrypt traffic and inject arbitrary ciphertext without the victim noticing. (CVE-2019-9506)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4118-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(128478);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2018-13053",
    "CVE-2018-13093",
    "CVE-2018-13096",
    "CVE-2018-13097",
    "CVE-2018-13098",
    "CVE-2018-13099",
    "CVE-2018-13100",
    "CVE-2018-14609",
    "CVE-2018-14610",
    "CVE-2018-14611",
    "CVE-2018-14612",
    "CVE-2018-14613",
    "CVE-2018-14614",
    "CVE-2018-14615",
    "CVE-2018-14616",
    "CVE-2018-14617",
    "CVE-2018-16862",
    "CVE-2018-19985",
    "CVE-2018-20169",
    "CVE-2018-20511",
    "CVE-2018-20784",
    "CVE-2018-20856",
    "CVE-2018-5383",
    "CVE-2019-0136",
    "CVE-2019-10126",
    "CVE-2019-10207",
    "CVE-2019-10638",
    "CVE-2019-10639",
    "CVE-2019-11085",
    "CVE-2019-11487",
    "CVE-2019-11599",
    "CVE-2019-11810",
    "CVE-2019-11815",
    "CVE-2019-11833",
    "CVE-2019-11884",
    "CVE-2019-12818",
    "CVE-2019-12819",
    "CVE-2019-12984",
    "CVE-2019-13233",
    "CVE-2019-13272",
    "CVE-2019-13631",
    "CVE-2019-14283",
    "CVE-2019-14284",
    "CVE-2019-14763",
    "CVE-2019-15090",
    "CVE-2019-15211",
    "CVE-2019-15212",
    "CVE-2019-15214",
    "CVE-2019-15215",
    "CVE-2019-15216",
    "CVE-2019-15218",
    "CVE-2019-15220",
    "CVE-2019-15221",
    "CVE-2019-15292",
    "CVE-2019-2024",
    "CVE-2019-2101",
    "CVE-2019-3701",
    "CVE-2019-3819",
    "CVE-2019-3846",
    "CVE-2019-3900",
    "CVE-2019-9506"
  );
  script_xref(name:"USN", value:"4118-1");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/06/10");
  script_xref(name:"CEA-ID", value:"CEA-2021-0025");

  script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel (AWS) vulnerabilities (USN-4118-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as
referenced in the USN-4118-1 advisory.

  - The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the Linux kernel through 4.17.3 has an
    integer overflow via a large relative timeout because ktime_add_safe is not used. (CVE-2018-13053)

  - An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel through 4.17.3. There is a NULL pointer
    dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted
    xfs image. This occurs because of a lack of proper validation that cached inodes are free during
    allocation. (CVE-2018-13093)

  - An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.14. A denial of service (out-of-
    bounds memory access and BUG) can occur upon encountering an abnormal bitmap size when mounting a crafted
    f2fs image. (CVE-2018-13096)

  - An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3. There is an out-of-bounds
    read or a divide-by-zero error for an incorrect user_block_count in a corrupted f2fs image, leading to a
    denial of service (BUG). (CVE-2018-13097)

  - An issue was discovered in fs/f2fs/inode.c in the Linux kernel through 4.17.3. A denial of service (slab
    out-of-bounds read and BUG) can occur for a modified f2fs filesystem image in which FI_EXTRA_ATTR is set
    in an inode. (CVE-2018-13098)

  - An issue was discovered in fs/f2fs/inline.c in the Linux kernel through 4.4. A denial of service (out-of-
    bounds memory access and BUG) can occur for a modified f2fs filesystem image in which an inline inode
    contains an invalid reserved blkaddr. (CVE-2018-13099)

  - An issue was discovered in fs/f2fs/super.c in the Linux kernel through 4.17.3, which does not properly
    validate secs_per_zone in a corrupted f2fs image, as demonstrated by a divide-by-zero error.
    (CVE-2018-13100)

  - An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in
    __del_reloc_root() in fs/btrfs/relocation.c when mounting a crafted btrfs image, related to removing reloc
    rb_trees when reloc control has not been initialized. (CVE-2018-14609)

  - An issue was discovered in the Linux kernel through 4.17.10. There is out-of-bounds access in
    write_extent_buffer() when mounting and operating a crafted btrfs image, because of a lack of verification
    that each block group has a corresponding chunk at mount time, within btrfs_read_block_groups in
    fs/btrfs/extent-tree.c. (CVE-2018-14610)

  - An issue was discovered in the Linux kernel through 4.17.10. There is a use-after-free in
    try_merge_free_space() when mounting a crafted btrfs image, because of a lack of chunk type flag checks in
    btrfs_check_chunk_valid in fs/btrfs/volumes.c. (CVE-2018-14611)

