nessus
Ubuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
UBUNTU_USN-4147-1.NASL
History: Oct 07, 2019 - 12:00 a.m.

Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-4147-1)

2019-10-07 00:00:00
www.tenable.com

AI Score: 7.5 High (Confidence: High)

The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4147-1 advisory.

  • Insufficient access control in the Intel® PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2019-0136)

  • A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before 4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.
    (CVE-2019-10207)

  • In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages. (CVE-2019-13631)

  • An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the qedi_dbg_* family of functions, there is an out-of-bounds read. (CVE-2019-15090)

  • parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short descriptor, leading to out-of-bounds memory access. (CVE-2019-15117)

  • check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to kernel stack exhaustion. (CVE-2019-15118)

  • An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c does not properly allocate memory. (CVE-2019-15211)

  • An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB device in the drivers/usb/misc/rio500.c driver. (CVE-2019-15212)

  • An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (CVE-2019-15215)

  • An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)

  • An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)

  • An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver. (CVE-2019-15220)

  • An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)

  • An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/line6/driver.c driver. (CVE-2019-15223)

  • An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.
    (CVE-2019-15538)

  • An issue was discovered in the Linux kernel before 5.2.3. An out of bounds access exists in the function hclge_tm_schd_mode_vnet_base_cfg in the file drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.
    (CVE-2019-15925)

  • An issue was discovered in the Linux kernel before 5.2.3. Out of bounds access exists in the functions ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file drivers/net/wireless/ath/ath6kl/wmi.c. (CVE-2019-15926)

  • The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka KNOB) that can decrypt traffic and inject arbitrary ciphertext without the victim noticing. (CVE-2019-9506)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4147-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(129677);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2019-0136",
    "CVE-2019-10207",
    "CVE-2019-13631",
    "CVE-2019-15090",
    "CVE-2019-15117",
    "CVE-2019-15118",
    "CVE-2019-15211",
    "CVE-2019-15212",
    "CVE-2019-15215",
    "CVE-2019-15217",
    "CVE-2019-15218",
    "CVE-2019-15220",
    "CVE-2019-15221",
    "CVE-2019-15223",
    "CVE-2019-15538",
    "CVE-2019-15925",
    "CVE-2019-15926",
    "CVE-2019-9506"
  );
  script_xref(name:"USN", value:"4147-1");

  script_name(english:"Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-4147-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-4147-1 advisory.

  - Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may
    allow an unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2019-0136)

  - A flaw was found in the Linux kernel's Bluetooth implementation of UART, all versions kernel 3.x.x before
    4.18.0 and kernel 5.x.x. An attacker with local access and write permissions to the Bluetooth hardware
    could use this flaw to issue a specially crafted ioctl function call and cause the system to crash.
    (CVE-2019-10207)

  - In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a
    malicious USB device can send an HID report that triggers an out-of-bounds write during generation of
    debugging messages. (CVE-2019-13631)

  - An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux kernel before 5.1.12. In the
    qedi_dbg_* family of functions, there is an out-of-bounds read. (CVE-2019-15090)

  - parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles a short
    descriptor, leading to out-of-bounds memory access. (CVE-2019-15117)

  - check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2.9 mishandles recursion, leading to
    kernel stack exhaustion. (CVE-2019-15118)

  - An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious
    USB device in the drivers/media/v4l2-core/v4l2-dev.c driver because drivers/media/radio/radio-raremono.c
    does not properly allocate memory. (CVE-2019-15211)

  - An issue was discovered in the Linux kernel before 5.1.8. There is a double-free caused by a malicious USB
    device in the drivers/usb/misc/rio500.c driver. (CVE-2019-15212)

  - An issue was discovered in the Linux kernel before 5.2.6. There is a use-after-free caused by a malicious
    USB device in the drivers/media/usb/cpia2/cpia2_usb.c driver. (CVE-2019-15215)

  - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a
    malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)

  - An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a
    malicious USB device in the drivers/media/usb/siano/smsusb.c driver. (CVE-2019-15218)

  - An issue was discovered in the Linux kernel before 5.2.1. There is a use-after-free caused by a malicious
    USB device in the drivers/net/wireless/intersil/p54/p54usb.c driver. (CVE-2019-15220)

  - An issue was discovered in the Linux kernel before 5.1.17. There is a NULL pointer dereference caused by a
    malicious USB device in the sound/usb/line6/pcm.c driver. (CVE-2019-15221)

  - An issue was discovered in the Linux kernel before 5.1.8. There is a NULL pointer dereference caused by a
    malicious USB device in the sound/usb/line6/driver.c driver. (CVE-2019-15223)

  - An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS
    partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing
    to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a local DoS attack
    vector, but it might result as well in remote DoS if the XFS filesystem is exported for instance via NFS.
    (CVE-2019-15538)

  - An issue was discovered in the Linux kernel before 5.2.3. An out of bounds access exists in the function
    hclge_tm_schd_mode_vnet_base_cfg in the file drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.
    (CVE-2019-15925)

  - An issue was discovered in the Linux kernel before 5.2.3. Out of bounds access exists in the functions
    ath6kl_wmi_pstream_timeout_event_rx and ath6kl_wmi_cac_event_rx in the file
    drivers/net/wireless/ath/ath6kl/wmi.c. (CVE-2019-15926)

  - The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key
    length and does not prevent an attacker from influencing the key length negotiation. This allows practical
    brute-force attacks (aka KNOB) that can decrypt traffic and inject arbitrary ciphertext without the
    victim noticing. (CVE-2019-9506)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-4147-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-15926");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-1020-gke");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-31-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-31-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-31-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2019-2024 Canonical, Inc. / NASL script (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '18.04': {
    '5.0.0': {
      'generic': '5.0.0-31',
      'generic-lpae': '5.0.0-31',
      'lowlatency': '5.0.0-31',
      'gke': '5.0.0-1020'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-4147-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2019-0136', 'CVE-2019-9506', 'CVE-2019-10207', 'CVE-2019-13631', 'CVE-2019-15090', 'CVE-2019-15117', 'CVE-2019-15118', 'CVE-2019-15211', 'CVE-2019-15212', 'CVE-2019-15215', 'CVE-2019-15217', 'CVE-2019-15218', 'CVE-2019-15220', 'CVE-2019-15221', 'CVE-2019-15223', 'CVE-2019-15538', 'CVE-2019-15925', 'CVE-2019-15926');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4147-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
Vendor     Product       Version                              CPE
canonical  ubuntu_linux  linux-image-5.0.0-1020-gke           p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-1020-gke
canonical  ubuntu_linux  linux-image-5.0.0-31-generic         p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-31-generic
canonical  ubuntu_linux  linux-image-5.0.0-31-generic-lpae    p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-31-generic-lpae
canonical  ubuntu_linux  linux-image-5.0.0-31-lowlatency      p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-31-lowlatency
canonical  ubuntu_linux  18.04                                cpe:/o:canonical:ubuntu_linux:18.04:-:lts
