Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2022-2024 Canonical, Inc. / NASL script (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-5560-1.NASL
HistoryAug 10, 2022 - 12:00 a.m.

Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-5560-1)

2022-08-1000:00:00
Ubuntu Security Notice (C) 2022-2024 Canonical, Inc. / NASL script (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
30

8.6 High

AI Score

Confidence

High

JSON

The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5560-1 advisory.

  • A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or CAP_SYS_RAWIO) to create issues with confidentiality. (CVE-2022-0494)

  • A use-after-free flaw was found in the Linux kernel’s sound subsystem in the way a user triggers concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-1048)

  • A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device is detached and reclaim resources early. (CVE-2022-1195)

  • Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. (CVE-2022-1652)

  • A use-after-free flaw was found in the Linux kernel’s Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)

  • A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives such as kernel address information leak, arbitrary execution, etc. (CVE-2022-1729)

  • A flaw in Linux Kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to use after free both read or write when non synchronized between cleanup routine and firmware download routine.
    (CVE-2022-1734)

  • A use-after-free flaw was found in the Linux kernel’s NFC core functionality due to a race condition between kobject creation and delete. This vulnerability allows a local attacker with CAP_NET_ADMIN privilege to leak kernel information. (CVE-2022-1974)

  • There is a sleep-in-atomic bug in /net/nfc/netlink.c that allows an attacker to crash the Linux kernel by simulating a nfc device from user-space. (CVE-2022-1975)

  • It was discovered that a nft object or expression could reference a nft set on a different nft table, leading to a use-after-free once that table was deleted. (CVE-2022-2586)

  • It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0. (CVE-2022-2588)

  • drivers/block/floppy.c in the Linux kernel before 5.17.6 is vulnerable to a denial of service, because of a concurrency use-after-free flaw after deallocating raw_cmd in the raw_cmd_ioctl function.
    (CVE-2022-33981)

  • An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. (CVE-2022-34918)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-5560-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(164013);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2022-0494",
    "CVE-2022-1048",
    "CVE-2022-1195",
    "CVE-2022-1652",
    "CVE-2022-1679",
    "CVE-2022-1729",
    "CVE-2022-1734",
    "CVE-2022-1974",
    "CVE-2022-1975",
    "CVE-2022-2586",
    "CVE-2022-2588",
    "CVE-2022-33981",
    "CVE-2022-34918"
  );
  script_xref(name:"USN", value:"5560-1");

  script_name(english:"Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-5560-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-5560-1 advisory.

  - A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in
    the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or
    CAP_SYS_RAWIO) to create issues with confidentiality. (CVE-2022-0494)

  - A use-after-free flaw was found in the Linux kernel's sound subsystem in the way a user triggers
    concurrent calls of PCM hw_params. The hw_free ioctls or similar race condition happens inside ALSA PCM
    for other ioctls. This flaw allows a local user to crash or potentially escalate their privileges on the
    system. (CVE-2022-1048)

  - A use-after-free vulnerability was found in the Linux kernel in drivers/net/hamradio. This flaw allows a
    local attacker with a user privilege to cause a denial of service (DOS) when the mkiss or sixpack device
    is detached and reclaim resources early. (CVE-2022-1195)

  - Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a concurrency
    use-after-free flaw in the bad_flp_intr function. By executing a specially-crafted program, an attacker
    could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the
    system. (CVE-2022-1652)

  - A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user
    forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local
    user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)

  - A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged
    user to gain root privileges. The bug allows to build several exploit primitives such as kernel address
    information leak, arbitrary execution, etc. (CVE-2022-1729)

  - A flaw in Linux Kernel found in nfcmrvl_nci_unregister_dev() in drivers/nfc/nfcmrvl/main.c can lead to use
    after free both read or write when non synchronized between cleanup routine and firmware download routine.
    (CVE-2022-1734)

  - A use-after-free flaw was found in the Linux kernel's NFC core functionality due to a race condition
    between kobject creation and delete. This vulnerability allows a local attacker with CAP_NET_ADMIN
    privilege to leak kernel information. (CVE-2022-1974)

  - There is a sleep-in-atomic bug in /net/nfc/netlink.c that allows an attacker to crash the Linux kernel by
    simulating a nfc device from user-space. (CVE-2022-1975)

  - It was discovered that a nft object or expression could reference a nft set on a different nft table,
    leading to a use-after-free once that table was deleted. (CVE-2022-2586)