  - An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in
    btrfs_root_node() when mounting a crafted btrfs image, because of a lack of chunk block group mapping
    validation in btrfs_read_block_groups in fs/btrfs/extent-tree.c, and a lack of empty-tree checks in
    check_leaf in fs/btrfs/tree-checker.c. (CVE-2018-14612)

  - An issue was discovered in the Linux kernel through 4.17.10. There is an invalid pointer dereference in
    io_ctl_map_page() when mounting and operating a crafted btrfs image, because of a lack of block group item
    validation in check_leaf_item in fs/btrfs/tree-checker.c. (CVE-2018-14613)

  - An issue was discovered in the Linux kernel through 4.17.10. There is an out-of-bounds access in
    __remove_dirty_segment() in fs/f2fs/segment.c when mounting an f2fs image. (CVE-2018-14614)

  - An issue was discovered in the Linux kernel through 4.17.10. There is a buffer overflow in
    truncate_inline_inode() in fs/f2fs/inline.c when umounting an f2fs image, because a length value may be
    negative. (CVE-2018-14615)

  - An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference in
    fscrypt_do_page_crypto() in fs/crypto/crypto.c when operating on a file in a corrupted f2fs image.
    (CVE-2018-14616)

  - An issue was discovered in the Linux kernel through 4.17.10. There is a NULL pointer dereference and panic
    in hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is purportedly a hard link) in an hfs+
    filesystem that has malformed catalog data, and is mounted read-only without a metadata directory.
    (CVE-2018-14617)

  - A security flaw was found in the Linux kernel in a way that the cleancache subsystem clears an inode after
    the final file truncation (removal). The new file created with the same inode may contain leftover pages
    from cleancache and the old file data instead of the new one. (CVE-2018-16862)

  - The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num
    from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds
    (OOB) read that potentially allows arbitrary read in the kernel address space. (CVE-2018-19985)

  - An issue was discovered in the Linux kernel before 4.19.9. The USB subsystem mishandles size checks during
    the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c.
    (CVE-2018-20169)

  - An issue was discovered in the Linux kernel before 4.18.11. The ipddp_ioctl function in
    drivers/net/appletalk/ipddp.c allows local users to obtain sensitive kernel address information by
    leveraging CAP_NET_ADMIN to read the ipddp_route dev and next fields via an SIOCFINDIPDDPRT ioctl call.
    (CVE-2018-20511)

  - In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to
    cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other
    impact by inducing a high load. (CVE-2018-20784)

  - An issue was discovered in the Linux kernel before 4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain error case is mishandled. (CVE-2018-20856)

  - Bluetooth firmware or operating system software drivers in macOS versions before 10.13, High Sierra and
    iOS versions before 11.4, and Android versions before the 2018-06-05 patch may not sufficiently validate
    elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may
    allow a remote attacker to obtain the encryption key used by the device. (CVE-2018-5383)

  - Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may
    allow an unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2019-0136)

  - A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function
    in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other
    consequences. (CVE-2019-10126)

  - A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before
    4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware
    could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.
    (CVE-2019-10207)

  - In the Linux kernel before 5.1.7, a device can be tracked by an attacker using the IP ID values the kernel
    produces for connection-less protocols (e.g., UDP and ICMP). When such traffic is sent to multiple
    destination IP addresses, it is possible to obtain hash collisions (of indices to the counter array) and
    thereby obtain the hashing key (via enumeration). An attack may be conducted by hosting a crafted web page
    that uses WebRTC or gQUIC to force UDP traffic to attacker-controlled IP addresses. (CVE-2019-10638)

  - The Linux kernel 4.x (starting from 4.1) and 5.x before 5.0.8 allows Information Exposure (partial kernel
    address disclosure), leading to a KASLR bypass. Specifically, it is possible to extract the KASLR kernel
    image offset using the IP ID values the kernel produces for connection-less protocols (e.g., UDP and
    ICMP). When such traffic is sent to multiple destination IP addresses, it is possible to obtain hash
    collisions (of indices to the counter array) and thereby obtain the hashing key (via enumeration). This
    key contains enough bits from a kernel address (of a static variable) so when the key is extracted (via
    enumeration), the offset of the kernel image is exposed. This attack can be carried out remotely, by the
    attacker forcing the target device to send UDP or ICMP (or certain other) traffic to attacker-controlled
    IP addresses. Forcing a server to send UDP traffic is trivial if the server is a DNS server. ICMP traffic
    is trivial if the server answers ICMP Echo requests (ping). For client targets, if the target visits the
    attacker's web page, then WebRTC or gQUIC can be used to force UDP traffic to attacker-controlled IP
    addresses. NOTE: this attack against KASLR became viable in 4.1 because IP ID generation was changed to
    have a dependency on an address associated with a network namespace. (CVE-2019-10639)

