Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusUbuntu Security Notice (C) 2023-2024 Canonical, Inc. / NASL script (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.UBUNTU_USN-5976-1.NASL
HistoryMar 27, 2023 - 12:00 a.m.

Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel (OEM) vulnerabilities (USN-5976-1)

2023-03-2700:00:00
Ubuntu Security Notice (C) 2023-2024 Canonical, Inc. / NASL script (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
12

8.1 High

AI Score

Confidence

High

JSON

The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5976-1 advisory.

  • A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.
    L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn’t need retpolines or IBPB after running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past commit 2e7eab81425a (CVE-2022-2196)

  • Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver through ioctl() interface. The driver doesn’t check the value of ‘pixclock’, so it may cause a divide by zero error. (CVE-2022-3061)

  • A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi driver. This issue occurs when a user connects to a malicious USB device. This can allow a local user to crash the system or escalate their privileges. (CVE-2022-3628)

  • An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file ‘/dev/dri/renderD128 (or Dxxx)’. This flaw allows a local attacker with a user account on the system to gain privilege, causing a denial of service(DoS). (CVE-2022-36280)

  • A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability. (CVE-2022-3646)

  • A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue.
    The identifier of this vulnerability is VDB-211992. (CVE-2022-3649)

  • roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition and resultant use-after-free in certain situations where a report is received while copying a report->value is in progress. (CVE-2022-41850)

  • A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)

  • There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c (CVE-2023-0461)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-5976-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(173440);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");

  script_cve_id(
    "CVE-2022-2196",
    "CVE-2022-3061",
    "CVE-2022-3628",
    "CVE-2022-3646",
    "CVE-2022-3649",
    "CVE-2022-36280",
    "CVE-2022-41850",
    "CVE-2023-0394",
    "CVE-2023-0461"
  );
  script_xref(name:"USN", value:"5976-1");

  script_name(english:"Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel (OEM) vulnerabilities (USN-5976-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as
referenced in the USN-5976-1 advisory.

  - A regression exists in the Linux Kernel within KVM: nVMX that allowed for speculative execution attacks.
    L2 can carry out Spectre v2 attacks on L1 due to L1 thinking it doesn't need retpolines or IBPB after
    running L2 due to KVM (L0) advertising eIBRS support to L1. An attacker at L2 with code execution can
    execute code on an indirect branch on the host machine. We recommend upgrading to Kernel 6.2 or past
    commit 2e7eab81425a (CVE-2022-2196)

  - Found Linux Kernel flaw in the i740 driver. The Userspace program could pass any values to the driver
    through ioctl() interface. The driver doesn't check the value of 'pixclock', so it may cause a divide by
    zero error. (CVE-2022-3061)

  - A buffer overflow flaw was found in the Linux kernel Broadcom Full MAC Wi-Fi driver. This issue occurs
    when a user connects to a malicious USB device. This can allow a local user to crash the system or
    escalate their privileges. (CVE-2022-3628)

  - An out-of-bounds(OOB) memory access vulnerability was found in vmwgfx driver in
    drivers/gpu/vmxgfx/vmxgfx_kms.c in GPU component in the Linux kernel with device file '/dev/dri/renderD128
    (or Dxxx)'. This flaw allows a local attacker with a user account on the system to gain privilege, causing
    a denial of service(DoS). (CVE-2022-36280)

  - A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects
    the function nilfs_attach_log_writer of the file fs/nilfs2/segment.c of the component BPF. The
    manipulation leads to memory leak. The attack may be initiated remotely. It is recommended to apply a
    patch to fix this issue. The identifier VDB-211961 was assigned to this vulnerability. (CVE-2022-3646)

  - A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is the function
    nilfs_new_inode of the file fs/nilfs2/inode.c of the component BPF. The manipulation leads to use after
    free. It is possible to launch the attack remotely. It is recommended to apply a patch to fix this issue.
    The identifier of this vulnerability is VDB-211992. (CVE-2022-3649)

  - roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel through 5.19.12 has a race condition
    and resultant use-after-free in certain situations where a report is received while copying a
    report->value is in progress. (CVE-2022-41850)

  - A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network
    subcomponent in the Linux kernel. This flaw causes the system to crash. (CVE-2023-0394)

  - There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local
    privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or
    CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a
    use-after-free bug of icsk_ulp_data of a struct inet_connection_sock. When CONFIG_TLS is enabled, user can
    install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this
    socket is disconnected and reused as a listener. If a new socket is created from the listener, the context
    is inherited and vulnerable. The setsockopt TCP_ULP operation does not require any privilege. We recommend
    upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c (CVE-2023-0461)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-5976-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-0461");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-2196");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/09/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/03/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.14.0-1059-oem");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.17.0-1029-oem");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023-2024 Canonical, Inc. / NASL script (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('20.04' >< os_release || '22.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 22.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '20.04': {
    '5.14.0': {
      'oem': '5.14.0-1059'
    }
  },
  '22.04': {
    '5.17.0': {
      'oem': '5.17.0-1029'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
  else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5976-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2022-2196', 'CVE-2022-3061', 'CVE-2022-3628', 'CVE-2022-3646', 'CVE-2022-3649', 'CVE-2022-36280', 'CVE-2022-41850', 'CVE-2023-0394', 'CVE-2023-0461');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5976-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : extra
  );
  exit(0);
}
VendorProductVersionCPE
canonicalubuntu_linux20.04cpe:/o:canonical:ubuntu_linux:20.04:-:lts
canonicalubuntu_linux22.04cpe:/o:canonical:ubuntu_linux:22.04:-:lts
canonicalubuntu_linuxlinux-image-5.14.0-1059-oemp-cpe:/a:canonical:ubuntu_linux:linux-image-5.14.0-1059-oem
canonicalubuntu_linuxlinux-image-5.17.0-1029-oemp-cpe:/a:canonical:ubuntu_linux:linux-image-5.17.0-1029-oem