  - It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old
    filter from the hashtable before freeing it if its handle had the value 0. (CVE-2022-2588)

  - drivers/block/floppy.c in the Linux kernel before 5.17.6 is vulnerable to a denial of service, because of
    a concurrency use-after-free flaw after deallocating raw_cmd in the raw_cmd_ioctl function.
    (CVE-2022-33981)

  - An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init
    (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different
    vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an
    unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data
    in net/netfilter/nf_tables_api.c. (CVE-2022-34918)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-5560-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-34918");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Netfilter nft_set_elem_init Heap Overflow Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/03/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/08/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/08/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1051-dell300x");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1104-oracle");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1117-raspi2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1125-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1134-gcp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1135-snapdragon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1139-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1149-azure");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-191-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-191-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-191-lowlatency");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2022-2024 Canonical, Inc. / NASL script (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '18.04': {
    '4.15.0': {
      'generic': '4.15.0-191',
      'generic-lpae': '4.15.0-191',
      'lowlatency': '4.15.0-191',
      'dell300x': '4.15.0-1051',
      'oracle': '4.15.0-1104',
      'raspi2': '4.15.0-1117',
      'kvm': '4.15.0-1125',
      'gcp': '4.15.0-1134',
      'snapdragon': '4.15.0-1135',
      'aws': '4.15.0-1139',
      'azure': '4.15.0-1149'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5560-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2022-0494', 'CVE-2022-1048', 'CVE-2022-1195', 'CVE-2022-1652', 'CVE-2022-1679', 'CVE-2022-1729', 'CVE-2022-1734', 'CVE-2022-1974', 'CVE-2022-1975', 'CVE-2022-2586', 'CVE-2022-2588', 'CVE-2022-33981', 'CVE-2022-34918');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5560-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
VendorProductVersionCPE
canonicalubuntu_linux18.04cpe:/o:canonical:ubuntu_linux:18.04:-:lts
canonicalubuntu_linuxlinux-image-4.15.0-1051-dell300xp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1051-dell300x
canonicalubuntu_linuxlinux-image-4.15.0-1104-oraclep-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1104-oracle
canonicalubuntu_linuxlinux-image-4.15.0-1117-raspi2p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1117-raspi2
canonicalubuntu_linuxlinux-image-4.15.0-1125-kvmp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1125-kvm
canonicalubuntu_linuxlinux-image-4.15.0-1134-gcpp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1134-gcp
canonicalubuntu_linuxlinux-image-4.15.0-1135-snapdragonp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1135-snapdragon
canonicalubuntu_linuxlinux-image-4.15.0-1139-awsp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1139-aws
canonicalubuntu_linuxlinux-image-4.15.0-1149-azurep-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1149-azure
canonicalubuntu_linuxlinux-image-4.15.0-191-genericp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-191-generic
Rows per page:
1-10 of 121