  - Insufficient input validation in Kernel Mode Driver in Intel(R) i915 Graphics for Linux before version 5.0
    may allow an authenticated user to potentially enable escalation of privilege via local access.
    (CVE-2019-11085)

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-
    free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,
    include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can
    occur with FUSE requests. (CVE-2019-11487)

  - The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to
    prevent vma layout or vma flags changes while it runs, which allows local users to obtain sensitive
    information, cause a denial of service, or possibly have unspecified other impact by triggering a race
    condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c, mm/mmap.c,
    fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c. (CVE-2019-11599)

  - An issue was discovered in the Linux kernel before 5.0.7. A NULL pointer dereference can occur when
    megasas_create_frame_pool() fails in megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c.
    This causes a Denial of Service, related to a use-after-free. (CVE-2019-11810)

  - An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a
    race condition leading to a use-after-free, related to net namespace cleanup. (CVE-2019-11815)

  - fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out the unused memory region in the
    extent tree block, which might allow local users to obtain sensitive information by reading uninitialized
    data in the filesystem. (CVE-2019-11833)

  - The do_hidp_sock_ioctl function in net/bluetooth/hidp/sock.c in the Linux kernel before 5.0.15 allows a
    local user to obtain potentially sensitive information from kernel stack memory via a HIDPCONNADD command,
    because a name field may not end with a '\0' character. (CVE-2019-11884)

  - An issue was discovered in the Linux kernel before 4.20.15. The nfc_llcp_build_tlv function in
    net/nfc/llcp_commands.c may return NULL. If the caller does not check for this, it will trigger a NULL
    pointer dereference. This will cause denial of service. This affects nfc_llcp_build_gb in
    net/nfc/llcp_core.c. (CVE-2019-12818)

  - An issue was discovered in the Linux kernel before 5.0. The function __mdiobus_register() in
    drivers/net/phy/mdio_bus.c calls put_device(), which will trigger a fixed_mdio_bus_init use-after-free.
    This will cause a denial of service. (CVE-2019-12819)

  - A NULL pointer dereference vulnerability in the function nfc_genl_deactivate_target() in net/nfc/netlink.c
    in the Linux kernel before 5.1.13 can be triggered by a malicious user-mode program that omits certain NFC
    attributes, leading to denial of service. (CVE-2019-12984)

  - In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, there is a use-after-free for access to an
    LDT entry because of a race condition between modify_ldt() and a #BR exception for an MPX bounds
    violation. (CVE-2019-13233)

  - In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the
    credentials of a process that wants to create a ptrace relationship, which allows local users to obtain
    root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops
    privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an
    object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of
    a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper
    with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.
    (CVE-2019-13272)

  - In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a
    malicious USB device can send an HID report that triggers an out-of-bounds write during generation of
    debugging messages. (CVE-2019-13631)

  - In the Linux kernel before 5.2.3, set_geometry in drivers/block/floppy.c does not validate the sect and
    head fields, as demonstrated by an integer overflow and out-of-bounds read. It can be triggered by an
    unprivileged local user when a floppy disk has been inserted. NOTE: QEMU creates the floppy device by
    default. (CVE-2019-14283)

  - In the Linux kernel before 5.2.3, drivers/block/floppy.c allows a denial of service by setup_format_params
    division-by-zero. Two consecutive ioctls can trigger the bug: the first one should set the drive geometry
    with .sect and .rate values that make F_SECT_PER_TRACK be zero. Next, the floppy format operation should
    be called. It can be triggered by an unprivileged local user even when a floppy disk has not been
    inserted. NOTE: QEMU creates the floppy device by default. (CVE-2019-14284)

  - In the Linux kernel before 4.16.4, a double-locking error in drivers/usb/dwc3/gadget.c may potentially
    cause a deadlock with f_hid. (CVE-2019-14763)

  - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the
    qedi_dbg_* family of functions, there is an out-of-bounds read. (CVE-2019-15090)

  - An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious
    USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c
    does not properly allocate memory. (CVE-2019-15211)

  - An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB
    device in the drivers/usb/misc/rio500.c driver. (CVE-2019-15212)

  - An issue was discovered in the Linux kernel before 5.0.10. There is a use-after-free in the sound
    subsystem because card disconnection causes certain data structures to be deleted too early. This is
    related to sound/core/init.c and sound/core/info.c. (CVE-2019-15214)