Related

osv 19
openvas 27
ubuntu 20
nessus 35
veracode 8
debiancve 11
cbl_mariner 10
prion 9
cve 11
cnvd 2
ubuntucve 11
redhatcve 11
photon 2
oraclelinux 1
githubexploit 3
f5 1
redhat 7
amazon 4
fedora 6
ibm 1
osv
osv
linux-oem-5.14, linux-oem-5.17 vulnerabilities
2023-03-27 22:26:57
linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-oracle-5.4 vulnerabilities
2023-02-15 20:03:17
linux, linux-aws, linux-azure, linux-azure-5.4, linux-gkeop, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4 vulnerabilities
2023-02-09 18:26:39
openvas
openvas
Ubuntu: Security Advisory (USN-5976-1)
2023-03-28 00:00:00
Ubuntu: Security Advisory (USN-5909-1)
2023-03-03 00:00:00
Ubuntu: Security Advisory (USN-5874-1)
2023-02-16 00:00:00
ubuntu
ubuntu
Linux kernel (OEM) vulnerabilities
2023-03-27 00:00:00
Linux kernel (Azure CVM) vulnerabilities
2023-03-02 00:00:00
Linux kernel vulnerabilities
2023-02-09 00:00:00
nessus
nessus
Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5874-1)
2023-02-16 00:00:00
Ubuntu 20.04 LTS : Linux kernel (Azure CVM) vulnerabilities (USN-5909-1)
2023-03-03 00:00:00
Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5853-1)
2023-02-09 00:00:00
veracode
veracode
Denial Of Service (DoS)
2023-01-17 19:04:07
Denial Of Service (DoS)
2023-03-06 19:20:27
Denial Of Service (DoS)
2023-03-06 19:24:07
debiancve
debiancve
CVE-2022-3061
2022-09-01 18:15:00
CVE-2022-41850
2022-09-30 06:15:00
CVE-2022-36280
2022-09-09 15:15:00
cbl_mariner
cbl_mariner
CVE-2022-41850 affecting package kernel 5.10.149.1-1
2022-11-24 00:45:57
CVE-2022-41850 affecting package kernel 5.15.80.1-1
2022-12-19 20:13:00
CVE-2022-36280 affecting package kernel 5.10.167.1-1
2023-03-02 04:18:44
prion
prion
Improper access control
2022-09-09 15:15:00
Race condition
2022-09-30 06:15:00
Design/Logic Flaw
2022-09-01 18:15:00
cve
cve
CVE-2022-36280
2022-09-09 15:15:00
CVE-2022-41850
2022-09-30 06:15:00
CVE-2022-3649
2022-10-21 20:15:00
cnvd
cnvd
Linux kernel hid-roccat.c resource management error vulnerability
2022-10-09 00:00:00
Linux kernel vmxgfx_kms.c denial of service vulnerability
2022-09-15 00:00:00
ubuntucve
ubuntucve
CVE-2022-41850
2022-09-30 00:00:00
CVE-2022-3061
2022-09-01 00:00:00
CVE-2022-36280
2022-09-09 00:00:00
redhatcve
redhatcve
CVE-2022-41850
2022-09-30 20:19:08
CVE-2022-36280
2022-10-13 14:30:05
CVE-2022-3061
2022-08-30 09:14:55
photon
photon
Important Photon OS Security Update - PHSA-2023-3.0-0527
2023-02-07 00:00:00
Moderate Photon OS Security Update - PHSA-2023-5.0-0006
2023-05-16 00:00:00
oraclelinux
oraclelinux
Unbreakable Enterprise kernel security update
2023-04-04 00:00:00
githubexploit
githubexploit
Exploit for Use After Free in Linux Linux Kernel
2023-05-11 05:21:28
Exploit for Use After Free in Linux Linux Kernel
2023-05-09 10:44:10
Exploit for Use After Free in Linux Linux Kernel
2023-05-11 01:00:45
f5
f5
K000135122 : Linux kernel vulnerability CVE-2023-0461
2023-06-20 00:00:00
redhat
redhat
(RHSA-2023:1923) Important: kpatch-patch security update
2023-04-21 08:10:58
(RHSA-2023:1841) Important: kernel security and bug fix update
2023-04-18 16:09:23
(RHSA-2023:1557) Important: kernel security and bug fix update
2023-04-04 06:31:02
amazon
amazon
Important: kernel
2022-10-31 19:40:00
Important: kernel
2022-10-31 19:40:00
Important: kernel
2022-12-01 17:33:00
fedora
fedora
[SECURITY] Fedora 37 Update: kernel-headers-6.1.5-200.fc37
2023-01-15 02:01:34
[SECURITY] Fedora 37 Update: kernel-tools-6.1.5-200.fc37
2023-01-15 02:01:34
[SECURITY] Fedora 37 Update: kernel-6.1.5-200.fc37
2023-01-15 02:01:34
ibm
ibm
Security Bulletin: Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System
2023-08-11 17:03:57

8.1 High

AI Score

Confidence

High

JSON
Related for UBUNTU_USN-5976-1.NASL
osv19openvas27ubuntu20nessus35veracode8debiancve11cbl_mariner10prion9cve11cnvd2ubuntucve11redhatcve11photon2oraclelinux1githubexploit3f51redhat7amazon4fedora6ibm1