10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
8.8 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
50.3%
The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6385-1 advisory.
When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)
A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking configuration (redirecting egress packets to ingress using TC action mirred) a local unprivileged user could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a retransmission, resulting in a denial of service condition. (CVE-2022-4269)
A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the ‘rlim’ variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)
A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness, potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field that overlaps with rec->tx_ready. (CVE-2023-1075)
A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While it will be often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing network filters. (CVE-2023-1076)
A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel’s IPv6 functionality when a user makes a new kind of SYN flood attack. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up to 95%. (CVE-2023-1206)
A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading to a denial of service. (CVE-2023-1380)
A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This flaw allows an attacker to crash the system and possibly cause a kernel information lea (CVE-2023-1611)
A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of management commands, compromising the confidentiality, integrity, and availability of Bluetooth communication. (CVE-2023-2002)
An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. (CVE-2023-20593)
A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.
(CVE-2023-2162)
Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape. (CVE-2023-2163)
A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve local privilege escalation. The perf_group_detach function did not check the event’s siblings’ attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call list_del_event() on before detaching from their group, making it possible to use a dangling pointer causing a use-after-free vulnerability. We recommend upgrading past commit fd0815f632c24878e325821943edccc7fde947a2. (CVE-2023-2235)
A denial of service problem was found, due to a possible recursive locking scenario, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub- component. (CVE-2023-2269)
A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in the Linux Kernel. The message from user space is not checked properly before transferring into the device.
This flaw allows a local user to crash the system or potentially cause a denial of service.
(CVE-2023-28328)
do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading to a race condition (with a resultant use-after-free or NULL pointer dereference). (CVE-2023-28466)
There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel.
This flaw allows a local privileged user to cause a denial of service problem. (CVE-2023-2898)
A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation. The out-of-bounds write is caused by missing skb->cb initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled. We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e. (CVE-2023-3090)
A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading to a kernel information leak. (CVE-2023-3141)
qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX. (CVE-2023-31436)
An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference. (CVE-2023-3220)
An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use- after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order for an attacker to exploit this, the system must have netrom routing configured or the attacker must have the CAP_NET_ADMIN capability. (CVE-2023-32269)
A use-after-free vulnerability was found in the Linux kernel’s netfilter subsystem in net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97. (CVE-2023-3390)
A use-after-free vulnerability in the Linux kernel’s net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
(CVE-2023-3609)
A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795. (CVE-2023-3610)
An out-of-bounds write vulnerability in the Linux kernel’s net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out- of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)
A use-after-free vulnerability in the Linux kernel’s net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
(CVE-2023-3776)
A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation. When nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain’s owner rule can also release the objects in certain circumstances. We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.
(CVE-2023-3777)
A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel.
This flaw allows a local user with special privileges to impact a kernel information leak issue.
(CVE-2023-3863)
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it is a duplicate of CVE-2023-4147. (CVE-2023-3995)
A use-after-free flaw was found in the Linux kernel’s netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system. (CVE-2023-4004)
A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation. On an error when building a nftables rule, deactivating immediate expressions in nft_immediate_deactivate() can lead unbinding the chain and objects be deactivated but later used. We recommend upgrading past commit 0a771f7b266b02d262900c75f1e175c7fe76fec2. (CVE-2023-4015)
An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before 6.4.10. There is a use-after-free because the children of an sk are mishandled. (CVE-2023-40283)
A flaw was found in the Linux kernel’s TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and that turns out to not be accurate. (CVE-2023-4194)
A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation of the file name reconstruction function, which is responsible for reading file name entries from a directory index and merging file name parts belonging to one file into a single long file name. Since the file name characters are copied into a stack variable, a local privileged attacker could use this flaw to overflow the kernel stack. (CVE-2023-4273)
A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux Kernel. This issue may allow a local attacker to cause double-deactivations of catchall elements, which can result in a memory leak. (CVE-2023-4569)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6385-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(181636);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/09");
script_cve_id(
"CVE-2022-4269",
"CVE-2022-27672",
"CVE-2023-0458",
"CVE-2023-1075",
"CVE-2023-1076",
"CVE-2023-1206",
"CVE-2023-1380",
"CVE-2023-1611",
"CVE-2023-2002",
"CVE-2023-2162",
"CVE-2023-2163",
"CVE-2023-2235",
"CVE-2023-2269",
"CVE-2023-2898",
"CVE-2023-3090",
"CVE-2023-3141",
"CVE-2023-3220",
"CVE-2023-3390",
"CVE-2023-3609",
"CVE-2023-3610",
"CVE-2023-3611",
"CVE-2023-3776",
"CVE-2023-3777",
"CVE-2023-3863",
"CVE-2023-3995",
"CVE-2023-4004",
"CVE-2023-4015",
"CVE-2023-4128",
"CVE-2023-4194",
"CVE-2023-4273",
"CVE-2023-4569",
"CVE-2023-20593",
"CVE-2023-28328",
"CVE-2023-28466",
"CVE-2023-31436",
"CVE-2023-32269",
"CVE-2023-40283"
);
script_xref(name:"USN", value:"6385-1");
script_name(english:"Ubuntu 22.04 LTS : Linux kernel (OEM) vulnerabilities (USN-6385-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-6385-1 advisory.
