Lucene search

K
nessusUbuntu Security Notice (C) 2022-2024 Canonical, Inc. / NASL script (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-5729-2.NASL
HistoryNov 19, 2022 - 12:00 a.m.

Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-5729-2)

2022-11-1900:00:00
Ubuntu Security Notice (C) 2022-2024 Canonical, Inc. / NASL script (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
74
ubuntu
linux
kernel
vulnerabilities
usn-5729-2
armv8_deprecated.c
bpf subsystem
nilfs file system
xfrm subsystem
devlink_param_set
devlink_param_get
drivers/atm/idt77252.c
nf_tables_api.c
stex.c

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.001

Percentile

32.7%

The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5729-2 advisory.

It was discovered that a race condition existed in the instruction emulator of the Linux kernel on Arm     64-bit systems. A local attacker could use this to cause a denial of service (system crash).
(CVE-2022-20422)

Hsin-Wei Hung discovered that the BPF subsystem in the Linux kernel contained an out-of-bounds read     vulnerability in the x86 JIT compiler. A local attacker could possibly use this to cause a denial of     service (system crash) or expose sensitive information (kernel memory). (CVE-2022-2905)

Hao Sun and Jiacheng Xu discovered that the NILFS file system implementation in the Linux kernel contained     a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system     crash) or possibly execute arbitrary code. (CVE-2022-2978)

Abhishek Shah discovered a race condition in the PF_KEYv2 implementation in the Linux kernel. A local     attacker could use this to cause a denial of service (system crash) or possibly expose sensitive     information (kernel memory). (CVE-2022-3028)

It was discovered that the Netlink device interface implementation in the Linux kernel did not properly     handle certain error conditions, leading to a use-after-free vulnerability with some network device     drivers. A local attacker with admin access to the network device could use this to cause a denial of     service (system crash) or possibly execute arbitrary code. (CVE-2022-3625)

It was discovered that the IDT 77252 ATM PCI device driver in the Linux kernel did not properly remove any     pending timers during device exit, resulting in a use-after-free vulnerability. A local attacker could     possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2022-3635)

Gwangun Jung discovered that the netfilter subsystem in the Linux kernel did not properly prevent binding     to an already bound chain. A local attacker could use this to cause a denial of service (system crash).
(CVE-2022-39190)

Xingyuan Mo and Gengjia Chen discovered that the Promise SuperTrak EX storage controller driver in the     Linux kernel did not properly handle certain structures. A local attacker could potentially use this to     expose sensitive information (kernel memory). (CVE-2022-40768)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-5729-2. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(167921);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/08/27");

  script_cve_id(
    "CVE-2022-2905",
    "CVE-2022-2978",
    "CVE-2022-3028",
    "CVE-2022-3625",
    "CVE-2022-3635",
    "CVE-2022-20422",
    "CVE-2022-39190",
    "CVE-2022-40768"
  );
  script_xref(name:"USN", value:"5729-2");

  script_name(english:"Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-5729-2)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as
referenced in the USN-5729-2 advisory.

    It was discovered that a race condition existed in the instruction emulator of the Linux kernel on Arm
    64-bit systems. A local attacker could use this to cause a denial of service (system crash).
    (CVE-2022-20422)

    Hsin-Wei Hung discovered that the BPF subsystem in the Linux kernel contained an out-of-bounds read
    vulnerability in the x86 JIT compiler. A local attacker could possibly use this to cause a denial of
    service (system crash) or expose sensitive information (kernel memory). (CVE-2022-2905)

    Hao Sun and Jiacheng Xu discovered that the NILFS file system implementation in the Linux kernel contained
    a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system
    crash) or possibly execute arbitrary code. (CVE-2022-2978)

    Abhishek Shah discovered a race condition in the PF_KEYv2 implementation in the Linux kernel. A local
    attacker could use this to cause a denial of service (system crash) or possibly expose sensitive
    information (kernel memory). (CVE-2022-3028)

    It was discovered that the Netlink device interface implementation in the Linux kernel did not properly
    handle certain error conditions, leading to a use-after-free vulnerability with some network device
    drivers. A local attacker with admin access to the network device could use this to cause a denial of
    service (system crash) or possibly execute arbitrary code. (CVE-2022-3625)

    It was discovered that the IDT 77252 ATM PCI device driver in the Linux kernel did not properly remove any
    pending timers during device exit, resulting in a use-after-free vulnerability. A local attacker could
    possibly use this to cause a denial of service (system crash) or execute arbitrary code. (CVE-2022-3635)

    Gwangun Jung discovered that the netfilter subsystem in the Linux kernel did not properly prevent binding
    to an already bound chain. A local attacker could use this to cause a denial of service (system crash).
    (CVE-2022-39190)

    Xingyuan Mo and Gengjia Chen discovered that the Promise SuperTrak EX storage controller driver in the
    Linux kernel did not properly handle certain structures. A local attacker could potentially use this to
    expose sensitive information (kernel memory). (CVE-2022-40768)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-5729-2");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-3625");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/08/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/11/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/11/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1018-intel-iotg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1020-gke");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1022-gcp");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2022-2024 Canonical, Inc. / NASL script (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('20.04' >< os_release || '22.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 22.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '20.04': {
    '5.15.0': {
      'gke': '5.15.0-1020',
      'gcp': '5.15.0-1022'
    }
  },
  '22.04': {
    '5.15.0': {
      'intel-iotg': '5.15.0-1018'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra += 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5729-2');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2022-2905', 'CVE-2022-2978', 'CVE-2022-3028', 'CVE-2022-3625', 'CVE-2022-3635', 'CVE-2022-20422', 'CVE-2022-39190', 'CVE-2022-40768');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5729-2');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : extra
  );
  exit(0);
}
VendorProductVersionCPE
canonicalubuntu_linux20.04cpe:/o:canonical:ubuntu_linux:20.04:-:lts
canonicalubuntu_linuxlinux-image-5.15.0-1020-gkep-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1020-gke
canonicalubuntu_linux22.04cpe:/o:canonical:ubuntu_linux:22.04:-:lts
canonicalubuntu_linuxlinux-image-5.15.0-1022-gcpp-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1022-gcp
canonicalubuntu_linuxlinux-image-5.15.0-1018-intel-iotgp-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1018-intel-iotg

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.001

Percentile

32.7%