Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-4226-1)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-4226-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(132690);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2019-10220",
    "CVE-2019-14895",
    "CVE-2019-14896",
    "CVE-2019-14897",
    "CVE-2019-14901",
    "CVE-2019-16231",
    "CVE-2019-16233",
    "CVE-2019-17075",
    "CVE-2019-17133",
    "CVE-2019-18660",
    "CVE-2019-18813",
    "CVE-2019-19045",
    "CVE-2019-19048",
    "CVE-2019-19052",
    "CVE-2019-19055",
    "CVE-2019-19060",
    "CVE-2019-19065",
    "CVE-2019-19067",
    "CVE-2019-19072",
    "CVE-2019-19075",
    "CVE-2019-19083",
    "CVE-2019-19524",
    "CVE-2019-19526",
    "CVE-2019-19529",
    "CVE-2019-19532",
    "CVE-2019-19534",
    "CVE-2019-19922",
    "CVE-2019-2214"
  );
  script_xref(name:"USN", value:"4226-1");

  script_name(english:"Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-4226-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-4226-1 advisory.

  - Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory
    entry lists. (CVE-2019-10220)

  - A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before
    4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection
    negotiation during the handling of the remote devices country settings. This could allow the remote device
    to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-14895)

  - A heap-based buffer overflow vulnerability was found in the Linux kernel, version kernel-2.6.32, in
    Marvell WiFi chip driver. A remote attacker could cause a denial of service (system crash) or, possibly
    execute arbitrary code, when the lbs_ibss_join_existing function is called after a STA connects to an AP.
    (CVE-2019-14896)

  - A stack-based buffer overflow was found in the Linux kernel, version kernel-2.6.32, in Marvell WiFi chip
    driver. An attacker is able to cause a denial of service (system crash) or, possibly execute arbitrary
    code, when a STA works in IBSS mode (allows connecting stations together without the use of an AP) and
    connects to another STA. (CVE-2019-14897)

  - A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell
    WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a
    denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the
    availability of the system. If code execution occurs, the code will run with the permissions of root. This
    will affect both confidentiality and integrity of files on the system. (CVE-2019-14901)

  - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,
    leading to a NULL pointer dereference. (CVE-2019-16231)

  - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,
    leading to a NULL pointer dereference. (CVE-2019-16233)

  - An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cxgb4/mem.c in the Linux kernel
    through 5.3.2. The cxgb4 driver is directly calling dma_map_single (a DMA function) from a stack variable.
    This could allow an attacker to trigger a Denial of Service, exploitable if this driver is used on an
    architecture for which this stack/DMA interaction has security relevance. (CVE-2019-17075)

  - In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a
    long SSID IE, leading to a Buffer Overflow. (CVE-2019-17133)

  - The Linux kernel before 5.4.1 on powerpc allows Information Exposure because the Spectre-RSB mitigation is
    not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to
    arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c. (CVE-2019-18660)

  - A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc3-pci.c in the Linux kernel through
    5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering
    platform_device_add_properties() failures, aka CID-9bbfceea12a8. (CVE-2019-18813)

  - A memory leak in the mlx5_fpga_conn_create_cq() function in
    drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c in the Linux kernel before 5.3.11 allows attackers to
    cause a denial of service (memory consumption) by triggering mlx5_vector2eqn() failures, aka
    CID-c8c2a057fdc7. (CVE-2019-19045)

  - A memory leak in the crypto_reportstat() function in drivers/virt/vboxguest/vboxguest_utils.c in the Linux
    kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering
    copy_form_user() failures, aka CID-e0b0cb938864. (CVE-2019-19048)

  - A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel before
    5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb()
    failures, aka CID-fb5be6a7b486. (CVE-2019-19052)

  - A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux
    kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering
    nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because
    it occurs on a code path where a successful allocation has already occurred (CVE-2019-19055)

  - A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel
    before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.
    (CVE-2019-19060)

  - A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel before
    5.3.9 allows attackers to cause a denial of service (memory consumption) by triggering rhashtable_init()
    failures, aka CID-34b3be18a04e. NOTE: This has been disputed as not a vulnerability because
    rhashtable_init() can only fail if it is passed invalid values in the second parameter's struct, but when
    invoked from sdma_init() that is a pointer to a static const struct, so an attacker could only trigger
    failure if they could corrupt kernel memory (in which case a small memory leak is not a significant
    problem). (CVE-2019-19065)

  - Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux
    kernel before 5.3.8 allow attackers to cause a denial of service (memory consumption) by triggering
    mfd_add_hotplug_devices() or pm_genpd_add_device() failures, aka CID-57be09c6e874. NOTE: third parties
    dispute the relevance of this because the attacker must already have privileges for module loading
    (CVE-2019-19067)

  - A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel
    through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-96c5c6e6a5b6.
    (CVE-2019-19072)

  - A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel before
    5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering
    ca8210_get_platform_data() failures, aka CID-6402939ec86e. (CVE-2019-19075)

  - Memory leaks in *clock_source_create() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel
    before 5.3.8 allow attackers to cause a denial of service (memory consumption). This affects the
    dce112_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, the
    dce100_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the
    dcn10_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, the
    dcn20_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c, the
    dce120_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the
    dce110_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, and the
    dce80_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c, aka
    CID-055e547478a1. (CVE-2019-19083)

  - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB
    device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)

  - In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB
    device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098. (CVE-2019-19526)

  - In the Linux kernel before 5.3.11, there is a use-after-free bug that can be caused by a malicious USB
    device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41. (CVE-2019-19529)

  - In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a
    malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-
    axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,
    drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,
    drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-
    tmff.c, and drivers/hid/hid-zpff.c. (CVE-2019-19532)

  - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device
    in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)

  - kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with
    Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by
    generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words,
    although this slice expiration would typically be seen with benign workloads, it is possible that an
    attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a
    low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray
    requests. An attack does not affect the stability of the kernel; it only causes mismanagement of
    application execution.) (CVE-2019-19922)

  - In binder_transaction of binder.c, there is a possible out of bounds write due to a missing bounds check.
    This could lead to local escalation of privilege with no additional execution privileges needed. User
    interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-136210786References: Upstream kernel (CVE-2019-2214)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-4226-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14901");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-17133");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-1009-oracle");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-1023-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-1027-gke");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-1028-azure");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.0.0-1033-oem-osp1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2020-2024 Canonical, Inc. / NASL script (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '18.04': {
    '5.0.0': {
      'oracle': '5.0.0-1009',
      'aws': '5.0.0-1023',
      'gke': '5.0.0-1027',
      'azure': '5.0.0-1028',
      'oem-osp1': '5.0.0-1033'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-4226-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2019-2214', 'CVE-2019-10220', 'CVE-2019-14895', 'CVE-2019-14896', 'CVE-2019-14897', 'CVE-2019-14901', 'CVE-2019-16231', 'CVE-2019-16233', 'CVE-2019-17075', 'CVE-2019-17133', 'CVE-2019-18660', 'CVE-2019-18813', 'CVE-2019-19045', 'CVE-2019-19048', 'CVE-2019-19052', 'CVE-2019-19055', 'CVE-2019-19060', 'CVE-2019-19065', 'CVE-2019-19067', 'CVE-2019-19072', 'CVE-2019-19075', 'CVE-2019-19083', 'CVE-2019-19524', 'CVE-2019-19526', 'CVE-2019-19529', 'CVE-2019-19532', 'CVE-2019-19534', 'CVE-2019-19922');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-4226-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}