- When SMT is enabled, certain AMD processors may speculatively execute instructions using a target from the
sibling thread after an SMT mode switch potentially resulting in information disclosure. (CVE-2022-27672)
- A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Using a specific networking
configuration (redirecting egress packets to ingress using TC action mirred) a local unprivileged user
could trigger a CPU soft lockup (ABBA deadlock) when the transport protocol in use (TCP or SCTP) does a
retransmission, resulting in a denial of service condition. (CVE-2022-4269)
- A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The
resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be
used to leak the contents. We recommend upgrading past version 6.1.8 or commit
739790605705ddcf18f21782b9c99ad7d53a8c11 (CVE-2023-0458)
- A flaw was found in the Linux Kernel. The tls_is_tx_ready() incorrectly checks for list emptiness,
potentially accessing a type confused entry to the list_head, leaking the last byte of the confused field
that overlaps with rec->tx_ready. (CVE-2023-1075)
- A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a
type confusion in their initialization function. While it will be often correct, as tuntap devices require
CAP_NET_ADMIN, it may not always be the case, e.g., a non-root user only having that capability. This
would make tun/tap sockets being incorrectly treated in filtering/routing decisions, possibly bypassing
network filters. (CVE-2023-1076)
- A hash collision flaw was found in the IPv6 connection lookup table in the Linux kernel's IPv6
functionality when a user makes a new kind of SYN flood attack. A user located in the local network or
with a high bandwidth connection can increase the CPU usage of the server that accepts IPV6 connections up
to 95%. (CVE-2023-1206)
- A slab-out-of-bound read problem was found in brcmf_get_assoc_ies in
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux Kernel. This issue could occur
when assoc_info->req_len data is bigger than the size of the buffer, defined as WL_EXTRA_BUF_MAX, leading
to a denial of service. (CVE-2023-1380)
- A use-after-free flaw was found in btrfs_search_slot in fs/btrfs/ctree.c in btrfs in the Linux Kernel.This
flaw allows an attacker to crash the system and possibly cause a kernel information lea (CVE-2023-1611)
- A vulnerability was found in the HCI sockets implementation due to a missing capability check in
net/bluetooth/hci_sock.c in the Linux Kernel. This flaw allows an attacker to unauthorized execution of
management commands, compromising the confidentiality, integrity, and availability of Bluetooth
communication. (CVE-2023-2002)
- An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to
potentially access sensitive information. (CVE-2023-20593)
- A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in
SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information.
(CVE-2023-2162)
- Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly
marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and
container escape. (CVE-2023-2163)
- A use-after-free vulnerability in the Linux Kernel Performance Events system can be exploited to achieve
local privilege escalation. The perf_group_detach function did not check the event's siblings'
attach_state before calling add_event_to_groups(), but remove_on_exec made it possible to call
list_del_event() on before detaching from their group, making it possible to use a dangling pointer
causing a use-after-free vulnerability. We recommend upgrading past commit
fd0815f632c24878e325821943edccc7fde947a2. (CVE-2023-2235)
- A denial of service problem was found, due to a possible recursive locking scenario, resulting in a
deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-
component. (CVE-2023-2269)
- A NULL pointer dereference flaw was found in the az6027 driver in drivers/media/usb/dev-usb/az6027.c in
the Linux Kernel. The message from user space is not checked properly before transferring into the device.
This flaw allows a local user to crash the system or potentially cause a denial of service.
(CVE-2023-28328)
- do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel through 6.2.6 lacks a lock_sock call, leading
to a race condition (with a resultant use-after-free or NULL pointer dereference). (CVE-2023-28466)
- There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel.
This flaw allows a local privileged user to cause a denial of service problem. (CVE-2023-2898)
- A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to
achieve local privilege escalation. The out-of-bounds write is caused by missing skb->cb initialization in
the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled. We recommend
upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e. (CVE-2023-3090)
- A use-after-free flaw was found in r592_remove in drivers/memstick/host/r592.c in media access in the
Linux Kernel. This flaw allows a local attacker to crash the system at device disconnect, possibly leading
to a kernel information leak. (CVE-2023-3141)
- qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write
because lmax can exceed QFQ_MIN_LMAX. (CVE-2023-31436)
- An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in
drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the
NULL Pointer Dereference. (CVE-2023-3220)
- An issue was discovered in the Linux kernel before 6.1.11. In net/netrom/af_netrom.c, there is a use-
after-free because accept is also allowed for a successfully connected AF_NETROM socket. However, in order
for an attacker to exploit this, the system must have netrom routing configured or the attacker must have
the CAP_NET_ADMIN capability. (CVE-2023-32269)
- A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in
net/netfilter/nf_tables_api.c. Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a
dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local
attacker with user access to cause a privilege escalation issue. We recommend upgrading past commit
1240eb93f0616b21c675416516ff3d74798fdc97. (CVE-2023-3390)
- A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to
achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return
an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can
control the reference counter and set it to zero, they can cause the reference to be freed, leading to a
use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
(CVE-2023-3609)
- A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to
achieve local privilege escalation. Flaw in the error handling of bound chains causes a use-after-free in
the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We recommend
upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795. (CVE-2023-3610)
- An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited
to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-
of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend
upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)
- A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to
achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an
error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can
control the reference counter and set it to zero, they can cause the reference to be freed, leading to a
use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
(CVE-2023-3776)
- A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to
achieve local privilege escalation. When nf_tables_delrule() is flushing table rules, it is not checked
whether the chain is bound and the chain's owner rule can also release the objects in certain
circumstances. We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8.
