The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4147-1 advisory.
Insufficient access control in the Intel® PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2019-0136)
A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash. (CVE-2019-10207)
In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages. (CVE-2019-13631)
An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the qedi_dbg_* family of functions, there is an out-of-bounds read. (CVE-2019-15090)
parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access. (CVE-2019-15117)
check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion. (CVE-2019-15118)
An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory. (CVE-2019-15211)
An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. (CVE-2019-15212)
An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (CVE-2019-15215)
An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)
An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)
An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver. (CVE-2019-15220)
An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)
An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver. (CVE-2019-15223)
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS. (CVE-2019-15538)
An issue was discovered in the Linux kernel before 5.2.3. An out of bounds access exists in the function hclge_tm_schd_mode_vnet_base_cfg in the file drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c. (CVE-2019-15925)
An issue was discovered in the Linux kernel before 5.2.3. Out of bounds access exists in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c. (CVE-2019-15926)
The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka KNOB) that can decrypt traffic and inject arbitrary ciphertext without the victim noticing. (CVE-2019-9506)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4147-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#
include('compat.inc');

if (description)
{
  script_id(129677);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2019-0136",
    "CVE-2019-10207",
    "CVE-2019-13631",
    "CVE-2019-15090",
    "CVE-2019-15117",
    "CVE-2019-15118",
    "CVE-2019-15211",
    "CVE-2019-15212",
    "CVE-2019-15215",
    "CVE-2019-15217",
    "CVE-2019-15218",
    "CVE-2019-15220",
    "CVE-2019-15221",
    "CVE-2019-15223",
    "CVE-2019-15538",
    "CVE-2019-15925",
    "CVE-2019-15926",
    "CVE-2019-9506"
  );
  script_xref(name:"USN", value:"4147-1");

  script_name(english:"Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-4147-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-4147-1 advisory.
- Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may
allow an unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2019-0136)
- A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before
4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware
could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.
(CVE-2019-10207)
- In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a
malicious USB device can send an HID report that triggers an out-of-bounds write during generation of
debugging messages. (CVE-2019-13631)
- An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the
qedi_dbg_* family of functions, there is an out-of-bounds read. (CVE-2019-15090)
- parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short
descriptor, leading to out-of-bounds memory access. (CVE-2019-15117)
- check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to
kernel stack exhaustion. (CVE-2019-15118)
- An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious
USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c
does not properly allocate memory. (CVE-2019-15211)
- An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB
device in the drivers/usb/misc/rio500.c driver. (CVE-2019-15212)
- An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious
USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (CVE-2019-15215)
- An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a
malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)
- An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a
malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)
- An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious
USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver. (CVE-2019-15220)
- An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a
malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)
- An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a
malicious USB device in the sound/usb/line6/driver.c driver. (CVE-2019-15223)
- An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS
partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing
to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack
vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.
(CVE-2019-15538)
- An issue was discovered in the Linux kernel before 5.2.3. An out of bounds access exists in the function
hclge_tm_schd_mode_vnet_base_cfg in the file drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.
(CVE-2019-15925)
- An issue was discovered in the Linux kernel before 5.2.3. Out of bounds access exists in the functions
ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file
drivers/net/wireless/ath/ath6kl/wmi.c. (CVE-2019-15926)
- The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key
length and does not prevent an attacker from influencing the key length negotiation. This allows practical
brute-force attacks (aka KNOB) that can decrypt traffic and inject arbitrary ciphertext without the
victim noticing. (CVE-2019-9506)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-4147-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-15926");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-1020-gke");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-31-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-31-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-31-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '18.04': {
    '5.0.0': {
      'generic': '5.0.0-31',
      'generic-lpae': '5.0.0-31',
      'lowlatency': '5.0.0-31',
      'gke': '5.0.0-1020'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-4147-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2019-0136', 'CVE-2019-9506', 'CVE-2019-10207', 'CVE-2019-13631', 'CVE-2019-15090', 'CVE-2019-15117', 'CVE-2019-15118', 'CVE-2019-15211', 'CVE-2019-15212', 'CVE-2019-15215', 'CVE-2019-15217', 'CVE-2019-15218', 'CVE-2019-15220', 'CVE-2019-15221', 'CVE-2019-15223', 'CVE-2019-15538', 'CVE-2019-15925', 'CVE-2019-15926');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4147-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}

if (extra) {
  security_report_v4(
    port : 0,
    severity : SECURITY_HOLE,
    extra : extra
  );
  exit(0);
}
```
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | linux-image-5.0.0-1020-gke | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-1020-gke |
canonical | ubuntu_linux | linux-image-5.0.0-31-generic | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-31-generic |
canonical | ubuntu_linux | linux-image-5.0.0-31-generic-lpae | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-31-generic-lpae |
canonical | ubuntu_linux | linux-image-5.0.0-31-lowlatency | p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-31-lowlatency |
canonical | ubuntu_linux | 18.04 | cpe:/o:canonical:ubuntu_linux:18.04:-:lts |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0136
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10207
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13631
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15090
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15117
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15118
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15211
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15212
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15215
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15217
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15218
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15220
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15221
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15223
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15538
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15925
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15926
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9506
ubuntu.com/security/notices/USN-4147-1