Related

ubuntu 14
nessus 75
osv 14
cve 9
prion 6
debiancve 6
ubuntucve 6
redhat 15
mageia 2
oraclelinux 3
redos 2
photon 6
centos 1
fedora 2
suse 4
cbl_mariner 9
redhatcve 5
zdt 1
githubexploit 9
metasploit 1
packetstorm 1
debian 1
f5 1
zdi 2
veracode 4
ubuntu
ubuntu
Linux kernel vulnerabilities
2022-08-10 00:00:00
Linux kernel vulnerabilities
2022-08-10 00:00:00
Linux kernel (Azure CVM) vulnerabilities
2022-08-25 00:00:00
nessus
nessus
Ubuntu 16.04 ESM : Linux kernel vulnerabilities (USN-5560-2)
2022-08-10 00:00:00
Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5562-1)
2022-08-10 00:00:00
Ubuntu 20.04 LTS : Linux kernel (Azure CVM) vulnerabilities (USN-5582-1)
2022-08-25 00:00:00
osv
osv
linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle vulnerabilities
2022-08-10 12:36:02
linux, linux-aws, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities
2022-08-10 11:17:35
linux-azure-fde vulnerabilities
2022-08-25 03:58:20
cve
cve
CVE-2022-34918
2022-07-04 21:15:00
CVE-2022-33981
2022-06-18 16:15:00
CVE-2022-2586
2024-01-08 18:15:44
prion
prion
Type confusion
2022-07-04 21:15:00
Design/Logic Flaw
2022-06-18 16:15:00
Design/Logic Flaw
2024-01-08 18:15:00
debiancve
debiancve
CVE-2022-34918
2022-07-04 21:15:00
CVE-2022-33981
2022-06-18 16:15:00
CVE-2022-32250
2022-06-02 21:15:00
ubuntucve
ubuntucve
CVE-2022-34918
2022-07-04 00:00:00
CVE-2022-33981
2022-06-18 00:00:00
CVE-2022-2586
2022-08-09 00:00:00
redhat
redhat
(RHSA-2022:5806) Important: kernel security update
2022-08-02 06:10:45
(RHSA-2022:5636) Important: kernel security and bug fix update
2022-07-19 14:44:22
(RHSA-2022:5236) Important: kernel-rt security and bug fix update
2022-06-28 07:52:41
mageia
mageia
Updated kernel packages fix security vulnerabilities
2022-08-26 00:21:07
Updated kernel-linus packages fix security vulnerabilities
2022-08-26 00:21:07
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2022-08-02 00:00:00
Unbreakable Enterprise kernel security update
2022-09-21 00:00:00
Unbreakable Enterprise kernel-container security update
2022-09-21 00:00:00
redos
redos
ROS-20220908-01
2022-09-08 00:00:00
ROS-20220619-01
2022-06-19 00:00:00
photon
photon
Moderate Photon OS Security Update - PHSA-2022-0506
2022-08-10 00:00:00
Important Photon OS Security Update - PHSA-2022-0226
2022-08-10 00:00:00
Important Photon OS Security Update - PHSA-2022-0488
2022-06-21 00:00:00
centos
centos
bpftool, kernel, perf, python security update
2022-08-02 19:42:00
fedora
fedora
[SECURITY] Fedora 36 Update: kernel-5.18.17-200.fc36
2022-08-14 02:39:58
[SECURITY] Fedora 35 Update: kernel-5.18.17-100.fc35
2022-08-14 03:02:16
suse
suse
Security update for the Linux Kernel (important)
2022-06-24 00:00:00
Security update for the Linux Kernel (important)
2022-06-24 00:00:00
Security update for the Linux Kernel (important)
2022-09-01 00:00:00
cbl_mariner
cbl_mariner
CVE-2022-33981 affecting package kernel 5.10.123.1-1
2022-08-12 16:45:24
CVE-2022-33981 affecting package kernel 5.15.48.1-2
2022-08-03 21:15:19
CVE-2022-34918 affecting package kernel 5.15.48.1-4
2022-08-03 21:15:19
redhatcve
redhatcve
CVE-2022-33981
2022-06-21 06:59:25
CVE-2022-34918
2022-07-06 09:06:11
CVE-2022-32250
2022-06-07 02:30:38
zdt
zdt
Netfilter nft_set_elem_init Heap Overflow Privilege Escalation Exploit
2022-09-28 00:00:00
githubexploit
githubexploit
Exploit for Type Confusion in Linux Linux Kernel
2022-07-24 14:47:40
Exploit for Type Confusion in Linux Linux Kernel
2022-07-21 22:06:19
Exploit for Type Confusion in Linux Linux Kernel
2022-08-02 09:52:02
metasploit
metasploit
Netfilter nft_set_elem_init Heap Overflow Privilege Escalation
2022-07-20 11:51:22
packetstorm
packetstorm
Netfilter nft_set_elem_init Heap Overflow Privilege Escalation
2022-09-28 00:00:00
debian
debian
[SECURITY] [DSA 5173-1] linux security update
2022-07-03 15:49:12
f5
f5
K000133447 : Linux kernel vulnerability CVE-2022-32250
2023-04-11 00:00:00
zdi
zdi
Linux Kernel nf_tables_expr_destroy Use-After-Free Privilege Escalation Vulnerability
2023-12-20 00:00:00
(Pwn2Own) Linux Kernel nft_object Use-After-Free Privilege Escalation Vulnerability
2022-08-18 00:00:00
veracode
veracode
Privilege Escalation
2022-09-16 19:39:12
Denial Of Service (DoS)
2022-09-16 19:53:28
Use After Free
2022-09-16 19:50:43

8.6 High

AI Score

Confidence

High

JSON
Related for UBUNTU_USN-5560-1.NASL
ubuntu14nessus75osv14cve9prion6debiancve6ubuntucve6redhat15mageia2oraclelinux3redos2photon6centos1fedora2suse4cbl_mariner9redhatcve5zdt1githubexploit9metasploit1packetstorm1debian1f51zdi2veracode4