Ubuntu 16.04 ESM / 18.04 LTS : Linux kernel vulnerabilities (USN-5790-1)

2023-01-0700:00:00

www.tenable.com

7.5 High

AI Score

Confidence

High

JSON

The remote Ubuntu 16.04 ESM / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5790-1 advisory.

A vulnerability was found in the Linux kernel’s EBPF verifier when handling internal data structures.
Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel. (CVE-2021-4159)
In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free.
This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
A-239630375References: Upstream kernel (CVE-2022-20421)
Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn’t check the value of ‘pixclock’, so it may cause a divide by zero error. (CVE-2022-3061)
A flaw was found in the Linux kernel’s networking code. A use-after-free was found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed) into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of service. (CVE-2022-3586)
An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)
An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free. (CVE-2022-40307)
A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and gain escalation of privileges. (CVE-2022-4095)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-5790-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(169692);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2021-4159",
    "CVE-2022-3061",
    "CVE-2022-3586",
    "CVE-2022-4095",
    "CVE-2022-20421",
    "CVE-2022-39188",
    "CVE-2022-40307"
  );
  script_xref(name:"USN", value:"5790-1");

  script_name(english:"Ubuntu 16.04 ESM / 18.04 LTS : Linux kernel vulnerabilities (USN-5790-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 ESM / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as
referenced in the USN-5790-1 advisory.

  - A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.
    Internal memory locations could be returned to userspace. A local attacker with the permissions to insert
    eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit
    mitigations in place for the kernel. (CVE-2021-4159)

  - In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free.
    This could lead to local escalation of privilege with no additional execution privileges needed. User
    interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-239630375References: Upstream kernel (CVE-2022-20421)

  - Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver
    through ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide by
    zero error. (CVE-2022-3061)

  - A flaw was found in the Linux kernel's networking code. A use-after-free was found in the way the sch_sfb
    enqueue function used the socket buffer (SKB) cb field after the same SKB had been enqueued (and freed)
    into a child qdisc. This flaw allows a local, unprivileged user to crash the system, causing a denial of
    service. (CVE-2022-3586)

  - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race
    condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale
    TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)

  - An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a
    race condition with a resultant use-after-free. (CVE-2022-40307)

  - A use-after-free flaw was found in Linux kernel before 5.19.2. This issue occurs in cmd_hdl_filter in
    drivers/staging/rtl8712/rtl8712_cmd.c, allowing an attacker to launch a local denial of service attack and
    gain escalation of privileges. (CVE-2022-4095)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-5790-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-4095");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/05/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/01/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:esm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1058-dell300x");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1112-oracle");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1125-raspi2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1133-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1142-gcp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1143-snapdragon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1147-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1147-aws-hwe");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1158-azure");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-201-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-201-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-201-lowlatency");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023-2024 Canonical, Inc. / NASL script (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release || '18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '16.04': {
    '4.15.0': {
      'generic': '4.15.0-201',
      'lowlatency': '4.15.0-201',
      'oracle': '4.15.0-1112',
      'gcp': '4.15.0-1142',
      'aws': '4.15.0-1147',
      'aws-hwe': '4.15.0-1147'
    }
  },
  '18.04': {
    '4.15.0': {
      'generic': '4.15.0-201',
      'generic-lpae': '4.15.0-201',
      'lowlatency': '4.15.0-201',
      'dell300x': '4.15.0-1058',
      'oracle': '4.15.0-1112',
      'raspi2': '4.15.0-1125',
      'kvm': '4.15.0-1133',
      'gcp': '4.15.0-1142',
      'snapdragon': '4.15.0-1143',
      'aws': '4.15.0-1147',
      'azure': '4.15.0-1158'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5790-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2021-4159', 'CVE-2022-3061', 'CVE-2022-3586', 'CVE-2022-4095', 'CVE-2022-20421', 'CVE-2022-39188', 'CVE-2022-40307');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5790-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : extra
  );
  exit(0);
}

VendorProductVersionCPE
canonicalubuntu_linux16.04cpe:/o:canonical:ubuntu_linux:16.04:-:esm
canonicalubuntu_linux18.04cpe:/o:canonical:ubuntu_linux:18.04:-:lts
canonicalubuntu_linuxlinux-image-4.15.0-1058-dell300xp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1058-dell300x
canonicalubuntu_linuxlinux-image-4.15.0-1112-oraclep-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1112-oracle
canonicalubuntu_linuxlinux-image-4.15.0-1125-raspi2p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1125-raspi2
canonicalubuntu_linuxlinux-image-4.15.0-1133-kvmp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1133-kvm
canonicalubuntu_linuxlinux-image-4.15.0-1142-gcpp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1142-gcp
canonicalubuntu_linuxlinux-image-4.15.0-1143-snapdragonp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1143-snapdragon
canonicalubuntu_linuxlinux-image-4.15.0-1147-awsp-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1147-aws
canonicalubuntu_linuxlinux-image-4.15.0-1147-aws-hwep-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1147-aws-hwe

Vendor	Product	Version	CPE
canonical	ubuntu_linux	16.04	cpe:/o:canonical:ubuntu_linux:16.04:-:esm
canonical	ubuntu_linux	18.04	cpe:/o:canonical:ubuntu_linux:18.04:-:lts
canonical	ubuntu_linux	linux-image-4.15.0-1058-dell300x	p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1058-dell300x
canonical	ubuntu_linux	linux-image-4.15.0-1112-oracle	p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1112-oracle
canonical	ubuntu_linux	linux-image-4.15.0-1125-raspi2	p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1125-raspi2
canonical	ubuntu_linux	linux-image-4.15.0-1133-kvm	p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1133-kvm
canonical	ubuntu_linux	linux-image-4.15.0-1142-gcp	p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1142-gcp
canonical	ubuntu_linux	linux-image-4.15.0-1143-snapdragon	p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1143-snapdragon
canonical	ubuntu_linux	linux-image-4.15.0-1147-aws	p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1147-aws
canonical	ubuntu_linux	linux-image-4.15.0-1147-aws-hwe	p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1147-aws-hwe