  - An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious
    USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (CVE-2019-15215)

  - An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a
    malicious USB device in the drivers/usb/misc/yurex.c driver. (CVE-2019-15216)

  - An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a
    malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)

  - An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious
    USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver. (CVE-2019-15220)

  - An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a
    malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)

  - An issue was discovered in the Linux kernel before 5.0.9. There is a use-after-free in atalk_proc_exit,
    related to net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and net/appletalk/sysctl_net_atalk.c.
    (CVE-2019-15292)

  - In em28xx_unregister_dvb of em28xx-dvb.c, there is a possible use after free issue. This could lead to
    local escalation of privilege with no additional execution privileges needed. User interaction is not
    needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-111761954References:
    Upstream kernel (CVE-2019-2024)

  - In uvc_parse_standard_control of uvc_driver.c, there is a possible out-of-bound read due to improper input
    validation. This could lead to local information disclosure with no additional execution privileges
    needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel.
    Android ID: A-111760968. (CVE-2019-2101)

  - An issue was discovered in can_can_gw_rcv in net/can/gw.c in the Linux kernel through 4.19.13. The CAN
    frame modification rules allow bitwise logical operations that can be also applied to the can_dlc field.
    The privileged user root with CAP_NET_ADMIN can create a CAN frame modification rule that makes the data
    length code a higher value than the available CAN frame data size. In combination with a configured
    checksum calculation where the result is stored relatively to the end of the data (e.g. cgw_csum_xor_rel)
    the tail of the skb (e.g. frag_list pointer in skb_shared_info) can be rewritten which finally can cause a
    system crash. Because of a missing check, the CAN drivers may write arbitrary content beyond the data
    registers in the CAN controller's I/O memory when processing can-gw manipulated outgoing frames.
    (CVE-2019-3701)

  - A flaw was found in the Linux kernel in the function hid_debug_events_read() in drivers/hid/hid-debug.c
    file which may enter an infinite loop with certain parameters passed from a userspace. A local privileged
    user (root) can cause a system lock up and a denial of service. Versions from v4.18 and newer are
    vulnerable. (CVE-2019-3819)

  - A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the
    mwifiex kernel module while connecting to a malicious wireless network. (CVE-2019-3846)

  - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including
    v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster
    than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the
    vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)

  - The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key
    length and does not prevent an attacker from influencing the key length negotiation. This allows practical
    brute-force attacks (aka KNOB) that can decrypt traffic and inject arbitrary ciphertext without the
    victim noticing. (CVE-2019-9506)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-4118-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-15292");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-10126");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/09/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1047-aws");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release || '18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '16.04': {
    '4.15.0': {
      'aws': '4.15.0-1047'
    }
  },
  '18.04': {
    '4.15.0': {
      'aws': '4.15.0-1047'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-4118-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2018-5383', 'CVE-2018-13053', 'CVE-2018-13093', 'CVE-2018-13096', 'CVE-2018-13097', 'CVE-2018-13098', 'CVE-2018-13099', 'CVE-2018-13100', 'CVE-2018-14609', 'CVE-2018-14610', 'CVE-2018-14611', 'CVE-2018-14612', 'CVE-2018-14613', 'CVE-2018-14614', 'CVE-2018-14615', 'CVE-2018-14616', 'CVE-2018-14617', 'CVE-2018-16862', 'CVE-2018-19985', 'CVE-2018-20169', 'CVE-2018-20511', 'CVE-2018-20784', 'CVE-2018-20856', 'CVE-2019-0136', 'CVE-2019-2024', 'CVE-2019-2101', 'CVE-2019-3701', 'CVE-2019-3819', 'CVE-2019-3846', 'CVE-2019-3900', 'CVE-2019-9506', 'CVE-2019-10126', 'CVE-2019-10207', 'CVE-2019-10638', 'CVE-2019-10639', 'CVE-2019-11085', 'CVE-2019-11487', 'CVE-2019-11599', 'CVE-2019-11810', 'CVE-2019-11815', 'CVE-2019-11833', 'CVE-2019-11884', 'CVE-2019-12818', 'CVE-2019-12819', 'CVE-2019-12984', 'CVE-2019-13233', 'CVE-2019-13272', 'CVE-2019-13631', 'CVE-2019-14283', 'CVE-2019-14284', 'CVE-2019-14763', 'CVE-2019-15090', 'CVE-2019-15211', 'CVE-2019-15212', 'CVE-2019-15214', 'CVE-2019-15215', 'CVE-2019-15216', 'CVE-2019-15218', 'CVE-2019-15220', 'CVE-2019-15221', 'CVE-2019-15292');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4118-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}

References