The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6700-2 advisory.
In pppol2tp_create of l2tp_ppp.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-186777253References:
Upstream kernel (CVE-2022-20567)
An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against attackers with the stated When modifying the block device while it is mounted by the filesystem access.
(CVE-2023-34256)
An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.
(CVE-2023-39197)
An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use- after-free because of an atalk_recvmsg race condition. (CVE-2023-51781)
A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This flaw allows a local user to cause an information leak problem while freeing the old quota file names before a potential failure, leading to a use-after-free. (CVE-2024-0775)
A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660. (CVE-2024-1086)
A race condition was found in the Linux kernel’s scsi device driver in lpfc_unregister_fcf_rescan() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue. (CVE-2024-24855)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6700-2. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(192411);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/05");
script_cve_id(
"CVE-2022-20567",
"CVE-2023-34256",
"CVE-2023-39197",
"CVE-2023-51781",
"CVE-2024-0775",
"CVE-2024-1086",
"CVE-2024-24855"
);
script_xref(name:"USN", value:"6700-2");
script_name(english:"Ubuntu 16.04 LTS : Linux kernel (AWS) vulnerabilities (USN-6700-2)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in
the USN-6700-2 advisory.
- In pppol2tp_create of l2tp_ppp.c, there is a possible use after free due to a race condition. This could
lead to local escalation of privilege with System execution privileges needed. User interaction is not
needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-186777253References:
Upstream kernel (CVE-2022-20567)
- An issue was discovered in the Linux kernel before 6.3.3. There is an out-of-bounds read in crc16 in
lib/crc16.c when called from fs/ext4/super.c because ext4_group_desc_csum does not properly check an
offset. NOTE: this is disputed by third parties because the kernel is not intended to defend against
attackers with the stated When modifying the block device while it is mounted by the filesystem access.
(CVE-2023-34256)
- An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux
kernel. This flaw allows a remote user to disclose sensitive information via the DCCP protocol.
(CVE-2023-39197)
- An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-
after-free because of an atalk_recvmsg race condition. (CVE-2023-51781)
- A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. This
flaw allows a local user to cause an information leak problem while freeing the old quota file names
before a potential failure, leading to a use-after-free. (CVE-2024-0775)
- A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to
achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error
within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when
NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit
f342de4e2f33e0e39165d8639387aa6c19dff660. (CVE-2024-1086)
- A race condition was found in the Linux kernel's scsi device driver in lpfc_unregister_fcf_rescan()
function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or
denial of service issue. (CVE-2024-24855)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6700-2");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-39197");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-1086");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/01");
script_set_attribute(attribute:"patch_publication_date", value:"2024/03/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/21");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1167-aws");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2024 Canonical, Inc. / NASL script (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
include('ksplice.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var kernel_mappings = {
'16.04': {
'4.4.0': {
'aws': '4.4.0-1167'
}
}
};
var host_kernel_release = get_kb_item('Host/uptrack-uname-r');
if (empty_or_null(host_kernel_release)) host_kernel_release = get_kb_item_or_exit('Host/uname-r');
var host_kernel_base_version = get_kb_item_or_exit('Host/Debian/kernel-base-version');
var host_kernel_type = get_kb_item_or_exit('Host/Debian/kernel-type');
if(empty_or_null(kernel_mappings[os_release][host_kernel_base_version][host_kernel_type])) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + host_kernel_release);
var extra = '';
var kernel_fixed_version = kernel_mappings[os_release][host_kernel_base_version][host_kernel_type] + "-" + host_kernel_type;
if (deb_ver_cmp(ver1:host_kernel_release, ver2:kernel_fixed_version) < 0)
{
extra = extra + 'Running Kernel level of ' + host_kernel_release + ' does not meet the minimum fixed level of ' + kernel_fixed_version + ' for this advisory.\n\n';
}
else
{
audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-6700-2');
}
if (get_one_kb_item('Host/ksplice/kernel-cves'))
{
var cve_list = make_list('CVE-2022-20567', 'CVE-2023-34256', 'CVE-2023-39197', 'CVE-2023-51781', 'CVE-2024-0775', 'CVE-2024-1086', 'CVE-2024-24855');
if (ksplice_cves_check(cve_list))
{
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-6700-2');
}
else
{
extra = extra + ksplice_reporting_text();
}
}
if (extra) {
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : extra
);
exit(0);
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 16.04 | cpe:/o:canonical:ubuntu_linux:16.04:-:lts |
canonical | ubuntu_linux | linux-image-4.4.0-1167-aws | p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4.0-1167-aws |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20567
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34256
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39197
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-51781
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0775
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1086
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24855
ubuntu.com/security/notices/USN-6700-2