(CVE-2023-3777)
- A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel.
This flaw allows a local user with special privileges to impact a kernel information leak issue.
(CVE-2023-3863)
- Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it is a
duplicate of CVE-2023-4147. (CVE-2023-3995)
- A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the
nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local
user to crash the system or potentially escalate their privileges on the system. (CVE-2023-4004)
- A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to
achieve local privilege escalation. On an error when building a nftables rule, deactivating immediate
expressions in nft_immediate_deactivate() can lead unbinding the chain and objects be deactivated but
later used. We recommend upgrading past commit 0a771f7b266b02d262900c75f1e175c7fe76fec2. (CVE-2023-4015)
- An issue was discovered in l2cap_sock_release in net/bluetooth/l2cap_sock.c in the Linux kernel before
6.4.10. There is a use-after-free because the children of an sk are mishandled. (CVE-2023-40283)
- A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to
bypass network filters and gain unauthorized access to some resources. The original patches fixing
CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits -
a096ccca6e50 (tun: tun_chr_open(): correctly initialize socket uid), - 66b2c338adce (tap: tap_open():
correctly initialize socket uid), pass inode->i_uid to sock_init_data_uid() as the last parameter and
that turns out to not be accurate. (CVE-2023-4194)
- A flaw was found in the exFAT driver of the Linux kernel. The vulnerability exists in the implementation
of the file name reconstruction function, which is responsible for reading file name entries from a
directory index and merging file name parts belonging to one file into a single long file name. Since the
file name characters are copied into a stack variable, a local privileged attacker could use this flaw to
overflow the kernel stack. (CVE-2023-4273)
- A memory leak flaw was found in nft_set_catchall_flush in net/netfilter/nf_tables_api.c in the Linux
Kernel. This issue may allow a local attacker to cause double-deactivations of catchall elements, which
can result in a memory leak. (CVE-2023-4569)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6385-1");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-40283");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-2163");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/05");
script_set_attribute(attribute:"patch_publication_date", value:"2023/09/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/19");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-6.0.0-1021-oem");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2023-2024 Canonical, Inc. / NASL script (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('22.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 22.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'22.04': {
'6.0.0': {
'oem': '6.0.0-1021'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6385-1');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2022-4269', 'CVE-2022-27672', 'CVE-2023-0458', 'CVE-2023-1075', 'CVE-2023-1076', 'CVE-2023-1206', 'CVE-2023-1380', 'CVE-2023-1611', 'CVE-2023-2002', 'CVE-2023-2162', 'CVE-2023-2163', 'CVE-2023-2235', 'CVE-2023-2269', 'CVE-2023-2898', 'CVE-2023-3090', 'CVE-2023-3141', 'CVE-2023-3220', 'CVE-2023-3390', 'CVE-2023-3609', 'CVE-2023-3610', 'CVE-2023-3611', 'CVE-2023-3776', 'CVE-2023-3777', 'CVE-2023-3863', 'CVE-2023-3995', 'CVE-2023-4004', 'CVE-2023-4015', 'CVE-2023-4128', 'CVE-2023-4194', 'CVE-2023-4273', 'CVE-2023-4569', 'CVE-2023-20593', 'CVE-2023-28328', 'CVE-2023-28466', 'CVE-2023-31436', 'CVE-2023-32269', 'CVE-2023-40283');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6385-1');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : extra
);
exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 22.04 | cpe:/o:canonical:ubuntu_linux:22.04:-:lts |
canonical | ubuntu_linux | linux-image-6.0.0-1021-oem | p-cpe:/a:canonical:ubuntu_linux:linux-image-6.0.0-1021-oem |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27672
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4269
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0458
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1075
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1076
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1206
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1380
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1611
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2002
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2162
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2163
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2235
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2269
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28328
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28466
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2898
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3090
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3141
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31436
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3220
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32269
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3390
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3609
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3610
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3611
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3776
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3777
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3863
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3995
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4004
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4015
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40283
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4128
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4194
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4273
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4569
ubuntu.com/security/notices/USN-6385-1
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
8.8 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
50.3%