Nessus plugin UBUNTU_USN-6700-1.NASL
Ubuntu Security Notice (C) 2024 Canonical, Inc. / NASL script (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Mar 18, 2024 - 12:00 a.m.

Ubuntu 14.04 LTS / 16.04 LTS : Linux kernel vulnerabilities (USN-6700-1)

2024-03-18 00:00:00
www.tenable.com
Tags: ubuntu, linux kernel, vulnerabilities, usn-6700-1, pppol2tp, use after free, escalation of privilege, android, crc16, ext4, out of bounds read, netfilter, conntrack, dccp protocol, atalk_ioctl, __ext4_remount, nf_tables, scsi device driver

AI Score: 7.4 High
Confidence: High

The remote Ubuntu 14.04 LTS / 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6700-1 advisory.

  • In pppol2tp_create of l2tp_ppp.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-186777253. References: Upstream kernel (CVE-2022-20567)

  • An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated access (modifying the block device while it is mounted by the filesystem).
    (CVE-2023-34256)

  • An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.
    (CVE-2023-39197)

  • An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition. (CVE-2023-51781)

  • A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free. (CVE-2024-0775)

  • A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. (CVE-2024-1086)

  • A race condition was found in the Linux kernel’s scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue. (CVE-2024-24855)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6700-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(192220);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/05");

  script_cve_id(
    "CVE-2022-20567",
    "CVE-2023-34256",
    "CVE-2023-39197",
    "CVE-2023-51781",
    "CVE-2024-0775",
    "CVE-2024-1086",
    "CVE-2024-24855"
  );
  script_xref(name:"USN", value:"6700-1");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS : Linux kernel vulnerabilities (USN-6700-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS / 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as
referenced in the USN-6700-1 advisory.

  - In pppol2tp_create of l2tp_ppp.c, there is a possible use after free due to a race condition. This could
    lead to local escalation of privilege with System execution privileges needed. User interaction is not
    needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-186777253. References:
    Upstream kernel (CVE-2022-20567)

  - An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in
    lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an
    offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against
    attackers with the stated access (modifying the block device while it is mounted by the filesystem).
    (CVE-2023-34256)

  - An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux
    kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.
    (CVE-2023-39197)

  - An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-
    after-free because of an atalk_recvmsg race condition. (CVE-2023-51781)

  - A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This
    flaw allows a local user to cause an information leak problem while freeing the old quota file names
    before a potential failure, leading to a use-after-free. (CVE-2024-0775)

  - A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to
    achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error
    within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when
    NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit
    f342de4e2f33e0e39165d8639387aa6c19dff660. (CVE-2024-1086)

  - A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan()
    function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or
    denial of service issue. (CVE-2024-24855)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6700-1");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-39197");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-1086");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/03/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1129-aws");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1130-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-252-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-252-lowlatency");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2024 Canonical, Inc. / NASL script (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');
include('ksplice.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release || '16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04 / 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var kernel_mappings = {
  '14.04': {
    '4.4.0': {
      'generic': '4.4.0-252',
      'lowlatency': '4.4.0-252',
      'aws': '4.4.0-1129'
    }
  },
  '16.04': {
    '4.4.0': {
      'generic': '4.4.0-252',
      'lowlatency': '4.4.0-252',
      'kvm': '4.4.0-1130'
    }
  }
};

var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);

var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
  extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
  audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6700-1');
}

if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
  var cve_list = make_list('CVE-2022-20567', 'CVE-2023-34256', 'CVE-2023-39197', 'CVE-2023-51781', 'CVE-2024-0775', 'CVE-2024-1086', 'CVE-2024-24855');
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6700-1');
  }
  else
  {
    extra = extra + ksplice_reporting_text();
  }
}
if (extra) {
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
Vendor     Product       Version                          CPE
canonical  ubuntu_linux  linux-image-4.4.0-1130-kvm       p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1130-kvm
canonical  ubuntu_linux  linux-image-4.4.0-252-lowlatency p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-252-lowlatency
canonical  ubuntu_linux  16.04                            cpe:/o:canonical:ubuntu_linux:16.04:-:lts
canonical  ubuntu_linux  linux-image-4.4.0-1129-aws       p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1129-aws
canonical  ubuntu_linux  linux-image-4.4.0-252-generic    p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-252-generic
canonical  ubuntu_linux  14.04                            cpe:/o:canonical:ubuntu_linux:14.04:-:lts